The Australian Signals Directorate’s ‘Essential Eight’ strategies to mitigate cyber security incidents should be mandatory for federal government departments and agencies, the report of a parliamentary inquiry has recommended.
Federal parliament’s Joint Committee of Public Accounts and Audit today released the report of its inquiry based on Australian National Audit Office (ANAO) scrutiny of information security arrangements at the Australian Taxation Office (ATO), the Department of Human Services (DHS) and the Department of Immigration and Border Protection.
The ANAO audit found that although all three had improved their security arrangements since a 2014 investigation by the office, only DHS could be considered “cyber resilient”.
Today’s report recommended that the Essential Eight should be made mandatory by June 2018 for entities covered by the Public Governance, Performance and Accountability Act 2013.
The ASD published the Essential Eight in February; the strategies build on the organisation’s Top 4 security mitigation strategies. The Top 4 have been mandatory for federal agencies since a 2013 update to the government’s Protective Security Policy Framework.
The Essential Eight are application whitelisting, patching of applications, limiting Microsoft Office macros, user application hardening, the restriction of admin privileges, patching of operating systems, the use of multi-factor authentication, and daily backups.
The joint committee’s report also expressed concern that participation in the government’s Internet Gateway Reduction Program is not mandatory. The program should be mandatory for government departments and agencies, the report states.
The Digital Transformation Agency is currently reviewing the IGR Program and the committee called on the DTA to report to it on the review’s outcomes.
The full report is available online.