Section 41 of the Auditor-General Act 1997 establishes the position of the Independent Auditor. The Independent Auditor report, Review of Cyber Security, was tabled in Parliament on 4 December 2017 and can be accessed here: PDF icon ANAO Review of Cyber Security. The reporting included a number of recommendations relating to the ANAO’s own IT environment and the ANAO’s cyber security performance audits of other Australian entities.

Review of Cyber Security external audit - status update (February 2018)

February 2018 update

Recommendations relating to the ANAO's own IT environment

ANAO response included in the report

Current status

Enhance the data governance framework and further drive the prioritisation of required security controls by improving the communications channels/processes from audit teams to the CIO and ITSA. This communication is to identify the most sensitive stakeholder data held within the ANAO IT environment which requires protection.

The ANAO has a sound approach to managing client data that is collected as part of an audit. This approach is guided by the Audit Manuals that prescribe processes based on policies, audit standards and audit methodology. In addition, the ANAO has identified opportunities across its strategic governance framework to enhance the corporate processes that support audit teams to collect, handle and store audit evidence. The ANAO will include standing agenda items at the IT Strategic Committee that require Senior Audit managers to report on ongoing conformance with corporate policies.

In progress.

Membership of the ANAO's security committee has been expanded to include greater input from business units, particularly to enhance management of personnel security.

Data governance has been added as a standing agenda item to the ANAO's IT Strategic Committee to enable Executive leaders to continue to normalise discussions about the relationship between audit evidence and data management.

ANAO continues to monitor its data holdings to ensure the appropriate management and storage of audit evidence according to Audit manuals.

Create a cyber security strategy to prioritise the required security improvements to further strengthen the security controls of the ANAO IT environment. These controls should include:

  • the Essential Eight1 (incorporating the Top Four) cyber security mitigations recommended by the ASD (henceforth the Essential Eight);
  • specific controls with a high cost-benefit value to the ANAO's IT environment; and
  • key detective security controls e.g. implementing more network and host based monitoring.

The ANAO agrees to develop a cyber security strategy to complement its existing suite of governance documents including the ANAO Corporate Plan, IT security policy and ANAO strategic risk framework. The ANAO notes that the ISM and PSPF do not require an organisation to develop a security strategy. The ANAO has regard to both the ISM and PSPF in developing its approach to security and has existing policies that cover information security, personal security and physical security. The ANAO agrees to include in the cyber security strategy its approach regarding the Essential Eight controls particularly those controls that have a high cost-benefit value to the ANAO's IT environment

In progress.

  • The ANAO has commenced the development of the cyber security strategy. The strategy will complement the ANAO's existing security documents and articulate the ANAO's strategic approach to security management.
  • The ANAO has undertaken a number of security improvements in the meantime to align with the Essential Eight and improve cyber resilience:
    • A Windows 10 operating environment has been implemented with new controls whilst removing previous vulnerabilities.
    • Improved backup and restore capabilities to minimise risks of data loss.
    • Enhancements to application and firmware patching processes.

Document and maintain a security risk assessment that includes a register of ANAO's IT security controls, additional risk treatments required or accepted risks under the ANAO's risk management framework.

The ANAO has implemented a risk register that identifies PSPF requirements and the ANAO's treatment and risk assessment of those controls. The register is monitored through a sound governance framework which includes the monthly ANAO Security Committee meeting, the IT Strategic Committee which is a sub-committee of the ANAO's Executive Board of Management.


The register has been developed and is currently being refined to include risks and controls across the ANAO's entire ICT environment, beyond the PSPF.

Define a process that identifies when and how to engage with the ASD when responding2 to a security incident, and if ASD support was not available in a timely manner due to other ASD priorities, how the security incident would be handled by the ANAO.

The ANAO has updated the Incident Response Plan as part of the IRAP assessment to include more direction on when to contact ASD. The ANAO notes that its Incident Response Plan contained guidance on when to contact ASD prior to the recent update. The ANAO will review its documents to provide additional guidance on how to manage an incident where ASD was not available.


The ANAO has reviewed its existing plans to ensure that guidance on how to manage incidents remains relevant and appropriate. The ANAO conducted an exercise in December 2017 to test its incident response plan and business continuity plans.

The ANAO continues to work with its vendors to refine processes for managing security incidents in the absence of ASD.

Improve the monitoring of security controls by ensuring segregation of duties between the staff responsible for operating key security controls and the ITSA that is monitoring and reporting on them.

The ANAO recognised the importance of segregating the duties of the ITSA in October 2016, splitting the role from the CIO and appointing a dedicated ITSA at that time. The ANAO notes the Independent Auditor's observation that the ITSA has other duties and will monitor the workload to ensure IT security functions continue as a priority.

ANAO has improved reporting mechanisms through its governance framework to ensure that cyber security is prioritised, monitored and reviewed. The development of the cyber security strategy will assist the ANAO in the management and reporting of progress to senior management.


The CIO and ITSA roles remain segregated. In addition, the ANAO continues to include cyber security in its governance committees to ensure ongoing monitoring of cyber security environment.

Continue with the current IRAP assessment in progress to validate the effectiveness of current security policies and controls across the IT environment and inform the prioritisation of remediation of key control deficiencies.

The ANAO is nearing completion of the IRAP assessment. The ANAO continues to implement improvements and recommendations from the assessment.

In progress

The ANAO's security documentation framework was updated and IRAP testing has taken place. The ANAO is awaiting the assessor's report.


1 JCPAA Report 467 on Cybersecurity Compliance issued in October 2017 recommended that Australian Government mandate the Essential Eight for all Public Governance, Performance and Accountability Act 2013 entities, by June 2018. This represents two changes: increasing the mandatory controls for non-corporate Australian Government entities from the Top Four to the Essential Eight and making the Essential Eight mandatory for corporate Australian Government entities where they are currently only recommended.

2 The process for mandatory reporting of security incidents to ASD is documented. This recommendation relates to the expectations of support (from internal staff, service providers and potentially ASD) to respond to an on-going security incident.