
Audit: Fed govt cyber resilience unchanged since last year: auditor | iTnews

Australian Audit Fail June 10 2021
Australian National Audit Office (ANAO) finds cyber resilience unchanged since last year
Only one of 18 agencies audited hits Essential Eight baseline.
Australian National Audit Office: Interim Report on Key Financial Controls of Major Entities
Reported in: Fed govt cyber resilience unchanged since last year: auditor | iTnews
The audit, which was released just prior to revelations the government will mandate the Essential Eight, looked at the 2019-20 ‘Policy 10’ self-assessments of 18 agencies, including the Department of Defence, Services Australia and the Australian Taxation Office.
Policy 10 – part of the protective security policy framework (PSPF) – requires entities to achieve a maturity level of ‘managing’, which the Australian National Audit Office (ANAO) said is equivalent to Essential Eight maturity level three.
An agency is considered to have achieved the ‘managing’ maturity when it has implemented all of the ‘top four’ cyber security controls and has considered the remaining four voluntary controls.
While three agencies were found to have “significantly improved” their maturity since the 2019-20 report, the ANAO said “most entities were still significantly below the ‘policy 10’ requirements”.
The ANAO said the lowest level of compliance continues to be with the mandatory patching applications control, followed by the non-mandatory multi-factor authentication and user application hardening controls.