The Cth Attorney-General’s Department released its 2017-2018 Protective Security Policy Framework (PSPF) Compliance Report this week. It reports that almost 40% of agencies had still not fully implemented the Australian Signals Directorate’s (ASD’s) top four (mandatory) cyber mitigation strategies, which ASD assesses as mitigating at least 85% of the techniques used in targeted cyber intrusions.
Cth agencies have had since April 2013 to implement these mandatory controls, but 40% of agencies haven’t yet fully implemented them! In fact the number of agencies compliant with the top four controls has barely improved over the last three years.
This is notwithstanding recent efforts by ASD to uplift the cyber posture of 25 agencies in the wake of the state-sponsored cyber attack against Parliament House, which has been labelled Australia’s “first national cyber crisis”.
INFOSEC-3 and INFOSEC-4 are the two mandatory requirements that appear to be the biggest challenge for agencies to implement. INFOSEC-3 requires entities to implement policies and procedures for the security classification and protective control of information assets (in electronic and paper-based formats) which match their value, importance and sensitivity. INFOSEC-4 requires entities to document and implement operational procedures and measures to ensure information, ICT systems and network tasks are managed securely and consistently, in accordance with the level of required security. This includes implementing the mandatory ‘Strategies to Mitigate Targeted Cyber Intrusions’ as detailed in the Australian Government Information Security Manual.
What makes these stats even more concerning is that the Australian National Audit Office found some agencies were non-compliant with some controls despite self-reporting as being compliant (refer to the ANAO’s 2017 cyber security audit report).
From 2018–19, entities will report on their PSPF implementation using a security maturity model to assess the maturity of their protective security practices instead of a compliance model.
These controls are also relevant to NSW government agencies. The NSW Cyber Security Policy, among other things, requires agencies to assess and report their maturity against not just the top four mandatory controls, but all eight of ASD’s mitigation strategies (referred to as the “Essential Eight”).