[Hilarity no. 1:
[This article appears within an hour or two of the foundation Minister for 
'Home Affairs' resigning.

[Hilarity no. 2:
[Agencies have for many years had an obligation to comply with the entire ISM 
(Information Security Manual).  
[Because agencies were completely unable to comply, in 2010 the obligation was 
reduced to a list of 'top 35' mitigation measures.
[Because agencies were completely unable to comply, in 2013 the obligation was 
raised to 'mandation', but reduced to a minuscule sub-set of 'top 4' mitigation 
measures.
[Agencies generally continue to be completely unable to comply.  This article 
mentions precisely 2 that have got there.

[Hilarity no. 3:
[DHA is one of the agencies whose data holdings and whose culture would seem to 
have required the most stringent data and IT security, from the date that it 
was formed in late 2017.
[But it was formed through the merger of some or all of 5 agencies (ABF - ex 
Immigration and Customs, ACIC, AFP, AusTRAC and ASIO), all of which would seem 
to have required the most stringent data and IT security, from the date that 
each was formed, in most cases many decades ago.
[That DHA *still* isn't compliant is extraordinary.


Home Affairs nears ASD Top 4 compliance
Whitelisting, OS patching added to the books.
Justin Hendry
itNews
Aug 21, 2018 12:00PM
https://www.itnews.com.au/news/home-affairs-nears-asd-top-4-compliance-500277

The Department of Home Affairs is nearing full compliance with the federal 
government's minimum cyber security requirements, with all but one of the top 
four cyber mitigation strategies now in place.

The department reached compliance with the Australian Signals Directorate's 
application whitelisting and monthly patching of operating systems strategies 
at the start of this financial year.

Compliance with the strategies comes more than a year after the department 
failed a cyber resilience audit into the then-Immigration, Human Services, and 
Tax agencies.

The March 2017 audit discovered that only DHS was fully compliant with the top 
four and therefore "cyber resilient". It has since been joined by the ATO.

The strategies became mandatory for agencies in April 2013, as part of their 
annual protective security policy framework (PSPF) self-reporting commitments.

Immigration was found to be the worst performing of the three agencies during 
the audit, with just one of the four strategies - minimising administrative 
privileges - in place.

It later blamed the highly complex IT environment that spawned from the 2015 
merger of the Immigration and Customs agencies for failing the cyber security 
audit.

The department pledged to be compliant with application whitelisting across 
all desktops by July 2017 and servers by July 2018, though it hadn't committed 
to a definite timeline for monthly patching of operating systems.

But earlier this month the department confirmed to iTnews that it was now 
fully compliant with both strategies, in addition to deploying "additional 
controls" to improve its cyber resilience.

"The Department of Home Affairs is compliant with application whitelisting and 
monthly patching of operating systems," the spokesperson said.

"The Department also employs additional controls through a defence-in-depth 
capability to minimise the risks of a successful cyber-attack.

"These controls have been effective in preventing intrusions to departmental 
systems or the compromise of data."

Monthly patching of applications now remains the only top four strategy yet to 
be addressed by the department.

However the department admits meeting compliance with the sole strategy remains 
some years off.

"The Department currently patches a number of high-risk applications through 
its monthly desktop patching cycle, and will review and risk assess the 
remaining applications to achieve compliance by June 2020."


-- 
Roger Clarke                                 http://www.rogerclarke.com/
                                     
Xamax Consultancy Pty Ltd      78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 6916                        http://about.me/roger.clarke
mailto:roger.cla...@xamax.com.au                http://www.xamax.com.au/ 

Visiting Professor in the Faculty of Law            University of N.S.W.
Visiting Professor in Computer Science    Australian National University
_______________________________________________
Link mailing list
Link@mailman.anu.edu.au
http://mailman.anu.edu.au/mailman/listinfo/link