Every “Key Risks of (Insert Year)” list for the last couple of years has had cyber risk high among the issues that we all need to consider.

Consequently, when a good report comes out on the topic, it is well worth reading to see whether the rhetoric matches action within organisations.

It is in this context that a recent report of the Australian National Audit Office (ANAO) is a valuable contribution to the approach to reviewing such areas.

The ANAO report looked at a number of Australian Government agencies and departments, selected on the character and sensitivity of the information each organisation primarily manages. The agencies of focus were:

[Screenshot from the ANAO report listing the agencies of focus; image not reproduced here]

The organisations were assessed against the four mandatory ICT security strategies and related controls in the Australian Government Information Security Manual (ISM).

Based on the ISM, the current top four mitigation strategies are:

  • application whitelisting: designed to protect against unauthorised and malicious programs executing on a computer. This strategy aims to ensure that only specifically selected programs can be executed;
  • patching applications: applying patches to applications and devices to ensure the security of systems;
  • patching operating systems: deploying critical security patching to operating systems to mitigate extreme risk vulnerabilities; and
  • minimising administrative privileges: restricting administrative privileges provides an environment that is more stable, predictable, and easier to administer and support as fewer users can make changes to their operating environment.

The findings of the ANAO review are summarised as:

The agencies subject to audit had established internal information security frameworks, implemented controls designed to safeguard the enterprise ICT environment from external cyber attack, and had stipulated change management processes to authorise the implementation of security patches for applications and operating systems.

While these arrangements contributed to the protection of agency information, the selected agencies had not yet achieved full compliance with the top four mitigation strategies mandated by the Australian Government in 2013; a requirement reflecting heightened government expectations in response to the risk of cyber attack.

Further, none of the selected agencies are expected to achieve full compliance by the Government’s target date of mid-2014, notwithstanding their advice regarding further initiatives which, when implemented, would strengthen ICT security controls and protection against cyber attacks.

Most damning, it was noted:

In essence, agency processes and practices have not been sufficiently responsive to the ever-present and ever-changing risks that government systems are exposed to.

The report contains an interesting visual representation of where the relevant agencies sit. Firstly, it is important to understand the criteria that were used:

[Screenshot from the ANAO report showing the assessment criteria; image not reproduced here]

Based on this the following summary assessment was made of the agencies’ compliance with the top four mandatory strategies and related controls and overall ICT security posture:

[Screenshot from the ANAO report summarising each agency’s compliance with the top four strategies and overall ICT security posture; image not reproduced here]

A similar representation could be used within organisations to demonstrate where on the continuum of cyber security awareness and preparedness specific departments sit.
