This edition of audit insights covers audit reports tabled in Parliament during the fourth quarter of 2017–18 with a focus on the key learnings relating to cyber resilience. Cyber security is an increasing risk across government and one that requires attention by Accountable Authorities.

Video

Introduction

Information security is important and should be a priority for government entities. If information systems can be accessed by intruders, this could compromise the financial and identity security of individuals and the commercial interests of corporations. It could also compromise national security and diminish the reputation of government and willingness of individuals and entities to share information with the government. In doing so, this could affect government’s ability to effectively and efficiently carry out its functions.

According to the Attorney-General’s Department’s Protective Security Policy Framework (PSPF), non-corporate Commonwealth entities must develop, document, implement and review appropriate security measures to protect information from unauthorised use or accidental modification, loss or release by:

  • establishing an appropriate information security culture within the entity;
  • implementing security measures that match the information’s value, classification and sensitivity; and
  • adhering to all legal requirements.

The mandatory requirements of this core policy are based on the three elements of information security:

  • confidentiality: ensuring that information is only accessible to those authorised to access it;
  • integrity: safeguarding the accuracy and integrity of information and processing methods; and
  • availability: ensuring that authorised users have access to information and associated assets when required.

A secure cyberspace provides trust and confidence for individuals, business and the public sector to share ideas, collaborate and innovate. To strengthen trust online, effective implementation of a comprehensive cyber security strategy across government systems is critical to protect Australians’ privacy and Australia’s social, economic and national security interests from targeted cyber intrusions and emerging cyber threats.

Cyber resilience

Cyber resilience is the ability to continue providing services while deterring and responding to cyber intrusions. Cyber resilience also reduces the likelihood of successful cyber intrusions. To become cyber resilient, an entity must first establish effective ICT general controls. Effective ICT general controls provide a stable and reliable foundation upon which other processes and controls can be built. An entity must also effectively implement the Top Four mitigation strategies. Together, these form the basis of the entity’s cyber resilience—in essence, how well the entity is protecting its exposure to external vulnerabilities and intrusions, internal breaches and unauthorised information disclosures, and how well it is positioned to address cyber threats

In February 2017, the Australian Signals Directorate issued the updated Strategies to Mitigate Cyber Security Incidents, referred to as the Essential Eight. These strategies are set out below. The ‘Top Four’ of these eight strategies are mandatory:

  • using application whitelisting on desktops and servers to prevent malicious software and unapproved programs from running on a computer;
  • applying application patches through sound policies, procedures and practices to help ensure the applications’ security;
  • applying operating system patches through sound policies, procedures and practices to mitigate security risks and reduce system vulnerabilities; and
  • effectively managing access provisions for privileged user accounts across an entity’s ICT environment, including the entity’s network, applications, databases and operating systems.

The four non-mandatory strategies of the Essential Eight are:

  • disabling untrusted Microsoft Office macros on desktops and servers to prevent the unauthorised download and running of malicious software;
  • hardening the configuration of applications (user application hardening) used to interact with the Internet, including blocking web browser access to Adobe Flash player, web advertisements and untrusted Java code;
  • applying multi-factor authentication to make it more difficult for adversaries to use stolen credentials to access sensitive information and facilitate further malicious activities across an entity’s ICT environment; and
  • effectively managing daily backup of important data, including testing of data restoration processes, to mitigate data being encrypted, corrupted or deleted by ransomware or other destructive malicious software.

Audit activity

Over the past four years of conducting performance audits of entities cyber resilience, reaching 14 entities, the ANAO found that compliance with mandatory requirements of information security continued to be low. While efforts have been made to achieve compliance, there were low levels of compliance for whitelisting, particularly for servers (higher levels of compliance for desktops), variable levels of compliance for security patching of applications and operating systems (lower for operating systems) and while privileged accounts had some controls, there were also shortcomings in a number of entities.

The 14 entities examined in these audits held information across the spectrum of economic, commercial, policy and regulatory, national security, program and service delivery and corporate activities.

The Interim Report on Key Financial Controls of Major Entities was published in June 2018 and includes an assessment of entities’ key internal controls that supported the preparation of the 2017–18 financial statements of 26 entities. The report also includes the self-assessed level of compliance with mandatory cyber security controls of 23 entities. A significant proportion of these entities continue to report non-compliance with mandatory strategies to mitigate targeted cyber intrusions, with only 48 per cent reporting compliance. Not implementing the mandatory mitigation strategies reduces an entity’s ability to continue providing services while deterring and responding to cyber intrusions. It also increases the likelihood of a successful cyber intrusion.

Also in June 2018 the ANAO published, as part of Auditor-General Report No. 53 Cyber Resilience, a list of behaviours (Table 4.3) that may assist agencies to build a strong cyber security compliance culture and meet mandatory requirements. These are outlined below.

Governance and risk management

  • Establish a business model and ICT governance that incorporates ICT security into strategy, planning and delivery of services.
  • Manage cyber risks systematically, including through assessments of the effectiveness of controls and security awareness training.
  • Task enterprise-wide governance arrangements to have awareness of cyber vulnerabilities and threats.
  • Adopt a risk-based approach to prioritise improvements to cyber security and to ensure higher vulnerabilities are addressed.

Roles and responsibilities

  • Assign information security roles to relevant staff and communicate the responsibilities.
  • Develop the capabilities of ICT operational staff to ensure they understand the vulnerabilities and cyber threats to the system.
  • Ensure management understand their roles and responsibilities to enhance security initiatives for the services for which they are accountable. This includes senior management understanding the need to oversight and challenge strategies and activities aimed at ensuring the entity complies with mandatory security requirements.
  • Embed security awareness as part of the enterprise culture, including expected behaviours in the event of a cyber incident.
  • Assign data ownership to key business areas, including the role to classify the data, and grant/revoke access to shared data by other entities.

Technical support

  • Develop and implement an integrated and documented architecture for data, systems and security controls.
  • Identify and analyse security risks to their information and system, including documenting ICT assets requiring protection.
  • Establish a Cyber Incident Response Plan, informed by a comprehensive risk assessment and business continuity plan, including a priority list of services (not ICT systems) to be recovered.

Monitoring compliance

  • Develop an approach to verify the accuracy of self-assessments of compliance with mandatory cyber security requirements.

The recent Cyber Resilience audit found that low levels of compliance were driven by entities not adopting a risk-based approach to prioritise improvements to cyber security, and cyber security investments being focused on short-term operational needs rather than long-term strategic objectives.

The audit noted that cyber resilient entities had a business model and ICT governance that incorporated ICT security into their strategy, planning and delivery of government services. For these entities, ICT systems were no longer considered an enabler to business—they were core business. These entities understand the risk profile across their enterprise ICT systems, and managed those risks systematically, including through assessments of the effectiveness of controls and security awareness training. They had taken steps to improve business processes to accommodate the security strengths and weaknesses of each ICT system. For these effective entities, ICT security was a priority.

Entities with a cyber-resilient culture have a set of shared attitudes, values and behaviours that characterise how an entity considers cyber risk in its day-to-day activities. Cyber-resilience requires more than compliance with government requirements and following a checklist of behaviours and practices that may improve an entity’s cyber resilience.

A cyber resilience culture promotes an open and proactive approach to managing cyber risk that considers both vulnerabilities and opportunity; and is one where cyber risk is appropriately identified, assessed, communicated and managed across all levels of the entity.