Agencies get poor marks in security audit


By Dylan Bushell-Embling
Monday, 02 July, 2018


Agencies get poor marks in security audit

None of three Australian Government departments audited by the Australian National Audit Office have achieved full compliance with the Essential Eight cybersecurity measures.

The audit of Treasury, the National Archives of Australia and Geoscience Australia found that only the first of these have even achieved compliance with the mandatory Top Four of these measures.

The top four mitigation strategies, developed by the Australian Signals Directorate, involve requiring application whitelisting on desktops and servers, maintaining sound patching policies and procedures for both applications and operating systems, and effectively managing access provisions for privileged user accounts.

As the only department examined to be compliant with these strategies, only Treasury was deemed to be cyber resilient.

The National Archives only complied with the requirements on application patching and privileged user access, but due to sound general ICT controls was deemed to be internally resilient.

Geoscience Australia had none of the controls in place but was working to achieve compliance with all but the application whitelisting requirement. The agency was nevertheless deemed to be vulnerable to attack.

Each of the agencies had also implemented just one of the remaining non-mandatory Essential Eight strategies — the daily backup of important data. Each had made limited progress in implementing the other three strategies — disabling untrusted Microsoft Office macros, user application hardening and implementing multifactor authentication.

Geoscience Australia and the National Archives have both agreed to the Auditor-General’s recommendation that they establish a plan and time frame to achieve compliance with the Top Four mitigation strategies.

The audit has also recommended that the Attorney-General’s Department, Department of Home Affairs and Australian Signals Directorate work together to improve compliance with the Essential Eight strategies.

Image credit: ©iconimage/Dollar Photo Club

Please follow us and share on Twitter and Facebook. You can also subscribe for FREE to our weekly newsletter and quarterly magazine.

Related Articles

The machine identity gap putting public sector data at risk

While there is an increased focus on AI and secure data access, many agencies still lack a...

Access management remains a major problem at many Australian councils

As AI starts to be used more widely in the local government sector, further granularity around...

Australia's next Budget must treat cyber resilience as essential infrastructure

The federal Budget needs to make cyber resilience a core investment priority across AI...


  • All content Copyright © 2026 Westwick-Farrow Pty Ltd