29 May
Fed agencies cop mass fail in core systems cyber review
Just one agency gets ‘Essential eight’ tick for financial, HR systems.
Only one of the federal government’s largest agencies has fully applied the Australian Signals Directorate’s essential eight to some of its most important systems, the national auditor has found.
The finding is contained in the 2019 interim financial controls audit of major entities, which reviewed the implementation of the controls now considered the baseline for cyber resilience.
The Australian National Audit Office’s review focused on the financial and HR systems of 18 agencies, including Defence, Services Australia, Home Affairs and the Tax Office.
“The review was undertaken to confirm the accuracy of reporting and identify cyber security risks that may impact on the preparation of financial statements,” the auditor said [pdf].
“The review consisted of analysis of policy and procedural documentation, testing of mitigation strategies specific to the FMIS and HRMIS, results of sprint assessments and interviews with entity personnel.”
It follows a series of targeted audits conducted by the auditor since 2013 that have uncovered serious cyber resilience shortcomings, particularly around the implementation of the top four.
But as with previous audits, the review found “maturity levels for most entities were significantly below” requirements under policy 10 of the protective security policy framework (PSPF).
Policy 10 requires entities to achieve the maturity level ‘managing’, which the ANAO said is equivalent to the essential eight maturity level three.
“Of the 18 entities assessed, only one was rated as achieving a managing maturity level across all eight controls,” the auditor said.
Source: ANAO