The Department of Parliamentary Services (DPS) provides essential services to the Australian Parliament. In 2019 DPS was subject to a high-profile cyber security incident, and cyber security remains a top priority for the department. DPS provides IT services to users with differing business and security needs. This audit provides independent assurance to the Parliament on whether DPS has an effective baseline of cyber security strategies to mitigate cyber security risks.

The ANAO made two recommendations to improve governance arrangements, and prioritise and implement measures to address known cyber security risks. DPS agreed to all recommendations. Instances of good practice identified in the audit may be relevant for the operations of other Australian Government entities.

Key findings

• At the time of the audit, DPS had a partly effective baseline of essential cyber security strategies.
• Governance processes for cyber security were established but risk assessment, acceptance and communication were of limited effectiveness.
• DPS had an outdated policy framework and shortcomings in tracking and assessing areas for improvement. It had limited ability to apply controls and governance for some of the users it supports.