
Fed agencies cop mass fail in core systems cyber review

By Justin Hendry on May 29, 2020 1:59PM

Just one agency gets 'essential eight' tick for financial, HR systems.

Only one of the federal government’s largest agencies has fully applied the Australian Signals Directorate's essential eight to some of its most important systems, the national auditor has found.

The finding is contained in the 2019 interim financial controls audit of major entities, which reviewed the implementation of the controls now considered the baseline for cyber resilience.

The Australian National Audit Office’s review focused on the financial and HR systems of 18 agencies, including Defence, Services Australia, Home Affairs and the Tax Office.

“The review was undertaken to confirm the accuracy of reporting and identify cyber security risks that may impact on the preparation of financial statements,” the auditor said [pdf].

“The review consisted of analysis of policy and procedural documentation, testing of mitigation strategies specific to the FMIS and HRMIS, results of sprint assessments and interviews with entity personnel.”

It follows a series of targeted audits conducted by the auditor since 2013 that have uncovered serious cyber resilience shortcomings, particularly around the implementation of the top four.

But as with previous audits, the review found “maturity levels for most entities were significantly below” requirements under policy 10 of the protective security policy framework (PSPF).

Policy 10 requires entities to achieve the maturity level ‘managing’, which the ANAO said is equivalent to the essential eight maturity level three.

“Of the 18 entities assessed, only one was rated as achieving a managing maturity level across all eight controls,” the auditor said.

[Chart: entity maturity ratings. Source: ANAO]

The review found the lowest level of compliance related to the application hardening, macro controls and multi-factor authentication controls - all non-mandatory under the essential eight.

“Achieving a Managing level for Application Hardening was viewed by entities to be difficult due to the number of applications in the entities’ systems and the difficulty in identifying all applicable hardening controls,” the auditor said.

But it also acknowledged that the majority of agencies are planning to address these concerns by July.

“Entities have implementation plans focused on reducing the number of applications in their environments, with an aim to lowering their attack surface and minimising risk,” the ANAO said.

“Implementation of these plans is currently being actioned by the majority of entities, with most plans scheduled for completion by July 2020.”

Restricting macros also differed widely between agencies, with agencies reporting the control as difficult “due to users relying heavily on macros to perform business activities”, with some relying on “additional mitigations” to address concerns.

For multi-factor authentication, agencies “found the process of organising/distributing multi-factor authentication tokens for all users to be an onerous one”, with most instead accepting the risk and focusing on achieving a lesser maturity level.

“Entities prioritised multi-factor controls for remote access and privileged users, rather than all users,” the auditor said.

The ANAO also found that four agencies had incorrectly self-assessed, which the agencies blamed on a poor understanding of their requirements.

“The entities attributed the inaccuracies in their assessments to their interpretation of the scope of the requirement and indicated that they found it challenging to determine whether they had met the intention of the mitigation strategies,” the report states.

Most entities were also found to have “conducted their self-assessment at a system or environment level and did not specifically assess the controls required to minimise cyber risks to their FMIS or HRMIS applications”.

ANAO assessment worse than ACSC's

ACSC’s recent cyber security posture report to parliament found most government agencies were still struggling to implement the essential eight cyber security controls.

It said 73 percent of agencies reported below baseline levels of maturity with the mandatory top four controls last year, including 13 percent who reported ad hoc levels of maturity.

Ad hoc is considered the lowest possible score under the scoring metric, and indicates only “partial or basic implementation and management” of the top four.

But the auditor's report indicates that things are in fact even worse than this.

“ANAO found that 76 percent of controls were an ad-hoc or developing maturity level,” the report states.

“This is in line with ACSC findings, which noted ‘73 percent of non-corporate Commonwealth entities reporting ad hoc or developing levels of maturity’.”

As such, the auditor stressed that the “majority of the entities reviewed are not meeting the required Policy 10 maturity level” and said “significant progress was still required”.

The ANAO also pours cold water on any suggestion that changes to the PSPF in 2018 have led to any real improvement in cyber resilience.

This is despite the government’s cyber uplift in 2019, which assessed 25 agencies in the wake of the state-sponsored cyber attack against Parliament House - Australia’s “first national cyber crisis”.

“The regulatory framework and self-assessments to date have not driven the achievement of the standard of cyber security required by Government policy,” the auditor said.

“The policy 10 requirements, that non-corporate Commonwealth entities implement the ASD Mandatory Strategies to Mitigate Cyber Security Incidents (Top Four), have been in place since 2013.

“Entities’ inability to meet these requirements indicates a weakness in implementing and maintaining strong security controls over time.

“Previous audits of cyber security by the ANAO to assess the progress of implementation against Policy 10 requirements have not found an improvement in the level of compliance with the controls over time.

“The work undertaken as part of this review indicates that this pattern continues, with limited improvements.”

Copyright © iTnews.com.au . All rights reserved.