This audit would examine controls in place to manage cyber resilience in selected corporate Commonwealth entities and government business enterprises. This audit would use the strategies outlined in the Australian Government Information Security Manual as the baseline against which cyber resilience will be assessed—although mandatory for non-corporate Commonwealth entities, these requirements are not mandatory for government business enterprises.
The Australian Signals Directorate (ASD) has identified those strategies that entities should implement in order to mitigate 85 per cent of the techniques used in targeted cyber intrusions. Through the Protective Security Policy Framework (PSPF), the implementation of these strategies has been made mandatory for non-corporate Commonwealth entities. In 2017, ASD expanded the original ‘Top 4’ strategies to the ‘Essential 8’ to deliver a baseline cyber security posture, although these have not yet been mandated through the PSPF.
The ANAO conducted its first cyber resilience audit in 2013–14 (ANAO Audit Report No. 50 of 2013–14). This report highlighted non-compliance by the seven participating entities with the ‘Top Four’ strategies in the Information Security Manual. The second audit in the cyber resilience series was completed in May 2016 (ANAO Audit Report No. 37 of 2015–16), and a third audit, which followed up progress made by three of the original seven entities, was completed in March 2017 (ANAO Audit Report No. 42 of 2016–17). This audit would continue the ANAO’s audit coverage in this area.
The ANAO can conduct performance audits of government business enterprises where requested by the Joint Committee of Public Accounts and Audit.