Geo Focus: Asia , Geo-Specific , Governance & Risk Management

Audit Reveals Flaws in Australian Agencies' Cyber Practices

AUSTRAC, Services Australia Told to Fix Critical Holes in Incident Response Plans
Audit Reveals Flaws in Australian Agencies' Cyber Practices
Services Australia's Centrelink portal (Image: Shutterstock)

The Australian National Audit Office said the nation's financial crimes watchdog and the social services provider to millions of citizens have "partly effective" capabilities to investigate, monitor and respond to cybersecurity incidents.

See Also: The Compromised Identity in Healthcare

The government audit agency said the Australian Transaction Reports and Analysis Center and Services Australia displayed middling capability in designing and implementing incident management procedures or implementing effective incident management recovery practices to mitigate disruptions to operations.

AUSTRAC is the federal government's anti-money laundering and counterterrorism financing regulator and financial intelligence unit. It regulates over 17,000 businesses that provide financial, gambling, bullion, remittance and digital currency exchange services. Services Australia provides Medicare, child support and Social Security payments and services to millions of citizens.

ANAO said the two government bodies have cybersecurity incident management and response procedures in place, but they still have some distance to cover to become "cyber exemplars" as they process and store some of Australia's most sensitive data to support the delivery of essential public services.

ANAO said it audited the two agencies' cybersecurity practices and procedures to determine their readiness as outlined by the government's 2023-30 Australian Cyber Security Strategy that mandates a forecasting approach to improve government agencies' cyber resilience.

The government plans to spend AU$587 million on the strategy in a bid to convert Australia into a "world leader in cybersecurity" by the end of this decade (see: Australia Unveils AU$587M Strategy to Defeat Cybercrime).

The government audit found that Services Australia has designed an incident response plan and a framework of procedures but lacks a documented approach to threat and vulnerability assessments and a policy to cover cybersecurity incident management.

The agency said the Social Security and Medicare payments provider implemented a security information and event management solution and an approach to monitor and prioritize alerts, but it lacks a time frame for triage and escalation activities, a process to analyze archived SIEM data, and an approach for cybersecurity investigations.

ANAO also found serious loopholes in Service Australia's data backup and recovery strategy. It said the agency has partly implemented a recovery process to mitigate post-incident disruptions and has put in place business continuity and disaster recovery plans, but its plans "do not include all systems and applications supporting critical business processes and it does not test the recoverability of backups."

A Services Australia spokesperson told Information Security Media Group that the agency welcomes the ANAO's audit, agrees to the recommendations and will use them as a guide to strengthen its policies, processes and procedures for responding to incidents.

"We're pleased the ANAO concluded our cybersecurity incident response procedures are largely effective," the spokesperson said. "Our 24/7 cybersecurity measures protect the data of millions of Australians and help us safely deliver over 1.1 billion online transactions each year. Our highest priority is ensuring our ICT systems are robust and reliable, meeting the needs and expectations of the Australian community."

The agency said its security operations center continues to prioritize the management of cyber vulnerabilities and risks, implementing effective protective security controls, and improving operational resilience through effective threat detection and robust response capabilities.

"We're one of the critical points for cybersecurity across government and our focus areas and investments align with the Australian Government's Data and Digital Government Strategy. We'll continue to share intelligence about the cyberthreat landscape with the Australian Cyber Security Center, Australian Signals Directorate and Cyber Security Response Coordination Unit," the spokesperson said.

ANAO also found several inconsistencies in anti-money laundering watchdog AUSTRAC's incident readiness and response plans. Some of the issues are the agency's failure to document the chief information security officer's assigned responsibilities and cybersecurity incident meetings and the failure to define time frames for reporting to relevant stakeholders.

The audit office also found that AUSTRAC does not have an event logging policy and does not document its analysis of all cybersecurity events, and its incident recovery processes do not take into account the security and testing of backup solutions or the systems, applications and servers that support critical business processes.

About the Author

Jayant Chakravarti

Jayant Chakravarti

Senior Editor, APAC

Chakravarti covers cybersecurity developments in the Asia-Pacific region. He has been writing about technology since 2014, including for Ziff Davis.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.