Introduction

1.1 In November 2023 the Australian Government released the 2023–2030 Australian Cyber Security Strategy. The minister’s foreword identifies cyber security as an ‘urgent national problem’ that ‘touches the lives of every Australian’, and declares the government’s intention to ‘hold itself to the same standard it expects of industry’. The strategy notes the government’s appointment of a National Cyber Security Coordinator to lead whole-of-government cyber security uplift.

1.2 The Department of Parliamentary Services (DPS) is a non-corporate Commonwealth entity (NCE) that provides essential services to the Australian Parliament. The DPS Corporate Plan 2025–26 notes that it operates in a ‘challenging’ security environment and that cyber security is a ‘top priority’.² In 2019 DPS was subject to a high-profile cyber security incident, and the department regularly monitors and responds to other potential cyber threats.

Protective Security Policy Framework

1.3 The Australian Government Protective Security Policy Framework (PSPF) ‘prescribes what Australian Government entities must do to protect their people, information and resources’.³ The Minister’s Directive on the Security of Government Business establishes the PSPF as government policy and directs NCEs subject to the Public Governance, Performance and Accountability Act 2013 (PGPA Act) to comply with the PSPF.⁴ Section 21 of the PGPA Act requires accountable authorities of NCEs to govern the entity in accordance with the PGPA Act in a way that is not inconsistent with the policies of the Australian Government.

1.4 The PSPF is updated annually, with each ‘release’ providing a list of requirements and a summary of changes made since the previous release. As at March 2026 the most recent release was issued on 24 July 2025.⁵ PSPF Release 2025 sets out Australian Government policy across six connecting protective security ‘domains’ — governance, risk, information, technology, personnel and physical — and prescribes entity responsibilities to meet protection requirements. It also covers principles, policy, standards, and technical manuals and guidelines. Entity application of the PSPF is intended to assure government that protective security practices are sound and that entities can identify and mitigate risks. The technology domain covers technology lifecycle management, cyber security strategies and cyber security programs, with section 14 stipulating cyber security strategy requirements. This audit made assessments based on PSPF Release 2025.

1.5 Under the Administrative Arrangements Orders, of 13 May 2025, the Department of Home Affairs (Home Affairs) is responsible for administering the PSPF and protective security policy.⁶ The Australian Signals Directorate (ASD) is responsible for the Information Security Manual (ISM). The ISM sets out the technical controls relevant to cyber security for agencies to implement in applying the PSPF as the overarching policy framework.⁷ To help organisations mitigate cyber security incidents, ASD produces the Strategies to Mitigate Cyber Security Incidents. These are prioritised according to effectiveness and those ASD considers most effective are referred to as the Essential Eight (see Table 1.1).⁸

Table 1.1: Essential Eight cyber threat mitigation strategies for entities

Source: ANAO analysis of ASD Essential Eight guidance.

1.6 For each Essential Eight strategy ASD defines implementation maturity levels from zero to three.⁹ Since 1 July 2022 the PSPF has required that NCEs entities maintain Maturity Level Two for implementation of each strategy.¹⁰ NCEs must undertake annual PSPF compliance self-assessments against the entire PSPF and report this to their minister and Home Affairs. For the Essential Eight, Home Affairs allows entities to report their implementation of Maturity Level Two requirements as ‘fully implemented’, ‘risk managed’ or ‘not yet implemented’ and to provide commentary (see Table 1.2).¹¹

Table 1.2: PSPF self-assessment categories

Note a: The PSPF Guidelines allow for entities to report as ‘risk managed’ the implementation of Essential Eight strategies with alternative mitigations that they consider meet or exceed PSPF requirements.

Note: PSPF refers to the Protective Security Policy Framework.

Source: ANAO analysis of PSPF Guidelines. See Department of Home Affairs, Australian Government Protective Security Policy Framework release 2025: guidelines, available from https://www.protectivesecurity.gov.au/ pspf-annual-release/pspf-guidelines [accessed 4 March 2026].

1.7 The PSPF self-assessment process results in an overall entity score. The scoring approach does not ‘penalise’ entities for employing a risk-managed approach. Additional information is required to justify the approach.

1.8 Home Affairs does not require entities to provide evidence of their self-assessment or the effectiveness of their PSPF requirement implementation but may seek further information for quality assurance. As at March 2026 DPS had not received a request to provide information for a Home Affairs quality assurance activity.

Department of Parliamentary Services

1.9 DPS is one of four departments that comprise the Australian Parliamentary Service.¹² The DPS Secretary reports to the President of the Senate and the Speaker of the House of Representatives (the Presiding Officers). The DPS Corporate Plan 2025–26 sets out its key activities as:

• support the functioning of the parliament;
• facilitate visitor and community access to Australian Parliament House and the parliamentary process; and
• stewardship of Australian Parliament House.¹³

1.10 DPS provides Information and Communications Technology (ICT) office equipment to its staff inside and outside the Parliament House building as well as to parliamentarians, their electorate office staff and personal staff, and former prime ministers. In addition, it has established memoranda of understanding for provision of ICT services with:

• the Office of the Official Secretary to the Governor-General;
• the Parliamentary Workplace Support Service; and
• jointly the Department of the Senate, the Department of the House of Representatives and the Parliamentary Budget Office (the parliamentary departments).

1.11 DPS advised the ANAO on 20 April 2026 that its network, and networks it supports under shared services arrangements, support 4,817 users across 10,951 end-user devices. The largest cohort of users are parliamentarians and their staff using the network, with staff of other parliamentary departments also forming a significant user group.

1.12 As discussed in paragraph 1.3, the requirement of NCEs to adhere to the PSPF is established by section 21 of the PGPA Act. The extent to which section 21 applies to parliamentary departments is subject to subsection 9(2) of the Parliamentary Service Act 1999, which provides that the Parliamentary Service serves the Parliament independently of the Executive Government of the Commonwealth. The Minister for Home Affairs’ foreword to the PSPF directs accountable authorities of NCEs subject to the PGPA to comply with the PSPF, and the DPS Security Plan 2025–2027 states that the department’s protective security must be applied in alignment with PSPF requirements. DPS does not have other mechanisms (such as memoranda of understanding or user agreements) for those using its network to agree to comply with PSPF requirements.

1.13 The Parliamentary Precincts Act 1988 provides that the presiding officers control and manage the parliamentary precincts (all land, structures and works within the circular boundary formed by the retaining wall). The Parliamentary Service Act 1999 established the Security Management Board to advise the Presiding Officers on Parliament House security, including cyber security. The Security Management Board terms of reference state that it ‘provides a formal forum for advice to the Presiding Officers on strategic and operational security matters that affect the control and management of the Parliamentary precincts’. The DPS Secretary is the board chair (appointed by the presiding officers), and the remaining membership comprises Department of the Senate and Department of the House of Representatives SES representatives, and the Australian Federal Police Commissioner.¹⁴

1.14 In 2022 DPS finalised the Parliament of Australia Cyber Security Strategy 2022–2025.¹⁵ The strategy notes its responsibility for providing a diverse range of services to high-profile stakeholders and that the ‘Parliament’s status as the operational and symbolic centre of Australian parliamentary democracy raises its profile among malicious cyber actors’.

Rationale for undertaking the audit

1.15 Auditor-General Report No. 39 2024–25 Interim Report on Key Financial Controls of Major Entities reviewed entity self-reported PSPF data.¹⁶ Only five of 22 entities (23 per cent) reported all Essential Eight strategies as fully implemented. The Department of Home Affairs 2024–25 PSPF Assessment report summarises results from entities’ PSPF self-assessments, with 47 per cent of reporting entities having self-reported fully implementing all requirements associated with essential cyber security strategies and a further 42 per cent self-reporting risk-managed compliance.¹⁷ This audit provides independent assurance to Parliament on whether DPS has an effective baseline of cyber security strategies to mitigate cyber security risks.

Audit approach

Audit objective, criteria and scope

1.16 The objective of the audit was to assess whether the Department of Parliamentary Services has an effective baseline of cyber security strategies.

1.17 To form a conclusion against the objective, the following criteria were adopted:

• Has DPS appropriately assessed essential cyber security risks?
• Has DPS implemented appropriate essential cyber security controls?
• Does DPS have appropriate assurance of the effectiveness of its essential cyber security controls?

Audit methodology

1.18 The audit methodology included:

• reviewing entity documentation such as internal policies and procedures, management reports, self-assessments and assurance activities, committee papers and minutes relevant to the scope of this audit;
• conducting meetings with relevant DPS senior officials and officers involved in the design, implementation and monitoring of cyber security controls; and
• testing the effectiveness of selected controls and technical configuration within the DPS network.

1.19 The audit was conducted in accordance with ANAO Auditing Standards at a cost to the ANAO of approximately $330,000.

1.20 The team members for this audit were Ben Siddans, Edwin Apoderado, Jay Banpel, Kelvin Le, Adam Reddiex, Jane Wiles and Lesa Craswell.

1.21 The ANAO has co-operative evidence gathering arrangements in operation with entities. On 16 December 2025 the Auditor-General issued DPS with a notice to provide information and produce documents pursuant to section 32 of the Auditor-General Act 1997, in order to facilitate timely provision of data given the sensitivities associated with the audit subject matter, and the role of DPS in supporting the work of the Parliament. DPS provided the information and documents requested within the specified time, following receipt of the notice.

2.1 As discussed in paragraphs 1.2 and 1.3, non-corporate Commonwealth entities (NCEs) such as the Department of Parliamentary Services are required to apply the PSPF, which includes adhering to the Information Security Manual (ISM). The PSPF and ISM outline a risk-based approach to a cyber security framework that organisations can apply to protect key systems from cyber threats. The ANAO considered the extent to which DPS followed key elements of a risk-based approach to its essential cyber security controls.

Has the Department appropriately assessed essential cyber security risks?

2.2 The first steps in the ISM’s risk-based lifecycle approach to cyber security include defining the system to be protected and selecting appropriate controls. While the PSPF requires that entities implement the Essential Eight cyber security strategies to Maturity Level Two¹⁸, entities may decide to implement controls to a higher standard, vary the specifics of the control implementation, or to use other mitigation strategies to achieve the same objective. The Australian Signals Directorate (ASD) provides guidance to entities to inform their implementation of the Essential Eight using a risk-based approach. The ANAO considered whether DPS performed appropriate assessments of risks to inform its posture for essential cyber security controls.

2.3 During the audit, ASD updated the ISM and associated Essential Eight guidance.¹⁹ The ANAO considered the extent to which DPS aligned with overarching principles relevant to ISM principles and the scope of the audit, the result of which are shown in Table 2.1.

Table 2.1: Assessment of DPS’ risk assessment processes related to essential cyber security risks

Key: ● Effective ◕ Largely effective ◑ Partly effective ◔ Limited effectiveness

Source: ANAO assessment of DPS IT control environment.

Enterprise-wide governance arrangements

2.4 DPS has established a Security Plan, which clearly defines roles and responsibilities related to cyber security, with overall responsibility resting with the Secretary (DPS’ Accountable Authority). As the Accountable Authority, the Secretary has responsibilities under the PSPF including (but not limited to) determining tolerance for security risks, managing the security risks of DPS, and adhering to the mandatory directions issued by the Secretary of the Department of Home Affairs to government entities.²⁰ The Secretary is supported by the Chief Security Officer, the Chief Information Officer (CIO) and the Chief Information Security Officer (CISO) — who reports to the CIO.

2.5 The Security Plan defines a risk tolerance relating to cyber security and describes the circumstances in which DPS may adjust its tolerance in order to balance other imperatives. The Security Plan also assesses key security threats, and identifies strategic and business risks that are mapped to DPS’ enterprise risks. DPS advised the ANAO on 3 March 2026 that it was unable to provide evidence of the process by which it had assessed the severity of these risks, or monitored them on an ongoing basis. While the PSPF requires entities achieve Maturity Level Two for the Essential Eight strategies as a minimum requirement, limited documentation was available to describe the process by which the department considered if other maturity levels may be required for its risk environment.

2.6 DPS has a Security Committee which is the body responsible for the oversight and management of protective security and security risk, including cyber security matters. The Security Committee meets quarterly and reports to the Executive Committee. As discussed in paragraph 1.13, the Security Management Board advises the Presiding Officers on Parliament House security, including cyber security. The Parliamentary Heads of Department Group is chaired on a rotating basis by the heads of each parliamentary department and receives advice on strategic ICT matters including those related to cyber security. The relationship between key cyber security governance committees is outlined in Figure 2.1.

Figure 2.1: Key DPS governance committees relevant to cyber security

Source: ANAO analysis of DPS governance arrangements.

2.7 Key policies relating to the management of cyber security risks are incomplete and/or not endorsed by the Security Committee and have not been implemented (security policies are discussed further in 2.48).

2.8 The ISM specifies requirements for reporting and coordination of cyber security. The ISM requires that the CISO report directly to the executive committee, and audit and risk committee on cyber security, a function performed by the DPS CIO.²¹ ISM control 0725 requires that the CISO coordinate cyber security and business alignment through a cyber security steering committee or advisory board, which meets formally on a regular basis. While the Information Security Working Group serves this purpose, the group had not met within a 12-month period examined by the audit.

Parliament and parliamentary departments

2.9 As discussed in paragraphs 1.9 to 1.14, DPS operates in an environment in which the majority of the users of its network are not its own staff, and are subject to varying legislative and policy requirements regarding cyber security. The DPS network does not provide separate governance arrangements or control environments that align with these differing business requirements and risks (discussed further in paragraph 2.39). DPS does not have other mechanisms (such as memoranda of understanding or user agreements) for those using its network to agree to comply with PSPF requirements. As a result, cyber security policy requirements not applied to Parliamentarians or parliamentary departments have also not been applied to DPS staff using the same network.²² As the Secretary of DPS is responsible for ensuring that DPS staff adhere to the PSPF per the direction from the Minister (see paragraph 1.12), this may expose the department to risk.

2.10 DPS provides shared ICT services to other parliamentary departments, which are defined in a series of memoranda of understanding (MoUs). The MoUs describe a Parliamentary ICT Governance Framework that includes the following means by which shared cyber security risks are managed:

• the DPS CIO who represents the interests of parliamentary departments in the Executive Committee;
• the Strategic ICT Group which has members from the senior executive of the parliamentary departments including DPS CIO, the chair. The Group is described as ‘the premier body for the escalation of and consideration of ICT issues that impact the parliamentary departments’ and reports to the Parliamentary Heads of Department Group; and
• the Information Security Working Group which brings together representatives from all parliamentary departments at an operational level to discuss and review shared security risks, security incidents and escalate security issues to the Strategic ICT Group as necessary. The Working Group terms of reference set out that it will meet every two months from February to November, however as discussed in paragraph 2.8 this Working Group had not met within a 12-month period.

2.11 Regular review of governance arrangements, such as the role of committees and the frequency of their engagement, can assist entities in determining if they remain appropriate.

Resourcing of cyber security

2.12 As discussed in paragraph 2.4, DPS has appointed staff to key cyber security roles, including those required by the ISM. DPS’ CIO is a senior executive reporting to the Deputy Secretary and leads Information Services Division (ISD). Within ISD, the CISO is a senior executive leading Cyber Security Branch.

2.13 The department has experienced considerable staff movement in recent years, with both the CIO and CISO commencing in their roles in 2025. As of February 2026, 55 per cent of staff in the Cyber Security Branch had been with the department for less than 12 months. Managing significant turnover in key personnel requires effective processes to preserve institutional knowledge (for example, documentation of key systems, and processes for regularly reviewing risks and treatments), and increases risks that key controls and risks may not be managed consistently.

Identification, documentation and assessment of key systems and requirements

2.14 Designing an effective control environment requires an understanding of the systems and risks requiring management. The PSPF requires that:

A register of the entity’s authorised technology systems is developed, implemented and maintained, and includes the name and position of the Authorising Officer, system owner, date of authorisation, and any decisions to accept residual security risks.²³

2.15 DPS’ registers relating to key systems and information assets are incomplete and not current. The business criticality of key systems is not consistently documented, and there is no central list of critical systems, with available lists having incomplete risk assessments for some systems. DPS did not have processes to assure itself that these registers were complete and accurate or regularly updated.

2.16 As discussed in paragraph 2.8, the ISM specifies controls for ensuring the coordination of cyber security and business objectives. An understanding of the business criticality of systems is important in designing a proportionate control environment, and in understanding the potential impact of an issue affecting the confidentiality, availability or integrity of a system. DPS’ incomplete registers of systems, and associated risk assessments, limit its ability to demonstrate that it has appropriately considered and addressed the business criticality of the systems it maintains, and has designed risk treatments appropriate for these. DPS’ registers and risk assessments also make limited mention of factors unique to its operating environment, such as the interaction with the other parliamentary departments and as a result, the potential presence of information that may be considered to be subject to parliamentary privilege.

2.17 The department’s incomplete documented understanding of its operating environment limits its ability to effectively assess risks associated with key systems and information.

Security risk acceptance and communication

2.18 The PSPF requires that entities approve all technology systems prior to use in the entity.²⁴ The approval process provides an opportunity for entities to consider cyber security risks and design and implement essential cyber security strategies appropriate to address these risks, and ensure that these are communicated and understood.

2.19 DPS conducts risk assessments in relation to authorising new technology systems and for vulnerabilities that cannot be easily patched.²⁵ As discussed in paragraph 2.15 DPS has not completed risk assessments for all systems. The ANAO observed that some risk assessments were not completed in a timely manner and resulted in the department accepting risks above its tolerance. Case Study 1 provides an example of an instance in which earlier consideration of security risks could have provided DPS with opportunities to avoid accepting high levels of risk.

2.20 Where the department has accepted risks above tolerance, it has relied on treatment plans to manage these risks and bring them into compliance. DPS’ processes for managing risks and issues have shortcomings (discussed further in paragraph 2.57) and the treatment plans are not regularly reviewed for currency, with several DPS systems operating with expired approvals to operate. Re-approval of existing systems provides an opportunity to confirm that essential cyber security strategies are effective and remain appropriate. DPS advised the ANAO on 27 February 2026 that it is undertaking work to inventory existing system approvals to identify those systems requiring re-assessment.

Has the Department implemented appropriate essential cyber security strategies?

2.23 As discussed in paragraph 1.6, entities are required to annually self-assess the extent to which they have implemented each of the Essential Eight mitigation strategies. In 2024–25, DPS self-assessed that it had implemented all strategies to the standard required by Maturity Level Two, with risk-managed elements for seven of eight strategies. Where an entity is relying on risk-managed elements to achieve a maturity level, it is assessing that deficiencies in selected controls for a given strategy require mitigation through the implementation of additional controls (for example, additional logging and monitoring controls to detect exploitation of control deficiencies).²⁶

2.24 The ANAO assessed the extent to which DPS had implemented each Essential Eight mitigation strategy (as described in Table 1.1) and where applicable, associated risk-management approaches.²⁷ The DPS’ self-assessment and the ANAO’s assessment are shown below in Table 2.2. DPS was assessed as not meeting Maturity Level Two for seven of eight strategies. The department is relying on risk-management approaches to address the gap between implemented and required controls. For five of eight strategies, these risk-management approaches fell short of the standard required to adequately address risks. The remaining two strategies were assessed as meeting Maturity Level One requirements only.

Table 2.2: DPS and ANAO Essential Eight assessments

Source: DPS PSPF self-assessment 2024–25 and ANAO assessment of DPS cyber strategies.

2.25 Specific considerations behind the ANAO’s assessment for each strategy are discussed further below.

Patch applications and patch operating systems

2.26 DPS self-assessed as risk-managing patching of both applications and operating systems due to the presence of IT systems for which patches are not necessarily available in a timely manner, and for which other controls are required. DPS relies on its vulnerability management process as mitigating control for some systems (see paragraph 2.41).

2.27 DPS’ patch management of its modern environment was more robust but could be improved by strengthening compliance monitoring and processes to remediate identified issues.

Multi-factor authentication

2.28 DPS does not have sufficient assurance that its multi-factor authentication arrangements are appropriate for all systems. For some systems, the technical implementation of multi-factor authentication required improvement. Where systems are not adequately covered by multi-factor authentication, systems may be more vulnerable to unauthorised access.

Restrict administrative privileges

2.29 Selected technical controls regarding management of privileged credentials were identified as not being configured. Additionally, as a result of a management-initiated review, and as part of its PSPF self-assessment, DPS identified that:

• selected controls to prevent privileged accounts from undertaking certain non-privileged activities were not in place;
• removal of privileges after a period of inactivity was subject to a manual process; and
• lack of revalidation of privileged access in components of DPS’ environment.

2.30 These deficiencies in the privileged user management regime increase the risk that privileged accounts may be used inappropriately.

Application control

2.31 DPS self-assessed its use of application control as ‘risk managing’ due to limitations on the scope of controls and the Department’s work to adopt a new application control solution, the implementation of which was in progress.

2.32 DPS had restricted some required functionality relating to application control, however, some controls required by Maturity Level Two had not been fully addressed. These issues may allow certain applications to bypass application control restrictions, increasing the risk that malicious software may be allowed to execute.

Restrict Microsoft Office macros

2.33 DPS has implemented the relevant controls for Maturity Level Two.

User application hardening

2.34 DPS operates some software with known vulnerabilities, and the ANAO identified that some software was misconfigured. According to DPS’ self-assessment, compensating controls were in the process of being finalised and implemented.

Regular backups

2.35 DPS does not maintain a comprehensive, prioritised system inventory. Consequently, it cannot reliably ensure that backup activities are prioritised in accordance with business criticality and business continuity requirements.

2.36 The ANAO identified that DPS had no formal program of disaster recovery testing in place. The department was able to demonstrate restoration of data in a test environment, but had not recently tested disaster recovery arrangements in a production capacity. Regular testing of backup and recovery arrangements is critical to providing assurance that such arrangements will work in a disaster scenario and is a requirement of Maturity Level Two.

Factors affecting implementation

2.37 DPS’ 2024–25 self-assessment identified a number of factors for incomplete implementation of Essential Eight strategies. Key themes included:

• a lack of resources for full implementation of the strategy (seven of eight strategies); and
• the presence of ‘legacy factors’ (such as systems approaching the end of their useful life).²⁸

2.38 Where the ANAO assessed implementation of Essential Eight strategies below Maturity Level Two requirements, the assessment primarily related to deficiencies with the intended compensating controls that DPS relied upon for risk-managed elements of the strategy.

2.39 In January 2026 DPS reported publicly that the parliamentary network may no longer be fit for purpose and does not provide for appropriate segmentation between users.²⁹ The lack of segmentation in the DPS environment increases the potential impact of identified issues, noting the different business, risk and security requirements of the stakeholders DPS supports (see paragraph 2.9).³⁰ In March 2026 DPS sought additional funding to progress a project to segment its network and address associated risks. In the 2026–27 Budget the department received additional resourcing to deliver necessary enhancements for critical information technology systems.

Compensating controls

2.40 For several Essential Eight strategies DPS has placed reliance on two compensating controls; vulnerability management, and logging and monitoring.

Vulnerability management

2.41 DPS makes use of a vulnerability management (VM) platform to conduct regular scans of its environment. The VM platform automatically scans the network and identifies known vulnerabilities. For supported platforms, the VM platform can propose and deploy security patches to address the identified issues. Vulnerability scanning of this nature is a requirement of the ISM and several Essential Eight strategies (specifically patch operating systems and patch applications).

2.42 DPS’ VM measures address the ISM requirements for supported platforms. The DPS environment features systems that are not supported by the VM platform, and systems with identified vulnerabilities. Accordingly, vulnerability management as a compensating control is less effective for these portions of DPS’ environment.

2.43 DPS has technology platforms supporting key business functions that require risk-managed operation due to lifecycle constraints. The department is working to risk assess this infrastructure and renew authorities to operate, however this work is not yet complete. In some instances, risk assessments have been completed but not yet reviewed and accepted by relevant decision-makers, resulting in a default acceptance of risk in the interim. While the department works to address these issues, it is exposed to an increased level of risk and its vulnerability management controls are less effective.

Logging and monitoring

2.44 A Security and Event Management (SIEM) platform collects, centralises and analyses log data from sources within a network or system.³¹ DPS has a SIEM platform in place to support staff in monitoring this data for indicators and trends that may suggest a security incident. Multiple Essential Eight strategies refer to the need to log and monitor events, as this may assist in the detection of both successful and failed attempts to bypass relevant controls. Evidence supporting the effectiveness of the department’s logging and monitoring controls is mixed:

• in simulated threat activities, DPS’ logging and monitoring capability successfully detected the test activities, allowing the department to respond;
• the ANAO has previously identified that some systems have inadequate monitoring, exposing the department to risks regarding unauthorised access; and
• as discussed in relation to vulnerability management, the department has deficiencies in the process for managing vulnerabilities (refer to paragraph 2.43).

2.45 The ability of the department to detect simulated threat activities provides management with some assurance that significant cyber incidents will be identified and mitigated when they occur. However, the absence of a consistent approach to managing identified issues (ensuring that identified problems can be triaged and risk managed), and potential limitations on the scope of systems monitored, increases the likelihood of such an incident occurring.

Does the Department have appropriate assurance as to the effectiveness of their essential cyber security strategies?

2.46 As discussed in paragraph 2.23, entities are required to assess the effectiveness of their essential cyber security strategies as part of their annual PSPF self-assessment. Beginning with the 2024–25 reporting cycle, Home Affairs moved to a compliance-based self-assessment model that ‘emphasises evidence-based compliance, risk outcomes and measurable assurance’.³²

2.47 The PSPF does not provide specific guidance as to the means by which entities might obtain appropriate evidence to support their self-assessment or assure their controls. The ANAO considered the extent to which DPS had established core elements of an assurance regime, as shown in Table 2.3.

Table 2.3: ANAO assessment of DPS’ assurance processes for essential cyber security strategies

Key: ● Effective ◕ Largely effective ◑ Partly effective ◔ Limited effectiveness

Source: ANAO assessment of DPS assurance processes for essential cyber security strategies.

Policy and procedure framework for essential cyber security strategies

2.48 Policies and procedures help provide assurance that activities are performed consistently, and in accordance with management intent, by specifying standards for the performance of controls. Effective security controls are dependent on a sound policy framework approved by management, communicated to staff, and regularly reviewed to ensure currency against emerging threats and changes in the operating environment. Policies also help mitigate risks associated with staff turnover by documenting key information and reducing dependence on assumed knowledge. The PSPF requires that entities develop, implement, and maintain procedures to ensure all elements of the entity’s security plan are achieved.

2.49 Several of DPS’ key cyber security policies and procedures are in draft. In 2025 DPS commenced work to consolidate and finalise all cyber-related policies, this work is ongoing. DPS’ Audit and Risk Committee has requested increased visibility of policy approval status.

2.50 The absence of a current policy and procedure framework, noting the significant staff turnover in DPS’ ICT functions, creates risk that essential cyber security strategies may not be managed consistently and effectively.

Risk assessment and assurance activities

2.51 DPS has undertaken a range of internal reviews, audits, and other exercises to assess and improve its cyber security posture. These include:

• internal audits, with two relevant audits examining the department’s Essential Eight strategies, and cyber security incident management processes, and identifying areas for improvement;
• advisory activities undertaken by the Australian Cyber Security Centre;
• assurance activities performed by contracted cyber security firms; and
• other assurance activities such as the departments’ annual PSPF self-assessment process.

2.52 Many of these activities identified risks, issues and potential improvements. The department’s processes for tracking and implementing these outcomes which are discussed further in paragraph 2.57, could be improved.

PSPF self-assessment

2.53 As discussed in paragraph 2.23, as a non-corporate Commonwealth entity DPS conducts an annual self-assessment of its essential cyber security strategies. The annual self-assessment provides an opportunity for the department to seek its own assurance as to the effectiveness of these strategies and identify potential improvements.

2.54 The ANAO examined the evidence by which DPS self-assessed its essential cyber security controls since 2020–21, and identified inconsistencies in the approach by which these assessments were conducted. For its 2024–25 assessment DPS improved its processes by undertaking testing to verify control effectiveness, as illustrated in Case Study 2.

2.55 Risk assessment and assurance activities are a key tool for management to obtain assurance that cyber security risks are being managed in accordance with an organisation’s risk tolerance.

Tracking and remediation of identified risks and issues through a risk-based approach

2.57 DPS does not have an effective, risk-based approach for tracking and remediating risks and issues relating to essential cyber security strategies. The department does not have a single source of truth for identified risks and issues, and available registers are not complete. The ANAO identified instances in which cyber security risks were assigned to system owners for management of the risk, where those staff had subsequently left the department.

2.58 As discussed in paragraph 2.45, DPS’ processes for managing identified vulnerabilities expose the department to risk. The ANAO examined two risk assessments performed by DPS during 2024–25 and neither assessment demonstrated formal acceptance by a system owner, the CISO, or CIO. While DPS staff responded appropriately in identifying potential vulnerabilities requiring treatment, the absence of a formal process to track and accept identified risks limits management assurance that these processes are occurring effectively.

2.59 As shown in Table 2.2, in 2024–25 DPS self-assessed that it was achieving Maturity Level Two for essential cyber security strategies through risk management. The extent to which risk management processes are embedded and monitored is unclear. DPS’ self-assessment for 2024–25 noted that mitigation treatment plans for several requirements ‘involves finalising and implementing a compensating control process for the entity’, and that a formal guideline would be developed to ‘outline the steps for identifying, applying, and maintaining compensating controls’.

2.60 Each of the department’s PSPF self-assessments since 2020–21 have identified consistent themes as contributing to the need to risk-manage Essential Eight strategies, such as the presence of risk-managed software and other components in the environment. These self-assessments have also referred to plans being in place to address these issues, however resolution of these issues remains in progress.

2.61 DPS advised the ANAO on 27 February 2026 that work is in progress to develop registers of risk treatments and improve monitoring processes and strengthening assurance arrangements to demonstrate risk treatments are effective.

Appendix 1 Entity response

Appendix 2 Improvements observed by the ANAO

1. The existence of independent external audit, and the accompanying potential for scrutiny improves performance. Improvements in administrative and management practices usually occur: in anticipation of ANAO audit activity; during an audit engagement; as interim findings are made; and/or after the audit has been completed and formal findings are communicated.

2. The Joint Committee of Public Accounts and Audit (JCPAA) has encouraged the ANAO to consider ways in which the ANAO could capture and describe some of these impacts. The ANAO’s corporate plan states that the ANAO’s annual performance statements will provide a narrative that will consider, amongst other matters, analysis of key improvements made by entities during a performance audit process based on information included in tabled performance audit reports.

3. Performance audits involve close engagement between the ANAO and the audited entity as well as other stakeholders involved in the program or activity being audited. Throughout the audit engagement, the ANAO outlines to the entity the preliminary audit findings, conclusions and potential audit recommendations. This ensures that final recommendations are appropriately targeted and encourages entities to take early remedial action on any identified matters during the course of an audit. Remedial actions entities may take during the audit include:

• strengthening governance arrangements;
• introducing or revising policies, strategies, guidelines or administrative processes; and
• initiating reviews or investigations.

4. During the audit, DPS undertook a new risk assessment of systems to identify vulnerabilities and inform future actions. DPS provided the ANAO with documentation demonstrating it had been developing designs and business cases for options to improve its ICT architecture and control environment, including segmenting users into separate environments. The department also advised the ANAO it was continuing to roll out an education program for its staff to improve cyber security awareness.