Enhance the data governance framework and further drive the prioritisation of required security controls by improving the communications channels/processes from audit teams to the CIO and ITSA. This communication is to identify the most sensitive stakeholder data held within the ANAO IT environment which requires protection.

The ANAO has a sound approach to managing client data that is collected as part of an audit. This approach is guided by the Audit Manuals that prescribe processes based on policies, audit standards and audit methodology. In addition, the ANAO has identified opportunities across its strategic governance framework to enhance the corporate processes that support audit teams to collect, handle and store audit evidence. The ANAO will include standing agenda items at the IT Strategic Committee that require Senior Audit managers to report on ongoing conformance with corporate policies.

Completed.

As updated in August, the ANAO is continuing its development of a Data Action Plan and is progressing with a program of work to further enhance security of data by establishing additional standardised processes for data acquisition and registration of client data when it is collected, stored and disposed.

Create a cyber security strategy to prioritise the required security improvements to further strengthen the security controls of the ANAO IT environment. These controls should include:

• the Essential Eight^a (incorporating the Top Four) cyber security mitigations recommended by the ASD (henceforth the Essential Eight);
• specific controls with a high cost-benefit value to the ANAO's IT environment; and
• key detective security controls e.g. implementing more network and host based monitoring.

Completed.

The ANAO developed a cyber security strategy (February 2019) which sets out the ANAO objectives and priorities for cyber security.

The ANAO also invested in a two-year program (2020-2021) of security improvement with a specific focus on Essential Eight Maturity uplift and implementing specific controls with a high cost-benefit value to increase security of ANAO’s IT environment.

The ANAO has a documented security risk management plan for the Essential Eight which was endorsed by the Accountable Authority on 25 August 2020.

The ANAO has also implemented improved monitoring systems which are designed to detect and report security incidents near to real time.  

Document and maintain a security risk assessment that includes a register of ANAO's IT security controls, additional risk treatments required or accepted risks under the ANAO's risk management framework.

The ANAO has implemented a risk register that identifies PSPF requirements and the ANAO's treatment and risk assessment of those controls. The register is monitored through a sound governance framework which includes the monthly ANAO Security Committee meeting, the IT Strategic Committee which is a sub-committee of the ANAO's Executive Board of Management.

Completed.

The risk register has been developed and expanded to include risks and controls across the ANAO's entire ICT environment as well as identified PSPF requirements.

Define a process that identifies when and how to engage with the ASD when responding^b to a security incident, and if ASD support was not available in a timely manner due to other ASD priorities, how the security incident would be handled by the ANAO.

The ANAO has updated the Incident Response Plan as part of the IRAP assessment to include more direction on when to contact ASD. The ANAO notes that its Incident Response Plan contained guidance on when to contact ASD prior to the recent update. The ANAO will review its documents to provide additional guidance on how to manage an incident where ASD was not available.

Completed.

The ANAO has reviewed its existing plans to ensure that guidance on how to manage incidents remains relevant and appropriate.

The ANAO has effectively implemented incident response plans and business continuity plans in response to the COVID19 pandemic.

The ANAO continues to work with its vendors to ensure processes are in place for effectively managing security incidents in the absence of ASD.

Improve the monitoring of security controls by ensuring segregation of duties between the staff responsible for operating key security controls and the ITSA that is monitoring and reporting on them.

The ANAO recognised the importance of segregating the duties of the ITSA in October 2016, splitting the role from the CIO and appointing a dedicated ITSA at that time. The ANAO notes the Independent Auditor's observation that the ITSA has other duties and will monitor the workload to ensure IT security functions continue as a priority.

ANAO has improved reporting mechanisms through its governance framework to ensure that cyber security is prioritised, monitored and reviewed. The development of the cyber security strategy will assist the ANAO in the management and reporting of progress to senior management.

Completed.

The CIO and ITSA roles remain segregated. In addition, the ANAO continues to include cyber security in its governance committees to ensure ongoing monitoring of cyber security environment.

Improve the monitoring of security controls by ensuring segregation of duties between the staff responsible for operating key security controls and the ITSA that is monitoring and reporting on them.

The ANAO recognised the importance of segregating the duties of the ITSA in October 2016, splitting the role from the CIO and appointing a dedicated ITSA at that time. The ANAO notes the Independent Auditor's observation that the ITSA has other duties and will monitor the workload to ensure IT security functions continue as a priority.

ANAO has improved reporting mechanisms through its governance framework to ensure that cyber security is prioritised, monitored and reviewed. The development of the cyber security strategy will assist the ANAO in the management and reporting of progress to senior management.

Completed.

The CIO and ITSA roles remain segregated. In addition, the ANAO continues to include cyber security in its governance committees to ensure ongoing monitoring of cyber security environment.

Continue with the current IRAP assessment in progress to validate the effectiveness of current security policies and controls across the IT environment and inform the prioritisation of remediation of key control deficiencies.

The ANAO is nearing completion of the IRAP assessment. The ANAO continues to implement improvements and recommendations from the assessment.

Completed.

The IRAP assessment has been completed with the ANAO Protected ICT Network Accreditation endorsed by the Accountable Authority on 1 April 2019.

Enhance the data governance framework and further drive the prioritisation of required security controls by improving the communications channels/processes from audit teams to the CIO and ITSA. This communication is to identify the most sensitive stakeholder data held within the ANAO IT environment which requires protection.

The ANAO has a sound approach to managing client data that is collected as part of an audit. This approach is guided by the Audit Manuals that prescribe processes based on policies, audit standards and audit methodology. In addition, the ANAO has identified opportunities across its strategic governance framework to enhance the corporate processes that support audit teams to collect, handle and store audit evidence. The ANAO will include standing agenda items at the IT Strategic Committee that require Senior Audit managers to report on ongoing conformance with corporate policies.

In progress.

The ANAO has developed a Data Action Plan and is progressing with a program of work to further enhance security of data by establishing additional standardised processes for data acquisition and registration of client data when it is collected, stored and disposed.

Data governance has been added as a standing agenda item to the ANAO's IT Strategic Committee to enable Executive leaders to continue to normalise discussions about the relationship between audit evidence and data management.

ANAO continues to monitor its data holdings to ensure the appropriate management and storage of audit evidence according to Audit manuals.

Create a cyber security strategy to prioritise the required security improvements to further strengthen the security controls of the ANAO IT environment. These controls should include:

• the Essential Eight^a (incorporating the Top Four) cyber security mitigations recommended by the ASD (henceforth the Essential Eight);
• specific controls with a high cost-benefit value to the ANAO's IT environment; and
• key detective security controls e.g. implementing more network and host based monitoring.

Completed

The ANAO developed a cyber security strategy (February 2019) which sets out the ANAO objectives and priorities for cyber security. 

The ANAO also invested in a two-year program (2020-2021) of security improvement with a specific focus on Essential Eight Maturity uplift and implementing specific controls with a high cost-benefit value to increase security of ANAO’s IT environment.

The ANAO has a documented security risk management plan for the Essential Eight which was endorsed by the Accountable Authority on 25 August 2020.

The ANAO has also implemented improved monitoring systems which are designed to detect and report security incidents near to real time.  

Document and maintain a security risk assessment that includes a register of ANAO's IT security controls, additional risk treatments required or accepted risks under the ANAO's risk management framework.

The ANAO has implemented a risk register that identifies PSPF requirements and the ANAO's treatment and risk assessment of those controls. The register is monitored through a sound governance framework which includes the monthly ANAO Security Committee meeting, the IT Strategic Committee which is a sub-committee of the ANAO's Executive Board of Management.

Completed.

The risk register has been developed and expanded to include risks and controls across the ANAO's entire ICT environment as well as identified PSPF requirements.

Define a process that identifies when and how to engage with the ASD when responding^b to a security incident, and if ASD support was not available in a timely manner due to other ASD priorities, how the security incident would be handled by the ANAO.

The ANAO has updated the Incident Response Plan as part of the IRAP assessment to include more direction on when to contact ASD. The ANAO notes that its Incident Response Plan contained guidance on when to contact ASD prior to the recent update. The ANAO will review its documents to provide additional guidance on how to manage an incident where ASD was not available.

Completed.

The ANAO has reviewed its existing plans to ensure that guidance on how to manage incidents remains relevant and appropriate.

The ANAO has effectively implemented incident response plans and business continuity plans in response to the COVID19 pandemic.

The ANAO continues to work with its vendors to ensure processes are in place for effectively managing security incidents in the absence of ASD.

Improve the monitoring of security controls by ensuring segregation of duties between the staff responsible for operating key security controls and the ITSA that is monitoring and reporting on them.

The ANAO recognised the importance of segregating the duties of the ITSA in October 2016, splitting the role from the CIO and appointing a dedicated ITSA at that time. The ANAO notes the Independent Auditor's observation that the ITSA has other duties and will monitor the workload to ensure IT security functions continue as a priority.

ANAO has improved reporting mechanisms through its governance framework to ensure that cyber security is prioritised, monitored and reviewed. The development of the cyber security strategy will assist the ANAO in the management and reporting of progress to senior management.

Completed.

The CIO and ITSA roles remain segregated. In addition, the ANAO continues to include cyber security in its governance committees to ensure ongoing monitoring of cyber security environment.

Improve the monitoring of security controls by ensuring segregation of duties between the staff responsible for operating key security controls and the ITSA that is monitoring and reporting on them.

The ANAO recognised the importance of segregating the duties of the ITSA in October 2016, splitting the role from the CIO and appointing a dedicated ITSA at that time. The ANAO notes the Independent Auditor's observation that the ITSA has other duties and will monitor the workload to ensure IT security functions continue as a priority.

ANAO has improved reporting mechanisms through its governance framework to ensure that cyber security is prioritised, monitored and reviewed. The development of the cyber security strategy will assist the ANAO in the management and reporting of progress to senior management.

Completed.

The CIO and ITSA roles remain segregated. In addition, the ANAO continues to include cyber security in its governance committees to ensure ongoing monitoring of cyber security environment.

Continue with the current IRAP assessment in progress to validate the effectiveness of current security policies and controls across the IT environment and inform the prioritisation of remediation of key control deficiencies.

The ANAO is nearing completion of the IRAP assessment. The ANAO continues to implement improvements and recommendations from the assessment.

Completed.

The IRAP assessment has been completed with the ANAO Protected ICT Network Accreditation endorsed by the Accountable Authority on 1 April 2019.

Enhance the data governance framework and further drive the prioritisation of required security controls by improving the communications channels/processes from audit teams to the CIO and ITSA. This communication is to identify the most sensitive stakeholder data held within the ANAO IT environment which requires protection.

The ANAO has a sound approach to managing client data that is collected as part of an audit. This approach is guided by the Audit Manuals that prescribe processes based on policies, audit standards and audit methodology. In addition, the ANAO has identified opportunities across its strategic governance framework to enhance the corporate processes that support audit teams to collect, handle and store audit evidence. The ANAO will include standing agenda items at the IT Strategic Committee that require Senior Audit managers to report on ongoing conformance with corporate policies.

In progress.

Membership of the ANAO's security committee has been expanded to include greater input from business units, particularly to enhance management of personnel security.

Data governance has been added as a standing agenda item to the ANAO's IT Strategic Committee to enable Executive leaders to continue to normalise discussions about the relationship between audit evidence and data management.

ANAO continues to monitor its data holdings to ensure the appropriate management and storage of audit evidence according to Audit manuals.

Create a cyber security strategy to prioritise the required security improvements to further strengthen the security controls of the ANAO IT environment. These controls should include:

• the Essential Eight^a (incorporating the Top Four) cyber security mitigations recommended by the ASD (henceforth the Essential Eight);
• specific controls with a high cost-benefit value to the ANAO's IT environment; and
• key detective security controls e.g. implementing more network and host based monitoring.

The ANAO agrees to develop a cyber security strategy to complement its existing suite of governance documents including the ANAO Corporate Plan, IT security policy and ANAO strategic risk framework. The ANAO notes that the ISM and PSPF do not require an organisation to develop a security strategy. The ANAO has regard to both the ISM and PSPF in developing its approach to security and has existing policies that cover information security, personal security and physical security. The ANAO agrees to include in the cyber security strategy its approach regarding the Essential Eight controls particularly those controls that have a high cost-benefit value to the ANAO's IT environment

In progress.

• The ANAO has commenced the development of the cyber security strategy. The strategy will complement the ANAO's existing security documents and articulate the ANAO's strategic approach to security management.
• The ANAO has undertaken a number of security improvements in the meantime to align with the Essential Eight and improve cyber resilience:
  • A Windows 10 operating environment has been implemented with new controls whilst removing previous vulnerabilities.
  • Improved backup and restore capabilities to minimise risks of data loss.
  • Enhancements to application and firmware patching processes.

Document and maintain a security risk assessment that includes a register of ANAO's IT security controls, additional risk treatments required or accepted risks under the ANAO's risk management framework.

The ANAO has implemented a risk register that identifies PSPF requirements and the ANAO's treatment and risk assessment of those controls. The register is monitored through a sound governance framework which includes the monthly ANAO Security Committee meeting, the IT Strategic Committee which is a sub-committee of the ANAO's Executive Board of Management.

Completed.

The register has been developed and is currently being refined to include risks and controls across the ANAO's entire ICT environment, beyond the PSPF.

Define a process that identifies when and how to engage with the ASD when responding^b to a security incident, and if ASD support was not available in a timely manner due to other ASD priorities, how the security incident would be handled by the ANAO.

The ANAO has updated the Incident Response Plan as part of the IRAP assessment to include more direction on when to contact ASD. The ANAO notes that its Incident Response Plan contained guidance on when to contact ASD prior to the recent update. The ANAO will review its documents to provide additional guidance on how to manage an incident where ASD was not available.

Completed.

The ANAO has reviewed its existing plans to ensure that guidance on how to manage incidents remains relevant and appropriate. The ANAO conducted an exercise in December 2017 to test its incident response plan and business continuity plans.

The ANAO continues to work with its vendors to refine processes for managing security incidents in the absence of ASD.

Improve the monitoring of security controls by ensuring segregation of duties between the staff responsible for operating key security controls and the ITSA that is monitoring and reporting on them.

The ANAO recognised the importance of segregating the duties of the ITSA in October 2016, splitting the role from the CIO and appointing a dedicated ITSA at that time. The ANAO notes the Independent Auditor's observation that the ITSA has other duties and will monitor the workload to ensure IT security functions continue as a priority.

ANAO has improved reporting mechanisms through its governance framework to ensure that cyber security is prioritised, monitored and reviewed. The development of the cyber security strategy will assist the ANAO in the management and reporting of progress to senior management.

Completed.

The CIO and ITSA roles remain segregated. In addition, the ANAO continues to include cyber security in its governance committees to ensure ongoing monitoring of cyber security environment.

Continue with the current IRAP assessment in progress to validate the effectiveness of current security policies and controls across the IT environment and inform the prioritisation of remediation of key control deficiencies.

The ANAO is nearing completion of the IRAP assessment. The ANAO continues to implement improvements and recommendations from the assessment.

In progress

The ANAO's security documentation framework was updated and IRAP testing has taken place. The ANAO is awaiting the assessor's report.