Geoscience Australia says it has developed a new strategy to implement key cyber security mitigation strategies.
The organisation said its ‘Security Improvement Program’ (SIP) is internally funded and scheduled for completion in June 2020. That program includes application whitelisting, a focus on application and OS patching, and restricting administrative privileges on its systems — which together comprise the ‘Top 4’ mandatory security measures developed by the Australian Signals Directorate (ASD).
In addition, Geoscience Australia said it will take a “risk based approach” and employ an ASD-developed maturity model when implementing the other measures that, together with the Top 4, comprise the so-called ‘Essential Eight’ (locking down Microsoft Office macro settings, user application hardening, implementing multi-factor authentication, and daily backups of critical information).
The efforts to strengthen the agency’s security posture followed an audit released in mid-2018 that concluded Geoscience Australia was “vulnerable to cyber attacks” and had failed to implement any of the ASD’s Top 4.
The Top 4 have, in theory, been mandatory for Commonwealth entities since April 2013. According to the ASD, the strategies are capable of preventing 85 per cent of the security incidents it responds to.
The Geoscience Australia SIP also covers vulnerability management, governance and architecture, people and culture, and technical controls.
The organisation has upgraded its workstation endpoint security software and is trialling a new service to monitor the use of cloud services and file sharing. It has also launched an email sandboxing proof of concept.
National Archives develops cyber security roadmap
The audit also found flaws at the National Archives of Australia, which has since developed a cyber security resilience framework and a roadmap to strengthen security.
“The framework will underpin a secure, stable and contemporary ICT environment that supports the business of the National Archives,” according to the organisation.