House debates

Wednesday, 9 December 2020

Committees

Public Accounts and Audit Committee; Report

6:52 pm

Lucy Wicks (Robertson, Liberal Party)

On behalf of the Joint Committee of Public Accounts and Audit, I present report No. 485 entitled Cyber resilience: inquiry into Auditor-General's reports 1 and 13 (2019-20).

Report made a parliamentary paper in accordance with standing order 39(e).

by leave—I present report No. 485 of the Joint Committee of Public Accounts and Audit, entitled Cyber resilience. This report details the committee's findings from its inquiry into two Auditor-General's reports of 2019-20, including report No. 1, Cyber resilience of government business enterprises and corporate Commonwealth entities, and report 13, Implementation of the My Health Record system. The purpose of the committee's inquiry was to consider the effectiveness of the management of cyber-risks and the implementation of cybersecurity measures in various agencies. It also examined the Auditor-General's findings on the extent to which Commonwealth entities had embedded a cyber-resilience culture.

The report contains six recommendations targeting a number of core areas. In the interests of time, I'll broadly outline some of the key themes. The first of those concerns the importance of the development of a cyber-resilience culture within entities. The committee noted that the ANAO has developed a detailed framework of 13 behaviours and practices that could assist in the implementation and improvement of culture. These are covered under four headings: governance and risk management, roles and responsibilities, technical support, and monitoring compliance. The committee outlines in recommendation 3 that these practices and behaviours should play a greater role in the implementation and improvement of a cyber-resilience culture within Commonwealth entities.

Further, the committee noted that the Protective Security Policy Framework, commonly known as the PSPF, addresses the development of a positive security culture. However, specific references to the 13 behaviours and practices under the title outlined by the Auditor-General within the PSPF could not be found. Recommendation 3 seeks to help to address this by outlining that the PSPF should be amended to reflect or incorporate, where needed, the ANAO's framework. It also recommends that a dedicated section be created within the annual PSPF self-assessment questionnaire addressing these 13 criteria.

Further, in recommendation 4, the committee outlines that the Australian National Audit Office should consider conducting an annual limited assurance review into the cyber-resilience of Commonwealth entities and that this could include examining the extent to which entities have embedded a cyber-resilience culture and compliance with the essential eight mitigation strategies in the Information Security Manual. To enable time for implementation, the committee recommends that this review commence from June 2022 and be conducted yearly for five years.

Other recommendations outlined in this report are specific to relevant Commonwealth entities. Recommendation 5 requests that Australia Post provide an update on progress in implementing controls in line with the top four and essential eight mitigation strategies and how a cyber-resilience culture is being further embedded in the organisation. Recommendation 6 requests that the Australian Digital Health Agency provide an update on a number of key aspects of its ANAO My Health Record performance audit implementation plan.

Finally, other recommendations address broad improvements to existing frameworks and are directed to the Attorney-General's Department. Recommendation 1 requests that the department provide an update to the committee on its implementation of external moderation models and benchmarking processes to verify entities' reported compliance with cybersecurity requirements. Recommendation 2 is also directed to the Attorney-General's Department and seeks an update on the levels of cybersecurity maturity within Commonwealth entities and the feasibility of mandating the essential eight mitigation strategies across Commonwealth entities. It also recommends that the Attorney-General's Department report back on any impediments to mandating the top four strategies for government business enterprises and corporate Commonwealth entities.

Finally, I'd like to very much thank those agencies that participated in the inquiry and those who appeared at public hearings. I would also like to note that this is a consensus report of the committee and thank all committee members for their willingness to work collaboratively on this very important inquiry. I commend the report to the House.
