Year Published: 2021
Language: English
Sector: Governance
Issue: Cyber Security Strategies
Year Published: 2020
Language: English
Sector: Public Finance
Issue: IT Controls and Cyber Security Risks
Year Published: 2021
Language: English
Sector: Key Internal Controls
Issue: Safeguarding financial information from cyber threats
Year Published: 2017
Language: English
Sector: Revenue and Taxation, Personnel Administration and Training, Borders and immigration
Issue: Cybersecurity
In June 2014, ANAO Audit Report No. 50 2013–14, Cyber Attacks: Securing Agencies’ ICT Systems was tabled in Parliament. The report examined seven Australian Government entities’ implementation of the mandatory strategies in the Australian Government Information Security Manual (Top Four mitigation strategies). The Top Four mitigation strategies are: application whitelisting, patching applications, patching operating systems and minimising administrative privileges. The audit found that none of the seven entities were compliant with the Top Four mitigation strategies and none were expected to achieve compliance by the Australian Government’s target date of 30 June 2014.
The Joint Committee of Public Accounts and Audit held a public hearing to examine Report No. 50 on 24 October 2014. Three of the seven audited entities—the Australian Taxation Office, the Department of Human Services, and the then Australian Customs and Border Protection Service—appeared before the hearing to explain their plans and timetables to achieve compliance with the Top Four mitigation strategies. Each of the three entities gave assurance to the Joint Committee of Public Accounts and Audit that compliance with the Top Four mitigation strategies would be achieved during 2016.
In 2015, the ANAO conducted a second performance audit to examine a further four government entities’ compliance with the Top Four mitigation strategies. The four entities were: Australian Federal Police, Australian Transaction Reports and Analysis Centre, Department of Agriculture and Water Resources and the Department of Industry, Innovation and Science. The ANAO Performance Audit Report No. 37 2015–16 Cyber Resilience was tabled in May 2016. In this audit the ANAO found that two entities—Australian Transaction Reports and Analysis Centre, Department of Agriculture and Water Resources—were compliant with the Top Four mitigation strategies. The other two agencies were not compliant with these strategies. The ANAO made three recommendations and all entities agreed with all recommendations.
Weblink : https://www.anao.gov.au/work/performance-audit/cybersecurity-follow-audit
Summary/Highlight:
The Australian Government Information Security Manual outlines 35 strategies to assist government entities mitigate the risk of cyber intrusions to their information and communications technology (ICT) systems. The Australian Signals Directorate advised that if government entities implemented the top four of these 35 strategies (Top Four mitigation strategies), it would prevent 85 percent of targeted cyber intrusions.
The Top Four mitigation strategies are:
- using application whitelisting on desktops and servers to prevent malicious software and unapproved programs from running on a computer;
- applying application patches through sound policies, procedures and practices to help ensure the applications’ security;
- applying security patches through sound policies, procedures and practices to operating systems to mitigate security risks and reduce system vulnerabilities; and
- effectively managing access provisions for privileged user accounts across an entity’s ICT environment, including the entity’s network, applications, databases and operating systems.
Year Published: 2017
Language: English
Sector: Cross Government, Revenue and Taxation
Issue: E-Governance
The myGov digital service (myGov) is an entry portal for individuals to access the services of participating government entities. It was launched in May 2013 to provide individuals with secure online access to a range of Australian Government services in one place. It was expected to provide a whole-of-government digital service delivery capability and to improve the experience for individuals who choose to self-manage their interactions with government services. The four year myGov project (2012–13 to 2015–16) was to provide:
- a single username to access member services;
- search ability to identify available government services;
- the ability to notify multiple services about changes of personal contact details;
- the ability to submit data online to validate facts, including for proof of identity; and
- lower costs and more timely communications from services via a digital mailbox.
The Digital Transformation Agency is responsible for myGov service strategy, policy and user experience. The Department of Human Services (Human Services) is responsible for administering and hosting myGov, including processes and procedures for system development and testing, security and operational performance.
By November 2016, myGov supported nearly 11 million active accounts and ten member services.
Weblink : https://www.anao.gov.au/work/performance-audit/mygov-digital-services
Summary/Highlight:
The Department of Human Services’ implementation of myGov as a platform to deliver whole-of-government online services has been largely effective.
Fit-for-purpose strategic and operational governance arrangements operated for the first three years of the myGov project, followed by a one year gap in strategic governance when interim arrangements had a largely operational focus. This gap was addressed in July 2016 with the re-establishment of a strategic governance board.
There were 9.5 million user accounts registered in myGov by the end of the four year project—nearly double the business case forecast of 5.1 million. myGov has contributed to improved delivery of government services for individuals by providing three key functionalities—single digital credential, Update Your Details and Inbox—to reduce the time spent transacting with government. Several requirements to improve usability have only recently been implemented and a small number of requirements are yet to be delivered. As at November 2016, there were ten government services available through myGov. While it is not mandatory for member services to participate in myGov, the effectiveness of myGov as a whole-of-government capability has been hampered by government services not joining myGov and not fully adopting the myGov functionalities.
Since late 2015, the myGov platform has been hosted on high-availability infrastructure, which has improved performance, especially during peak demand periods, with performance targets consistently met. Suitable security and privacy measures were in place to control access and protect sensitive data stored in myGov.
In 2012, the Government approved a budget for the myGov project of $29.7 million for 2012–13 to 2015–16 based on the functionalities set out in the business case. The myGov project was not delivered within this original agreed funding, with actual expenditure to June 2016 totalling $86.7 million. Over the four years of the project an additional $37.8 million in funding was approved by Government, and Human Services funded the remaining $19.2 million from a pre-approved ICT contingency fund. Departmental records indicate that the increase in operating expenses over the four years of the project—from $8.5 million in 2012–13 to $37.3 million in 2015–16—was primarily driven by the costs associated with supporting the large number of user accounts (nearly double the forecast) and the improved high-availability infrastructure.
Performance metrics to enable the quantification of actual savings in the six areas identified in the business case were not developed. In the absence of such metrics, it is not possible to determine whether the expected savings have been realised in all six areas.
Year Published: 2016
Language: English
Sector: Agriculture, Industry, Science & Technology
Issue: Cybersecurity
In June 2014, the Australian National Audit Office tabled in Parliament ANAO Audit Report No.50 2013–14, Cyber Attacks: Securing Agencies’ ICT Systems. The report examined implementation of the mandatory strategies in the Australian Government Information Security Manual (ISM).
The Joint Committee of Public Accounts and Audit (JCPAA) held a public hearing to examine Report No.50 on 24 October 2014. The Committee was concerned that the seven entities audited were not compliant with the ‘Top Four’ strategies in the ISM, and that none of the entities were expected to achieve compliance by the mandated target date of 30 June 2014.
In light of concerns about entities’ shortcomings in achieving compliance, the JCPAA asked the Auditor-General to extend the coverage of the audit to include other entities. In response to the JCPAA, a performance audit was scheduled to assess another four selected entities’ compliance with Australian Government requirements. This report is the outcome of the audit.
Weblink : https://www.anao.gov.au/work/performance-audit/cyber-resilience
Summary/Highlight:
All entities made efforts to achieve compliance with the mandated strategies in the ISM. Two of the four selected entities achieved compliance—AUSTRAC and the Department of Agriculture and Water Resources. Two entities did not achieve compliance—Australian Federal Police and the Department of Industry, Innovation and Science.
The ANAO has made three recommendations aimed at achieving compliance with mandated strategies in the ISM. The recommendations are likely to apply to other Australian Government entities not specifically examined in this audit.
Year Published: 2014
Language: English
Sector: Revenue and Taxation, Personnel Administration and Training, Borders and immigration
Issue: Cybersecurity
Governments, businesses and individuals increasingly rely on information and communications technology (ICT) in their day-to-day activities, with rapid advances continuing to be made in how people and organisations communicate, interact and transact business through ICT and the Internet. In the government sector, ICT is used to deliver services, store and process information, and enable communications, with a consequent need to protect the privacy, security and integrity of information maintained on government systems.
Cyber crime is an international problem, and it is estimated that in 2012, 5.4 million Australians fell victim to such crimes, with an estimated cost to the economy of $1.65 billion. In the government sector, the Australian Signals Directorate (ASD) has estimated that between January and December 2012, there were over 1790 security incidents against Australian Government agencies. Of these, 685 were considered serious enough to warrant a Cyber Security Operations Centre response.
The protection of Australian Government systems and information from unauthorised access and use is a key responsibility of agencies, having regard to their business operations and specific risks. In the context of a national government, those risks can range from threats to national security through to the disclosure of sensitive personal information. Unauthorised access through electronic means, also known as cyber intrusions, can result from the actions of outside individuals or organisations. Individuals operating from within government may also misuse information which they are authorised to access, or may inappropriately access and use government information holdings.
For some years, the Australian Government has established both an overarching protective security policy framework, and promulgated specific ICT risk mitigation strategies and related controls, to inform the ICT security posture of agencies. In 2013, the Government mandated elements of the framework, in response to the rapid escalation, intensity and sophistication of cyber crime and other cyber security threats.
Weblink : https://www.anao.gov.au/work/performance-audit/cyber-attacks-securing-agencies-ict-systems
Summary/Highlight:
The selected agencies were assessed on their: compliance with the top four mitigation strategies and related controls; maturity to effectively manage logical access and change management as part of normal business processes (IT general controls); observed compliance state as at 30 November 2013; and reported planned compliance state by 30 June 2014.
The ANAO’s summary findings for each of the selected agencies are reported in the context of a matrix, which indicates agencies’ overall level of protection against internal and external threats as a consequence of the steps taken to implement the top four strategies and IT general controls. The matrix, which is referred to as the Agency Compliance Grade, indicates where agencies are positioned in terms of ICT security zones: vulnerable zone; externally secure zone; internally secure zone, and cyber secure zone. The zones are explained further in Table S.2 and illustrated in Figure S.1. An agency’s position indicates its overall ICT security posture—in essence how well the agency is protecting its exposure to external vulnerabilities and intrusions, internal breaches and disclosures, and how well it is positioned to address threats.
Year Published: 2018
Language: English
Sector: Billing System
Issue: 1. Design of the system and mapping of business rules 2. Non-maintenance of Data dictionary 3. Information security issues like password management and audit trail 4. Weaknesses in input and processing controls 5. Inconsistencies in data
Year Published: 2016
Language: English
Sector: Transport
Issue: 1. Non-formulation of IT Policy 2. Lack of Data integrity 3. Lack of monitoring and inadequate training 4. Physical Access to IT facilities and poor maintenance.
Year Published: 2017
Language: English
Sector: Finance
Issue: 1. Inadequate Training of Users 2. Issues on Segregation of duties and data access 3. Lack of BCP/DRP 4. System design deficiencies 5. Absence of input controls and validation checks led to incomplete data
Year Published: 2018
Language: English
Sector: Finance
Issue: 1. Inadequate System Security & Control Mechanism 2. System Design deficiencies 3. Business rules not mapped
Year Published: 2018
Language: English
Sector: Office Automation
Issue: 1. Partial implementation of WAMIS 2. Non-preparation of Software Design Document 3. Deficiencies in Change Management process 4. Inefficient user management 5. Lack of Input and Validation controls 6. Deficient MIS module
Year Published: 2018
Language: English
Sector: Office Automation
Issue: 1. Deficiencies in System Design 2. Bypassing Segregation of duties 3. Inaccurate mapping of business rules 4. Weak process controls in the system
Year Published: 2016
Language: English
Sector: Office Automation
Issue: 1. Delay in completion of modules 2. Non-establishment of Disaster Recovery site 3. Lack of input and processing control 4. Discrepancies in Migration of Legacy data
Year Published: 2015
Language: English
Sector: Service
Issue: 1. Ad hoc approach while Acquiring Hardware 2. Extra charges paid for data migration 3. Application functionality deficiencies 4. Non-mapping of business rules
Year Published: 2017
Language: English
Sector: Office Automation
Issue: 1. Deficiencies in Tender Processing system in the application 2. Inconsistencies in data 3. Incorrect mapping of business rules leading to excess procurement 4. Change Management Control and documentation 5. Lack of third-party security assessment
Year Published: 2017
Language: English
Sector: Procurement
Issue: 1. Non-mapping of Business rules 2. Inadequate validation controls in the registration of users 3. Non-supply of Software Design Document, Functional Requirement Specifications Document, Backup policy and Disaster Recovery Plan
Year Published: 2016
Language: English
Sector: Cross-government, Public administration
Issue: Information Security
Five years ago, we highlighted the importance of three major themes in tackling government’s challenges:
- taking a structured approach to reducing costs;
- improving financial management; and
- using information effectively.
We argued that without significant progress in all three areas, government would not be able to transform services and achieve sustainable improvements and savings. Our work over the last five years has identified some improvements in these areas. Across government, there is a much deeper understanding of the challenges and opportunities of transformation. But our work also shows that attempts to transform government have had mixed success. Many public services appear increasingly unsustainable. Those responsible for major programmes have continued to exhibit over-optimism and make slow progress towards their objectives.
Government’s recent experience has highlighted several important building blocks for transformation:
- Strategic business planning and management: Our report Government’s management of its performance: progress with single departmental plans found that a strong planning framework is needed to counter problems in delivering new services successfully.
- Building and deploying capabilities: Our report Capability in the civil service highlighted the importance of getting the right skills and experience to support new ways of working.
- Improving the use of technology and data: Our work on major transformation programmes has shown how difficult it is to use technology effectively to enable transformation.
- Managing evolving programmes and portfolios: Our work on major programmes has also shown how difficult it can be to assure and manage major transformation programmes, balancing more iterative approaches with robust programme and project management disciplines.
These building blocks will help to counter tendencies to make decisions for tactical reasons without addressing wider considerations. They allow departments to balance short-term spending targets with long-term strategies. At the same time, better information and access to expertise will help to support and assure complex programmes.
Weblink : https://www.nao.org.uk/report/digital-transformation-in-government/
Summary/Highlight:
Government faces significant challenges in providing public services. Continuing austerity has put additional demands on departments, which are already trying to tackle complex reforms with fewer staff and smaller budgets. Our work across government has highlighted the problems this can create for financial sustainability and the need to transform public services.
In 2011, the Coalition Government launched its Government ICT Strategy and set up Government Digital Service (GDS) as a centre of digital expertise within the Cabinet Office. Since then, GDS has worked to improve the quality of online information and help transform services so that they meet users’ needs.
Transformation has not been straightforward. While many government services are now available online, departments and GDS have struggled to manage more complicated programmes and to improve the complex systems and processes that support public services.
In February 2017, the government published its Government Transformation Strategy. The strategy sets out GDS’s new approach to supporting transformation across government and its aims for the current spending review period.
In this report, we review the role of GDS in supporting transformation and the use of technology across government. Our report is structured as follows:
- Part One describes how GDS has evolved and sets out some of the questions that a central technology function needs to consider.
- Part Two considers GDS’s role in coordinating and setting strategy across government.
- Part Three looks at how GDS has supported other departments, including by promoting new technologies and uses of data.
- Part Four examines how GDS has developed a more common approach to digital development across government through setting standards, establishing reusable central systems and controlling spending.
Year Published: 2013
Language: English
Sector: Cross Government
Issue: E-Governance
This report is about the government’s strategy for moving public services to ‘digital by default’, published in November 2012. The strategy incorporated data on 1,298 users from a government survey in August 2012, as data on citizens’ and small and medium-sized businesses’ use of, and willingness to engage with, public services online was limited. To give the Committee of Public Accounts assurance about the digital strategy, and that its approach to assisting those who are offline to use digital services is based on sound assumptions about the preferences, capabilities and needs of users in England, we commissioned independent research. This included a face-to-face survey of over 3,000 people, an online survey of 130 businesses and eight focus groups in England.
The government started to move to online public services in 2000. In December 2011, we reported on the key developments over the previous decade. While we found progress in making it easier for people to find government information and services online, we did not find robust data on the costs or benefits of spending. Therefore we could not conclude that the government had achieved value for money in working towards its objectives.
When we last reported, the Cabinet Office had set up the Government Digital Service (‘GDS’) to accelerate the move towards digital public services. We made several recommendations for the GDS that they progressed in 2012. In particular, we recommended that it should lead on integrating digital plans across government and improve its analysis of the costs and benefits of going digital. We also recommended that the GDS should have the authority to set and implement policy and work closely with stakeholders to provide digital services that put users first.
The GDS is working to make services ‘digital by default’. Digital by default is defined as “digital services that are so straightforward and convenient that all those who can use them will choose to do so while those who can’t are not excluded”. However, the strategy also highlights the savings that can come from switching to digital channels. The GDS has identified more than 650 public services that central government provides (excluding the NHS, local councils and the police). These could yield total potential annual savings of £1.7 billion to £1.8 billion if they were provided digitally. In 2011-12, according to GDS, these services cost between £6 billion and £9 billion to operate and more than 300 have no digital channel. The savings estimate does not include the costs that may be required to create or redesign digital services. However, it also does not take into account the government’s new approach to becoming digital, set out in its strategy, which could lead to greater savings being achieved more quickly.
In this report we have tested the assumptions made about users in the government digital strategy. Our future audits will evaluate value for money as government redesigns services and moves them online.
Summary/Highlight:
The government has made more ambitious plans over the last year for making public services digital. It is 13 years since the government first announced that it would move public information and transaction services online; a move it initially intended to complete by 2005. Since we last reported in December 2011, the government’s interest has broadened from consolidation of government websites to the more fundamental need to redesign public services with users at the heart. In July 2012, the Civil Service Reform Plan committed the government to becoming digital wherever possible. In November 2012, the Government Digital Strategy was published, which includes ways to help those who are not online to engage with government online (paragraphs 1.1, 1.7 and 1.9).
Set up in 2011, the Government Digital Service established firm leadership of this digital agenda. In particular it has:
- started to improve the Cabinet Office’s digital capacity, and establish digital leaders in departments;
- replaced the Directgov and Business.gov portals to public services with a single website – GOV.UK, a single point of entry to online public services;
- analysed and published cost and performance information on online public services; and
- published the Government Digital Strategy (paragraphs 2.2 to 2.9).
The Government Digital Strategy is based on sound evidence that many people and small- and medium-sized businesses can access and have the skills to use online public services. From our surveys we found that 83 per cent of people use the internet. Whether people live in a rural or urban area appears to make little difference to their internet use. Age, socio-economic group and disability do affect internet use. Over 90 per cent of those we surveyed who were online were experienced internet users who felt confident about completing online tasks without help. However, 7 per cent of those online lack confidence and may need help to use the internet (paragraphs 3.2, 3.3, 3.8 and 3.11).
Year Published: 2022
Language: English
Sector: Infrastructure
Issue: Protecting Cybersecurity of Critical Infrastructure
Year Published: 2020
Language: English
Sector: Protecting Cybersecurity of Critical Infrastructure
Issue: Modern commercial airplanes use avionics systems and networks to share data—for GPS, weather, and communications—with pilots, maintenance crews, other aircraft, and air traffic controllers. Protection from cyberattacks is critical to safety. Airplane manufacturers have cybersecurity controls in place and there haven't been reports of successful cyberattacks on commercial airplane IT systems to date. But evolving cyber threats and increasing connectivity between airplanes and other systems could put future flight safety at risk if the FAA doesn't prioritize oversight. We recommended that the FAA strengthen cybersecurity oversight for airplanes.
Year Published: 2020
Language: English
Sector: Security of Emerging Technologies
Issue: Quantum technologies could revolutionize sensors, computation, and communication. These technologies build on the study of the smallest particles of energy and matter to collect, generate, and process information in ways existing technologies can’t. For example, quantum sensors may be able to locate stealth targets or determine an object’s location and speed without GPS. Quantum computers may dramatically accelerate computing for some applications, such as decrypting information. Quantum communications may also allow completely secure information sharing. These technologies may need many years of development to reach their full potential.
Year Published: 2021
Language: English
Sector: Information Systems
Issue: Weaknesses in Federal Agency Information Security Programs
Year Published: 2021
Language: English
Sector: Public Administration
Issue: Weaknesses in Federal Agency Information Security Programs
Year Published: 2021
Language: English
Sector: Cybersecurity
Issue: Protecting Cybersecurity of Critical Infrastructure
Year Published: 2021
Language: English
Sector: Data Protection
Issue: Protecting Privacy and Sensitive Data
Year Published: 2021
Language: English
Sector: Data Protection
Issue: Protection of privacy of sensitive data
Year Published: 2021
Language: English
Sector: Data Protection
Issue: Protecting Privacy and Sensitive Data
Year Published: 2021
Language: English
Sector: Cybersecurity and Infrastructure
Issue: Protecting Cybersecurity of Critical Infrastructure