Australian Audit Report September 25 2020

ANAO finds Services Australia lacking in cyber and cost aspects of WPIT

Services Australia did not apply an appropriate framework to manage cyber security risk.

ANAO Services Australia Audit Report: System Redevelopment — Managing Risks While Planning Transition
Reported in: ANAO finds Services Australia lacking in cyber and cost aspects of WPIT | ZDNet
More reports from ZDNet.

Key InfoSec Finding: “Services Australia had largely appropriate arrangements to manage risks to operating the welfare payment system. Services Australia established and maintained a risk management framework at the entity and group levels that applied to various elements of the welfare payment system. Payment correctness and system availability risks were managed. Services Australia did not apply an appropriate framework to manage cyber security risk, and did not monitor the cost of operating the system.”

Australian National Audit Office (ANAO) on Thursday handed down its examination of the Services Australia Welfare Payment Infrastructure Transformation (WPIT) program, finding the agency had “largely appropriate arrangements” in many areas, but was lacking on the cyber and cost monitoring fronts.

Kicked off in 2015, WPIT was originally slated to cost around AU$1.5 billion and run from 2015 to 2022, with one of the core reasons for the program being to replace the then-30-year-old Income Security Integrated System (ISIS).

On the cyber front, the report found there were no cybersecurity plans specific to each element of the system.

“However, Services Australia self-assessed that it ‘has measures in place for the underpinning components including monitoring of vulnerabilities and appropriate patching, monitoring of system administrative and privileged access, and penetration testing of outward facing systems’,” the ANAO wrote.