The Australian National Audit Office (ANAO) has completed another round of cyber compliance testing[1], finding Treasury was compliant with the Australian Signals Directorate (ASD) Top 4 mitigation strategies, while the National Archives and Geoscience Australia were lacking.
ANAO said it has now found only four government entities compliant with the Top 4 requirement that was made mandatory[2] in April 2013, from the 14 organisations it has examined.
In early 2017, the Top 4 was expanded to the Essential Eight[3], with ANAO finding all three agencies in this round were only compliant with one of the expanded requirements.
"These findings provide further evidence that the implementation of the current framework is not achieving compliance with cyber security requirements, and needs to be strengthened," ANAO said.
With guides to cyber compliance being provided by the Attorney-General's Department (AGD) in the form of the Protective Security Policy Framework (PSPF) and by ASD with the Essential Eight Maturity Model (EEMM), ANAO was at pains to point out the conflicting requirements.
"There are shortcomings in the Essential Eight Maturity Model that limit its usefulness in its current form, and could lead to entities inadvertently overstating their cybersecurity compliance if it is used in performing the self-assessment," ANAO said.
As an example, ANAO said it would be possible to score highly on application whitelisting in the EEMM yet only comply with one requirement under the same category in the PSPF.
"Given the multiple instruments in assessing the effectiveness of ICT security controls, there is likely to be uncertainty for entities in deciding whether to adopt: a controls-based assessment by using the Information