The ANAO decided to conduct this fourth audit of entities’ management of cyber risks recognising ongoing parliamentary interest (including enquiries by the Joint Committee of Public Accounts and Audit) and the level of non-compliance with mandatory requirements identified in previous audits. In Report 467: Cybersecurity Compliance, the Joint Committee of Public Accounts and Audit recommended that the ANAO outline the behaviours and practices it would expect in a cyber resilient entity and assess against these.
The objective of the audit was to assess the effectiveness of the management of cyber risks by the Department of the Treasury, National Archives of Australia and Geoscience Australia.
The audit criteria were:
- do entities have effective arrangements in place for managing cyber risks;
- do entities monitor and report against cyber security deliverables; and
- were entities cyber resilient, with a culture of cyber resilience?
As with the ANAO’s previous audits of cyber security, this audit identified relatively low levels of effectiveness among Commonwealth entities in managing cyber risks, with only one of the three audited entities compliant with the Top Four mitigation strategies. None of the three entities had implemented the four non-mandatory strategies in the Essential Eight, and all were largely at early stages of considering and implementing them. These findings provide further evidence that the implementation of the current framework is not achieving compliance with cyber security requirements, and needs to be strengthened.