
Sunday, March 21, 2021

It Seems The Government Could Do A Lot Better With Cyber Security, And Needs To!

This appeared a day or so ago.

ANAO finds two government departments inaccurately self-reported cyber compliance

The Audit Office report shows the Attorney-General's Department and Department of the Prime Minister and Cabinet did not accurately self-report full implementation of one or more Top Four mitigation strategies.

By Asha Barbaschow | March 19, 2021 -- 05:53 GMT (16:53 AEDT) | Topic: Security

The Australian National Audit Office (ANAO) has published its findings of an investigation into the effectiveness of cybersecurity risk mitigation strategies implemented by seven government entities, declaring none have fully implemented all the mandatory benchmarks.

The Attorney-General's Department (AGD); Australian Trade and Investment Commission (Austrade); Department of Education, Skills, and Employment; Future Fund Management Agency; Department of Health; IP Australia; and Department of the Prime Minister and Cabinet (PM&C) were all under the microscope.

The Australian Signals Directorate (ASD) and Department of Home Affairs (DHA) were also probed by ANAO, but they were not included in this assessment. Instead, they were examined only in their roles as cyber policy and operational entities.

Since 2013, non-corporate Commonwealth entities have been required to undertake an annual self-assessment against the Top Four strategies, which are mandated by the AGD's Protective Security Policy Framework (PSPF). Entities report their overall compliance with mandatory requirements to AGD.

The Top Four are: Properly implementing application whitelisting, patching applications, patching operating systems, and restricting administrative privileges.

In addition to none of the seven entities implementing all of the mandatory Top Four mitigation strategies, ANAO found that of the three entities that had self-assessed full implementation for one or more of the mitigation strategies in their 2018-19 PSPF assessment, PM&C and AGD had not done so accurately.

Lots more detail here:

https://www.zdnet.com/article/anao-finds-two-government-departments-inaccurately-self-reported-cyber-compliance/

The main finding to me was that none of the entities – including the Department of Health – had been given a clean ‘bill of health’.

Amusingly, but rather sadly, both the Prime Minister’s Department and Attorney General’s Department seem to have claimed compliance that was not present i.e. they were fibbing about their status.

Here is the direct link to the Report:

Cyber Security Strategies of Non-Corporate Commonwealth Entities

Published: Friday 19 March 2021

https://www.anao.gov.au/work/performance-audit/cyber-security-strategies-non-corporate-commonwealth-entities

Two parts are especially interesting to me.

First the Overall Summary Conclusion:

Conclusion

13. The implementation of cyber security risk mitigation strategies by selected non-corporate Commonwealth entities under this audit was not fully effective. The selected entities have not met all mandatory requirements of PSPF Policy 10 in safeguarding information from cyber threats. While the three cyber policy and operational entities have provided more support to entities to meet the mandatory PSPF Policy 10 requirements following Auditor-General Report No.53 2017–18 Cyber Resilience, additional ongoing work will be required to assist entities in achieving a more mature and resilient cyber security posture.

14. None of the seven selected entities examined have fully implemented all the mandatory Top Four mitigation strategies. For the three entities that had self-assessed full implementation for one or more of the Top Four mitigation strategies in their 2018–19 PSPF assessment, two had not done so accurately. None of these three entities were cyber resilient. Five of six selected entities that had self-assessed to have not fully implemented any of the Top Four mitigation strategies have established strategies and implemented activities to manage their cyber risks and to progress toward a ‘Managing’ maturity level for PSPF Policy 10.

15. The cyber policy and operational entities have worked together to provide more guidance following Auditor-General Report No.53 2017–18 Cyber Resilience to support non-corporate Commonwealth entities’ self-assessment of their implementation of cyber security requirements under the PSPF. There is scope to further improve the accuracy of entities’ PSPF Policy 10 assessments and strengthen arrangements to hold entities to account for the implementation of cyber security mandatory requirements. Robust accountability arrangements are particularly important in the absence of public accountability through reporting to the Parliament.

----

In non-ANAO-speak, I hear the Office saying: you are all not trying hard enough!

Second, on the Health Department:

Department of Health

The Department of Health (department) acknowledges the methodology and approach taken by the Australian National Audit Office (ANAO).

The department’s Essential Eight Program is underway to uplift the maturity levels of its Essential Eight mitigation strategies by December 2021.

The department has a governance framework in place that ensures appropriate visibility of the Essential Eight program by the Senior Executive and the Audit and Risk Committee.

The department continues to work closely with the Australian Cyber Security Centre (ACSC) to improve its ability to detect and respond to a cyber-security incident.

----

In clear language: we really are not in that much of a hurry to get this sorted!

I wonder how long it will be before we see a really serious wake-up call! The stuff the ANAO is asking for is hardly rocket science or cutting edge!

David.


2 comments:

ADHA Staffer said...

Fully agree with your closing remark David. An indifference to deploying acceptable IT practices along the way to best practice demonstrates poor leadership at all levels and a disregard for the protection of public assets.

This lying is not isolated to cyber, it is common across information management obligations. The ANAO would do well to conduct the same assessments against the NAA information and record keeping surveys. I think we would uncover more fibbing and sloppy senior management practices. If you cannot manage the creation, storage and use of information then cyber security is pointless.

Seems there is plenty of willingness to invest in senior management salaries but little appetite to protect public information assets.

G. Carter said...

It is quite baffling considering the enormous resources the government has at its disposal. I guess Peter Dutton has no influence and prefers to spend his time bullying our trans-Tasman friends.

Makes you wonder how much is kept secret regarding Service Australia and ADHA health Infrastructure operations.