This audit assessed selected agencies’ compliance with the four mandatory information and communications technology (ICT) security strategies and related controls in the Australian Government Information Security Manual.
Modern information and communications technology (ICT) and the Internet are increasingly relied upon by Australian Government agencies as business enablers, to the mutual benefit of government and the community. Benefits include improved access to government services and more cost‑effective administration.
In this context, the protection of ICT systems and information is a key responsibility of government agencies. It includes preventing unauthorised access both by outsiders seeking to exploit the Internet and by insiders seeking to misuse their trusted status. Unauthorised access to, and misuse of, government information is an international issue which can affect, amongst other things, national security, the economy, personal privacy, and the integrity of data holdings. The Australian Government has established a protective security framework and identified ICT-specific risk mitigation strategies and related controls which provide a basis for agencies’ management of risks to their ICT systems and information. Four key mitigation strategies—intended to control access to ICT systems and apply timely security upgrades—were mandated by the Australian Government in January 2013, and agencies are expected to achieve full compliance with those strategies by July 2014.
The agencies subject to audit had established internal information security frameworks, implemented controls designed to safeguard the enterprise ICT environment from external cyber attack, and had stipulated change management processes to authorise the implementation of security patches for applications and operating systems. While these arrangements contributed to the protection of agency information, the selected agencies had not yet achieved full compliance with the top four mitigation strategies mandated by the Australian Government in 2013, a requirement that reflects heightened government expectations in response to the risk of cyber attack. Further, none of the selected agencies is expected to achieve full compliance by the Government’s target date of mid-2014, notwithstanding their advice regarding further initiatives which, when implemented, would strengthen ICT security controls and protection against cyber attacks.
Based on their stage of implementation of the top four mitigation strategies and IT general controls, the selected agencies’ overall ICT security posture was assessed as providing a reasonable level of protection against breaches and disclosures of information from internal sources, while vulnerabilities to attacks on agency ICT systems from external sources remained. In essence, agency processes and practices have not been sufficiently responsive to the ever-present and ever-changing risks to which government systems are exposed.
In the context of working towards compliance with the mandated requirements, it is important that agencies develop a timetable and process to guide implementation in the following key areas:
- deploy the top four mandated ISM controls across the entire ICT environment, to comply fully with Australian Government requirements;
- adhere to a security patch management strategy and deploy security patches in a timely manner, commensurate with assessed risk and using the Australian Signals Directorate’s deployment timeframes for vulnerability and patch risk rating;
- restrict privileged user access accounts based on the level of sensitivity of the information; and strengthen access controls to capture and monitor the audit logs for unauthorised access to privileged accounts, and inappropriate activities by privileged users; and
- promote security awareness and accountability within the agency, recognising that security is a shared responsibility.
The growth in cyber attacks indicates that an agency’s ICT security posture—in essence, how well the agency is protecting itself against external vulnerabilities and intrusions and against internal breaches and disclosures, and how well it is positioned to address emerging threats—is increasingly a matter for senior management attention, including agencies’ boards of management. Periodic assessment and review of an agency’s overall ICT security posture by the agency security executive can provide additional assurance of an agency’s resilience to cyber attacks.
The ANAO has made three recommendations aimed at improving the selected agencies’ approaches to the protection and security of information which they manage. The recommendations are likely to have applicability to other Australian Government agencies.