ATO, Dept of Immigration wrist-slapped for failing security audit, again
Both promise to implement mandatory controls real soon now
At least two Australian government departments, the Department of Immigration and Border Protection (DIPB) and the Australian Tax Office (ATO), have inadequate security, according to a parliamentary committee report published yesterday.
How far behind? They haven't even managed compliance with the top four of the Australian Signals Directorate's “Essential Eight” threat mitigation strategies.
Those four strategies, mandatory for all government organisations, are application whitelisting, patching systems, using the latest application and operating system versions, and restricting admin privileges.
The new report, by the Joint Committee of Public Accounts and Audit, was a follow-up to an Australian National Audit Office (ANAO) report published in March 2017. It's therefore unsurprising that the committee writes:
The Committee is most concerned that the audit found that the ATO and DIBP are still not compliant with the mandatory ‘Top Four’ mitigation strategies (in the Australian Government’s Information Security Manual) and are not cyber resilient.
The ATO reported itself to be compliant with three out of the four strategies; the committee said that was optimistic and trimmed it to two; the DIPB had its three-out-of-four cut to just one.
Oh, and the target date for compliance was 30 June 2014.
The ATO promises to be compliant by November 2017, a leaf from the DIPB's book, which promised compliance by December 2016, but now “could not provide a date for when full compliance with all of the Top Four mitigation strategies would be achieved”.
Given the gap between self-assessment and reality, the committee also wants the ANAO to audit departments' self-assessment process. ®