Cyber Resilience of Government Business Enterprises and Corporate Commonwealth Entities
SCALE
-
-
Since 2013–14 (…) audits identified that only four entities (29 per cent) had complied with mandatory government requirements for information security, and that the regulatory framework had not driven sufficient improvement in cyber security.
COMPLIANCE FOCUS
-
-
Protective Security Policy Framework
-
-
Australian Government Information Security Manual
-
-
National Institute of Standards and Technology (NIST) Cybersecurity Framework
-
-
ISO/IEC 27002 Information technology - Security techniques - Code of practice for information security controls
-
-
Payment Card Industry Data Security Standard
PERFORMANCE ASPECT
-
-
management of cyber security risks
-
-
mitigation strategies
-
-
culture of cyber security resilience
Australia Post has not met the requirements of its framework, having not implemented all specified key controls (…) not fully implemented controls in line with either the Top Four or the four non-mandatory strategies in the Essential Eight [mitigation strategies in the Australian Government Information Security Manual].
(DRAFT audit matrix)
Australia Post also has a Risk Appetite Statement that states it supports: ‘a highly secure environment and will not tolerate data security incidents resulting in material theft, loss or corruption of business or confidential internal and customer data.’ (…) While Australia Post has identified its critical ICT assets, it has not documented the threats, risks and mitigations against all critical assets. Further work is required by Australia Post to validate the level of exposure and protection required across its critical assets.
(DRAFT audit matrix)
All three entities monitor for the presence of cyber security incidents, both internal and external. The ICT security team in each entity is responsible for notifying staff when there is a heightened threat of a cyber security incident. Any incidents are to be investigated by the ICT security team to determine the root causes; after which remediation plans are to be developed and communicated to internal stakeholders. The Reserve Bank was proactive in its approach to security incidents and has implemented mitigation strategies to reduce the risk of incidents occurring. For example, the intelligence function within the ICT security team had identified potential concerns with a ransomware attack (WannaCry), and implemented controls to detect and prevent the threat. Similarly, all entities communicated the concerns to its staff and provided guidance on how to respond to attacks arising from the breach. All entities also assessed the impact on its environment and where required, extended investigations and discussions to external stakeholders to limit the exposure.
Australia Post has no application whitelisting controls in place to block unauthorised applications from executing on its corporate desktop or server environments. Australia Post had assessed the associated risks and determined that application whitelisting controls would not be suitable for operations within particular environments, such as its corporate desktop and server environments. (…) Australia Post has implemented some other controls to mitigate risks. However, the ANAO’s testing of these mitigating controls found that they were not directly applicable to the threats faced and did not provide sufficient coverage, protection or monitoring of the security vulnerabilities in applications.