Govt agencies miss ICT security deadline


By Andrew Collins
Tuesday, 01 July, 2014

Govt agencies miss ICT security deadline

At least seven federal government department agencies are expected to fail to meet a federally mandated July 2014 deadline for improving their ICT security, according to a report from the nation’s Auditor-General, Ian McPhee.

The Australian National Audit Office (ANAO) - a government department that assists the Auditor-General undertake performance audits, financial statement audits and assurance reviews of Commonwealth public sector bodies - last week released the report, titled ‘Cyber Attacks: Securing Agencies’ ICT Systems’.

The government last year mandated that government agencies follow the top four of 35 ICT security strategies as provided by the Australian Signals Directorate (ASD). The agencies were given a target date of July 2014 for full implementation of the four strategies.

“In the government sector, the Australian Signals Directorate (ASD) has estimated that between January and December 2012, there were over 1790 security incidents against Australian Government agencies. Of these, 685 [almost 40%] were considered serious enough to warrant a Cyber Security Operations Centre [CSOC] response,” it said.

CSOC - a part of the ASD - coordinates and assists operational responses to cyberthreats of national importance.

“ASD has advised that if fully implemented, the top four mitigation strategies would prevent at least 85% of the targeted cyber intrusions to an agency’s ICT systems. This list of strategies is revised annually based on the most recent analysis of incidents,” the ANAO report said.

The current top four mitigation strategies are:

  • application whitelisting, to ensure that only specifically selected programs can be executed;
  • applying patches to applications and devices;
  • deploying critical security patches to operating systems; and
  • restricting administrative privileges.

ANAO assessed the cybersecurity of seven agencies: the Australian Bureau of Statistics, The Australian Customs and Border Protection Service, the Australian Financial Security Authority, the Australian Taxation Office, the Department of Foreign Affairs and Trade, the Department of Human Services and IP Australia.

The audit examined the agencies’ compliance with the four mandatory ICT security strategies, as well as IT general controls.

These general controls are defined by ANAO as: logical access controls, which “prevent unauthorised access to ICT resources (including files, data and applications) and the associated administrative procedures”; and change management controls, which “ensure that standardised methods and procedures support the formal request for a change to ICT systems”.

For security reasons, the report abstains from identifying the exact criteria each agency failed to meet, but it does speak in general terms about the agencies’ failures.

The audit found that at 30 November 2013, none of the agencies had achieved full compliance with the top four mitigation strategies, and nor would they by the government’s deadline of mid-2014, “notwithstanding their advice regarding further initiatives which, when implemented, would strengthen ICT security controls and protection against cyber attacks”.

All of the seven agencies had met the ANAO requirement for implementation of IT general controls, earning them the ANAO label of “Internally Secure”. But the agencies’ collective failure to fully implement the ASD’s top four mitigation strategies meant that none could be considered “Externally Secure”.

“The agencies had security controls in place to provide a reasonable level of protection from breaches and disclosures of information from internal sources. However, this is not sufficient protection against cyber attacks from external sources. To comply fully with the PSPF [Protective Security Policy Framework], agencies should also have a reasonable level of protection from external threats,” the report said.

“In essence, agency processes and practices have not been sufficiently responsive to the ever-present and ever-changing risks that government systems are exposed to,” it said.

“Notwithstanding the agency activities planned for implementation by 30 June 2014, and in the absence of further agency initiatives, all of the selected agencies are likely to remain in the Internally Secure Zone and not achieve full compliance with the mandatory ISM controls by 30 June 2014, the date specified by the Australian Government,” the report said.

The ANAO provided several recommendations aimed at improving the seven agencies’ security postures.

Image courtesy of Richard Gifford under CC

Related Articles

Secure-by-design software development for digital innovation

The rise of DevSecOps methodologies and developments in AI offers every business the opportunity...

Bolstering AI-powered cybersecurity in the face of increasing threats

The escalation of complex cyber risks is becoming a pressing issue for those in business...

How attackers are weaponising GenAI through data poisoning and manipulation

The possibility for shared large language models to be manipulated through data poisoning...

Content from other channels on our network

Shoalhaven City Council uses AI to deliver safer roads to the community

Smart technologies: helping councils improve community services and sustainability

Infrastructure projects a funding black hole without asset management

Gartner announces top government technology trends

Fujitsu establishes security consulting division

EV future for Monash Uni

Shell Cove battery launched on NSW South Coast

Million-dollar rooftop solar for Kimberley hospital

Protecting wildlife from electrical assets — and vice versa

Immersive VR training for electricians

'Curving' light beams could enable terahertz comms

Panasonic offers private 5G network testing in Munich

Antenna upgrade enables better sewer management

60 million Aust drone flights predicted for 2043

The fire on Marley's Hill

  • All content Copyright © 2024 Westwick-Farrow Pty Ltd