The Australian Government’s ability to effectively and efficiently deliver its functions relies on government entities prioritising information security. If government information systems can be accessed by intruders, this could compromise the financial and identity security of individuals and the commercial interests of corporations. A secure cyberspace supports online activities for individuals, business and the public sector. Cyber resilience is an entity’s ability to continue providing services while deterring and responding to cyber intrusions. Cyber resilience also reduces the likelihood of cyber intrusions that threaten Australians’ privacy and Australia’s social, economic and national security interests.
Three corporate entities were included in this audit: Australian Postal Corporation (Australia Post) and ASC Pty Ltd (ASC), both government business enterprises; and the Reserve Bank of Australia (Reserve Bank), a corporate Commonwealth entity. These entities were selected based on the character and sensitivity of the information collected, stored and reported — including that the entities manage critical infrastructure or systems of national interest.
Despite the importance of cyber security in safeguarding the Australian Government’s digital information, there have been ongoing low levels of cyber resilience in non-corporate Commonwealth entities and weaknesses in the regulatory framework for ensuring compliance with mandatory cyber security strategies. This audit was undertaken to enable comparison with government business enterprises and corporate Commonwealth entities, and to provide information to help strengthen the regulatory framework and improve the cyber resilience of Commonwealth entities. In line with the requirements for performance audits of government business enterprises under the Auditor-General Act 1997, the Joint Committee of Public Accounts and Audit provided approval for the Australian National Audit Office (ANAO) to examine the cyber resilience of Australia Post and ASC.
The audit objective was to assess the effectiveness of the management of cyber security risks by Australia Post, ASC and the Reserve Bank.
To form a conclusion against this objective, the ANAO adopted three high-level criteria:
- Have entities managed cyber security risks in line with their own risk arrangements?
- Have entities managed cyber security risks in line with key aspects of the Information Security Manual?
- Do entities have a culture of cyber security resilience?