ANAO: Auditing not driving improvements in Commonwealth cybersecurity adherence

Audit Office said non-corporate Commonwealth entities have not been held to account for not meeting mandatory cybersecurity requirements under the Protective Security Policy Framework, specifically the mandate to safeguard information from cyber threats.
The Australian National Audit Office (ANAO) has said it considered continued transparency through reporting to Parliament where cybersecurity risk is concerned to be a positive, but it remained concerned that this may not be enough to drive improvement.

In documentation [PDF] prepared for the Joint Committee of Public Accounts and Audit (JCPAA), ANAO said it was clear that auditing and reporting alone has not driven improvement in compliance with the government’s cybersecurity policy.

“Non-corporate Commonwealth entities have not been held to account for not meeting the mandatory cybersecurity requirements under PSPF Policy 10,” it wrote, in reference to the Protective Security Policy Framework (PSPF) Policy 10, which is centred on safeguarding information from cyber threats. “The current framework to support responsible ministers in holding entities accountable within government is not sufficient to drive improvements in the implementation of mandatory requirements.”

The JCPAA last year reviewed a pair of reports from ANAO and handed down a number of recommendations in its own report published in December. One of the recommendations asked ANAO to consider conducting an annual limited assurance review into the cyber resilience of Commonwealth entities.
