Australian Information Security Audit Report July 4 2019
One of the reasons for this result was that, despite having a fit-for-purpose cyber security risk management framework, the government-owned corporation had “not met the requirements of its framework”. Specifically, Australia Post has “not effectively managed cyber security risks”, having not undertaken a “detailed security risk management assessment” on the two systems for two years.
“Australia Post has not met the requirements for ICT controls in its framework, having not implemented all specified key controls, and as a result has rated the overall cyber risk as significantly above its defined tolerance level,” the Australian National Audit Office (ANAO) said.
Details are contained in the ANAO audit of cyber resilience published on 4 July 2019.