Fed govt cyber resilience unchanged since last year: auditor

Only one of the 18 largest departments and agencies across government recently examined by the national auditor has fully implemented the 'Essential Eight' cyber security controls.


The remaining 17 agencies reported either ‘ad-hoc’ or ‘developing’ levels of maturity with the controls – the lowest possible score under the metric – or incorrectly self-assessed as having a ‘managing’ maturity level.


The Essential Eight is a series of baseline cyber security mitigation strategies and a maturity model recommended by the federal government. It encompasses four 'top' controls, which are mandatory for non-corporate Commonwealth entities.


The findings are contained in the 2020 interim financial controls audit of major entities, which reviewed the implementation of Essential Eight with a focus on core financial and HR systems.


The audit – which was released just prior to revelations the government will mandate the Essential Eight – looked at the 2019-20 'Policy 10' self-assessments of 18 agencies, including the Department of Defence, Services Australia and the Australian Taxation Office.


Policy 10 – part of the protective security policy framework (PSPF) – requires entities to achieve a maturity level of ‘managing’, which the Australian National Audit Office (ANAO) said is equivalent to Essential Eight maturity level three.


An agency is considered to have achieved the 'managing' maturity when it has implemented all of the 'top four' cyber security controls and has considered the remaining four voluntary controls.


While three agencies were found to have “significantly improved” their maturity since the 2019-20 report, the ANAO said “most ..
