Govt agencies miss ICT security deadline
At least seven federal government departments and agencies are expected to fail to meet a federally mandated July 2014 deadline for improving their ICT security, according to a report from the nation’s Auditor-General, Ian McPhee.
The Australian National Audit Office (ANAO) - a government department that assists the Auditor-General in undertaking performance audits, financial statement audits and assurance reviews of Commonwealth public sector bodies - last week released the report, titled ‘Cyber Attacks: Securing Agencies’ ICT Systems’.
The government last year mandated that government agencies follow the top four of 35 ICT security strategies as provided by the Australian Signals Directorate (ASD). The agencies were given a target date of July 2014 for full implementation of the four strategies.
“In the government sector, the Australian Signals Directorate (ASD) has estimated that between January and December 2012, there were over 1790 security incidents against Australian Government agencies. Of these, 685 [almost 40%] were considered serious enough to warrant a Cyber Security Operations Centre [CSOC] response,” the ANAO report said.
CSOC - a part of the ASD - coordinates and assists operational responses to cyberthreats of national importance.
“ASD has advised that if fully implemented, the top four mitigation strategies would prevent at least 85% of the targeted cyber intrusions to an agency’s ICT systems. This list of strategies is revised annually based on the most recent analysis of incidents,” the ANAO report said.
The current top four mitigation strategies are:
- application whitelisting, to ensure that only specifically selected programs can be executed;
- applying patches to applications and devices;
- deploying critical security patches to operating systems; and
- restricting administrative privileges.
ANAO assessed the cybersecurity of seven agencies: the Australian Bureau of Statistics, the Australian Customs and Border Protection Service, the Australian Financial Security Authority, the Australian Taxation Office, the Department of Foreign Affairs and Trade, the Department of Human Services and IP Australia.
The audit examined the agencies’ compliance with the four mandatory ICT security strategies, as well as IT general controls.
These general controls are defined by ANAO as: logical access controls, which “prevent unauthorised access to ICT resources (including files, data and applications) and the associated administrative procedures”; and change management controls, which “ensure that standardised methods and procedures support the formal request for a change to ICT systems”.
For security reasons, the report abstains from identifying the exact criteria each agency failed to meet, but it does speak in general terms about the agencies’ failures.
The audit found that at 30 November 2013, none of the agencies had achieved full compliance with the top four mitigation strategies, and nor would they by the government’s deadline of mid-2014, “notwithstanding their advice regarding further initiatives which, when implemented, would strengthen ICT security controls and protection against cyber attacks”.
All of the seven agencies had met the ANAO requirement for implementation of IT general controls, earning them the ANAO label of “Internally Secure”. But the agencies’ collective failure to fully implement the ASD’s top four mitigation strategies meant that none could be considered “Externally Secure”.
“The agencies had security controls in place to provide a reasonable level of protection from breaches and disclosures of information from internal sources. However, this is not sufficient protection against cyber attacks from external sources. To comply fully with the PSPF [Protective Security Policy Framework], agencies should also have a reasonable level of protection from external threats,” the report said.
“In essence, agency processes and practices have not been sufficiently responsive to the ever-present and ever-changing risks that government systems are exposed to,” it said.
“Notwithstanding the agency activities planned for implementation by 30 June 2014, and in the absence of further agency initiatives, all of the selected agencies are likely to remain in the Internally Secure Zone and not achieve full compliance with the mandatory ISM controls by 30 June 2014, the date specified by the Australian Government,” the report said.
The ANAO provided several recommendations aimed at improving the seven agencies’ security postures.