A review of public sector cybersecurity by the national audit office has found Australia Post needs to improve its digital security. Currently it “has not effectively managed cyber security risks” and failed to meet the requirements of its own cyber security risk framework.
The two other organisations included in the review by the Australian National Audit Office, the Reserve Bank and naval ship builder ASC, were found to have effectively managed cyber security risks.
ANAO is presenting a series of reviews of public sector entities, the latest focusing on three corporate entities — independent bodies but still subject to Parliament’s national auditor.
The review, released last week, found all three bodies had a “fit for purpose cyber security risk management framework” but, unlike the Reserve Bank and ASC, Australia Post had not met its framework because it had not implemented all specified controls, harming its resilience to an external attack.
“The Reserve Bank and ASC are cyber resilient, with high levels of resilience compared to 15 other entities audited over the past five years. Australia Post is not cyber resilient but is internally resilient, which is similar to many of the previously audited entities,” the ANAO report said.
In response to the findings, Australia Post has agreed to conduct risk assessments of all its critical assets where it has not already done so and immediately address any “extreme risks” to the assets or associated databases.
The postal service says this process is already underway, noting in its report response, “Australia Post has clear oversight of its critical asset infrastructures and has prioritised actions under a program of work already underway to address this recommendation.
“This will involve conducting risk assessments for critical assets not yet assessed, updating assessments for those already assessed, and taking immediate action to address any concerns that are identified.”
Not up to code
As a corporate Commonwealth entity, Australia Post is not required to apply the Protective Security Policy Framework as non-corporate government entities are, although the review showed the RBA and ASC have successfully applied the framework despite also being corporate Commonwealth entities.
According to the ANAO, better practice for Australia Post is to apply the “Top Four and other Essential Eight mitigation strategies” in the Australian Government Information Security Manual. The audit found the RBA and ASC have also mostly met those criteria, including the Top Four mitigation strategies.
Australia Post, however, “has not fully implemented controls in line with either the Top Four or the four non-mandatory strategies in the Essential Eight.”
The RBA and ASC’s relatively high cyber resilience also fares well compared with the 15 other public sector entities the ANAO has so far audited, according to the report.