Report
Defence’s management of ICT systems security authorisations
Description
This audit was conducted to provide assurance to the Australian Parliament on Defence’s arrangements for the management of its ICT systems authorisations. It found the current arrangements have been partly effective.
Malicious cyber activity represents a key risk for Defence. The Defence Security Principles Framework (DSPF) requires that all Defence ICT systems must be authorised prior to processing, storing or communicating official information and provides for system authorisation decisions to be escalated to more senior personnel based on the system’s assessed residual risk level.
Findings
- Arrangements for system authorisation have not been regularly reviewed and do not reflect current Protective Security Policy Framework (PSPF) requirements.
- Reporting did not comply with DSPF requirements, omitted key system authorisation data, and indicated a more optimistic outlook than was reflected in other Defence documentation.
- Defence did not comply with the PSPF and DSPF system authorisation requirements for the five case studies examined in the audit.
Recommendations
There were eight recommendations aimed at improving:
- the review and update of assessment arrangements
- training
- the quality of supporting information
- assurance and reporting arrangements
- compliance with authorisation requirements.
Publication Details
ISBN: 978-1-76033-959-3
Copyright: Commonwealth of Australia 2024
License type: CC BY
Access Rights Type: open
Post date: 12 Sep 2024
