This edition of Audit Insights is targeted at Australian Government officials who have responsibility for the implementation of cyber security controls or strategy for government systems. The aim is to communicate lessons from our audit work to make it easier for people working within the Australian public sector to apply those lessons. It is drawn from audit reports tabled in 2019–20, 2020–21 and 2022–23 into management of cyber security risks.

Introduction

Cyber security continues to be a risk for all Australian individuals, organisations and government entities, with over 76,000 cybercrimes reported to the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) in 2021–22 — an increase of 13 per cent on the previous financial year. Cyber attacks against the government sector include malicious cyber activities against contractors holding government information.

Cyber security controls and strategies are designed to protect Australians’ privacy and Australia’s social, economic and national security interests from targeted cyber intrusions and emerging cyber threats.

The Attorney-General has established the Protective Security Policy Framework (PSPF). The PSPF helps Australian Government entities to protect their people, information and assets. The PSPF comprises 16 policies, including Policy 10 — ‘safeguarding information from cyber threats’. Policy 10 specifies the mandatory cyber security requirements for non-corporate Commonwealth entities under the Public Governance, Performance and Accountability Act 2013 and represents better practice for corporate Commonwealth entities and companies.

The ACSC developed the Essential Eight mitigation strategies for cyber security, which were mandated in Policy 10 from 1 July 2022. The ACSC has defined the Essential Eight as being the most effective strategies for mitigating cyber security incidents.

The ANAO has conducted a series of audits on cyber security and identified ongoing low levels of cyber resilience in non-corporate Commonwealth entities, and high rates of non-compliance with the Policy 10 requirements. The Attorney-General’s Department’s PSPF Assessment Report 2021–22 indicated that 76 per cent of entities reported not fully implementing Policy 10 requirements. Non-compliance with Policy 10 requirements increases the risk of cyber security incidents to systems and information. The ACSC’s Annual Cyber Threat Report, July 2021 to June 2022 reported that the severity of cyber security incidents was increasing, and 24 per cent of cyber security incidents responded to by ACSC were reported from Commonwealth entities.

ANAO audits have identified cases where entities have attempted to comply with mandatory security requirements, but evidence suggests entities have not fully understood the intention of Policy 10 and how it applies to their organisation. Several entities had not implemented the mitigation strategies and relied on documenting policies and procedures to achieve compliance with Policy 10. The intention of Policy 10 is to mitigate common and emerging cyber threats and to safeguard information from cyber threats, not just establish or update internal frameworks, policies and procedures. These audits illustrate three key lessons for effectively implementing and managing cyber security in Australian Government entities.

  1. Decide what, when and how much to protect.
  2. Regularly assess performance of security controls.
  3. Monitor contractor performance.

1. Decide what, when and how much to protect

Under the PSPF, non-corporate Commonwealth entities are required to establish effective security planning and embed security into risk management practices. This includes identifying assets, such as information and systems, that are critical to the ongoing operation of the entity and the national interest, and applying appropriate protections to those assets. The effective implementation of cyber security risk mitigation strategies is supported by the identification of assets, and risk assessments to identify the level of protection required from cyber threats.

There are a number of key considerations when identifying critical assets and implementing protection measures.

  • Use appropriate expertise — Entities may not have the internal expertise to perform cyber security risk assessments. These entities can draw on expertise from the Australian Signals Directorate (ASD), the ASD’s Infosec Registered Assessors Program (IRAP) and the private sector for assistance in performing cyber security risk assessments and strengthening cyber security controls.
  • Identify and evaluate assets — Entities should identify their assets and perform a risk assessment to help determine their value, importance, sensitivity and impact to the organisation if those assets were compromised. Entities should consider the type of asset and the services the asset supports when assessing the value, importance, sensitivity and impact.
  • Adopt a risk-based approach to implementation of protection measures — The ACSC recommends starting with threats of most concern to the organisation and implementing protection measures for higher-risk assets, such as those with access to important data or those exposed to the internet. This approach should consider the balance of maturity levels across protection measures to ensure broad coverage of cyber threats. The ACSC suggests achieving a consistent maturity level across all Essential Eight mitigation strategies before implementing higher maturity levels.
  • Implement the Essential Eight mitigation strategies — Entities should focus on implementing the Essential Eight mitigation strategies as their security baseline and, where the Essential Eight cannot be implemented, establish compensating controls to address associated risks. Compensating controls are measures such as antivirus scanning and macro blocking. ASD suggests that entities also broaden their focus to include mitigation strategies and practices focussed on cyber security hygiene, such as email and website encryption, and mitigations identified through ASD’s Cyber Hygiene Improvement Programs (CHIPs).

Case study

The Reserve Bank of Australia (RBA) and ASC Pty Ltd (a government business enterprise, formerly known as the Australian Submarine Corporation) had incident response plans for their critical assets. Although it is not mandatory for government business enterprises and corporate Commonwealth entities to apply the PSPF, the RBA and ASC had established cyber security frameworks that mandated the implementation of the Essential Eight. This level of security planning helped RBA and ASC ensure the required protection measures for their critical assets were appropriately implemented and operating effectively. Where RBA and ASC could not implement mandatory security controls, they undertook risk assessments to develop compensating controls, which proved effective in meeting the intent of the mandatory security controls.

2. Regularly assess performance of security controls

Non-corporate Commonwealth entities are required to report under the PSPF, which provides transparency about their implementation of sound and responsible protective security practices. The reporting requirements under the PSPF also help the Attorney-General’s Department with the development of the annual PSPF Assessment Report.

ANAO audits of cyber security have identified cases where entities have overstated their PSPF maturity levels in reporting to the Attorney-General’s Department. As part of the annual reporting process, accountable authorities of Australian Government entities should obtain assurance that mandatory cyber security requirements have been implemented and are operating in accordance with the PSPF, and that the entity’s reporting to the Attorney-General’s Department accurately reflects the entity’s maturity level. The following are common practices that have helped entities obtain assurance over their implementation of mandatory cyber security controls and the accuracy of reported maturity levels.

  • Embed cyber security into governance and risk management practices — Cyber security should be included as a focus in oversight arrangements and internal controls. Entities that embed cyber security into governance and risk management practices were able to improve transparency of cyber security by making it part of regular dialogue within senior management.
  • Monitor security risks and controls regularly — Entities should establish regular assessments of their business and IT risks and controls. Monitoring both business and IT risks and controls can assist senior management to ensure that controls effectively mitigate risks across the organisation.
  • Evaluate performance of controls — Evaluating the performance of controls can assist with identifying where controls are not operating as intended to mitigate risk. These assessments should be underpinned by an appropriate methodology. PSPF Policy 4 — ‘security maturity monitoring’ — recommends the development of a security maturity monitoring plan that includes these mechanisms. The results of such assessments should be considered as the inputs and evidence to support annual PSPF reporting.
  • Adopt a risk-based approach to assessments — Entities should prioritise the assessment of cyber security controls. The priority should be based on critical assets and high-risk users and systems. Entities should then progress through other identified assets based on the value, importance, sensitivity and impact to the organisation.

Case study

The Australian Taxation Office (ATO) has established periodic assessments of its implementation of the Essential Eight mitigation strategies as part of its Cyber Threat Assurance Program. The ATO uses these to check on its implementation of mandatory PSPF cyber security requirements. These assessments are performed using a defined methodology and are supported by quality assurance processes. The assessments provide assurance to the senior executive that the ATO is meeting its security requirements and is accurately reporting on its security capabilities.

The Attorney-General’s Department has implemented processes for monitoring vulnerabilities and security events to manage its cyber threats and risks. These processes provide an indication of the level of implementation of some Essential Eight mitigation strategies.

The RBA has governance committees that meet regularly to review enterprise and operational level risks, which include reviewing vulnerabilities and potential cyber threats. The RBA adopts a risk-based approach to prioritising improvements to cyber security, including a systematic approach to assessing risk and the effectiveness of controls.

3. Monitor contractor performance

Where the provision of digital services is outsourced to external providers, accountability for the good or service and associated delivery outcomes (including managing security risks) remains with the contracting entity. Ongoing oversight and management are important given the constantly changing security risks and environment. The following are some considerations to help entities effectively monitor contractor performance and ensure goods and services are delivered in accordance with PSPF cyber security requirements.

  • Define cyber security performance measures — Entities should specify contract terms and conditions that define cyber security performance measures and establish financial consequences for poor performance. Contract management arrangements should include service level agreements and key performance indicators relating to adherence to mandatory PSPF cyber security requirements.
  • Conduct regular compliance assessments — Contract arrangements that include ongoing and regular assessments of compliance with contract security conditions will help ensure that vendors are adhering to essential security requirements.
  • Establish assurance arrangements over performance information — Entities need arrangements to ensure performance information is complete and accurate. Without these arrangements, contracted providers may overstate the implementation, operation, and maintenance of cyber security controls.

Case study

The ATO requires its contracted providers to provide regular updates on the implementation and operation of relevant security controls. These updates include reporting on Essential Eight mitigation strategies. The information from contracted providers supports assurance activities within the ATO’s broader Cyber Threat Assurance Program. By focussing on cyber security reporting as part of regular reporting, the ATO is able to assess whether contracted providers are implementing and operating required security controls.