Australia
Cybersecurity Follow-up Audit

Year Published: 2017

Language: English

Sector: Revenue and Taxation, Personnel Administration and Training, Borders and immigration

Issue: Cybersecurity

In June 2014, ANAO Audit Report No. 50 2013–14, Cyber Attacks: Securing Agencies’ ICT Systems was tabled in Parliament. The report examined seven Australian Government entities’ implementation of the mandatory strategies in the Australian Government Information Security Manual (Top Four mitigation strategies). The Top Four mitigation strategies are: application whitelisting, patching applications, patching operating systems and minimising administrative privileges. The audit found that none of the seven entities were compliant with the Top Four mitigation strategies and none were expected to achieve compliance by the Australian Government’s target date of 30 June 2014.

The Joint Committee of Public Accounts and Audit held a public hearing to examine Report No. 50 on 24 October 2014. Three of the seven audited entities—the Australian Taxation Office, the Department of Human Services, and the then Australian Customs and Border Protection Service—appeared before the hearing to explain their plans and timetables to achieve compliance with the Top Four mitigation strategies. Each of the three entities gave assurance to the Joint Committee of Public Accounts and Audit that compliance with the Top Four mitigation strategies would be achieved during 2016.

In 2015, the ANAO conducted a second performance audit to examine a further four government entities’ compliance with the Top Four mitigation strategies. The four entities were: Australian Federal Police, Australian Transaction Reports and Analysis Centre, Department of Agriculture and Water Resources and the Department of Industry, Innovation and Science. The ANAO Performance Audit Report No. 37 2015–16 Cyber Resilience was tabled in May 2016. In this audit the ANAO found that two entities—Australian Transaction Reports and Analysis Centre, Department of Agriculture and Water Resources—were compliant with the Top Four mitigation strategies. The other two agencies were not compliant with these strategies. The ANAO made three recommendations and all entities agreed with all recommendations.

Weblink : https://www.anao.gov.au/work/performance-audit/cybersecurity-follow-audit

Summary/Highlight:

The Australian Government Information Security Manual outlines 35 strategies to assist government entities mitigate the risk of cyber intrusions to their information and communications technology (ICT) systems. The Australian Signals Directorate advised that if government entities implemented the top four of these 35 strategies (Top Four mitigation strategies), it would prevent 85 percent of targeted cyber intrusions.

The Top Four mitigation strategies are:

  • using application whitelisting on desktops and servers to prevent malicious software and unapproved programs from running on a computer;
  • applying application patches through sound policies, procedures and practices to help ensure the applications’ security;
  • applying security patches through sound policies, procedures and practices to operating systems to mitigate security risks and reduce system vulnerabilities; and
  • effectively managing access provisions for privileged user accounts across an entity’s ICT environment, including the entity’s network, applications, databases and operating systems.

Australian Government Procurement Contract Reporting (ANAO Report No.19 of 2017–2018)

Year Published: 2017

Language: English

Sector: All public sectors

Type of IT System(s): Procurement System

Procurement is a significant public sector activity worth $47.4 billion in 2016–17. This information report seeks to provide greater transparency on procurement activity in the Australian public sector. This information report is neither an audit nor an assurance review and presents no conclusions or opinions. The report presents in a variety of ways, including tables and figures, publicly available data from public sector procurement activity.

Weblink : https://www.anao.gov.au/work/information/australian-government-procurement-contract-reporting

Australian Electoral Commission’s Procurement of Services for the Conduct of the 2016 Federal Election (ANAO Report No.25 of 2017–2018)

Year Published: 2018

Language: English

Sector: Finance

Type of IT System(s): Automatic Data Processing System

The audit objective was to assess whether the Australian Electoral Commission appropriately established and managed the contracts for the transportation of completed ballot papers and the Senate scanning solution for the 2016 Federal Election.

Weblink : https://www.anao.gov.au/work/performance-audit/aec-procurement-services-conduct-2016-federal-election

Unscheduled Taxation System Outages (ANAO Report No.29 of 2017–2018)

Year Published: 2018

Language: English

Sector: Revenue and Taxation

Type of IT System(s): Text box – Business Continuity and Disaster Recovery

The objective of the audit was to assess whether the Australian Taxation Office (ATO) has effectively responded to recent unscheduled information technology (IT) system outages.

Weblink : https://www.anao.gov.au/work/performance-audit/unscheduled-taxation-system-outages

myGov Digital Services

Year Published: 2017

Language: English

Sector: Cross Government, Revenue and Taxation

Issue: E-Governance

The myGov digital service (myGov) is an entry portal for individuals to access the services of participating government entities. It was launched in May 2013 to provide individuals with secure online access to a range of Australian Government services in one place. It was expected to provide a whole-of-government digital service delivery capability and to improve the experience for individuals who choose to self-manage their interactions with government services. The four year myGov project (2012–13 to 2015–16) was to provide:

  • a single username to access member services;
  • search ability to identify available government services;
  • the ability to notify multiple services about changes of personal contact details;
  • the ability to submit data online to validate facts, including for proof of identity; and
  • lower costs and more timely communications from services via a digital mailbox.

The Digital Transformation Agency is responsible for myGov service strategy, policy and user experience. The Department of Human Services (Human Services) is responsible for administering and hosting myGov, including processes and procedures for system development and testing, security and operational performance.

By November 2016, myGov supported nearly 11 million active accounts and ten member services.

Weblink : https://www.anao.gov.au/work/performance-audit/mygov-digital-services

Summary/Highlight:

The Department of Human Services’ implementation of myGov as a platform to deliver whole-of-government online services has been largely effective.

Fit-for-purpose strategic and operational governance arrangements operated for the first three years of the myGov project, followed by a one year gap in strategic governance when interim arrangements had a largely operational focus. This gap was addressed in July 2016 with the re-establishment of a strategic governance board.

There were 9.5 million user accounts registered in myGov by the end of the four year project—nearly double the business case forecast of 5.1 million. myGov has contributed to improved delivery of government services for individuals by providing three key functionalities—single digital credential, Update Your Details and Inbox—to reduce the time spent transacting with government. Several requirements to improve usability have only recently been implemented and a small number of requirements are yet to be delivered. As at November 2016, there were ten government services available through myGov. While it is not mandatory for member services to participate in myGov, the effectiveness of myGov as a whole-of-government capability has been hampered by government services not joining myGov and not fully adopting the myGov functionalities.

Since late 2015, the myGov platform has been hosted on high-availability infrastructure, which has improved performance, especially during peak demand periods, with performance targets consistently met. Suitable security and privacy measures were in place to control access and protect sensitive data stored in myGov.

In 2012, the Government approved a budget for the myGov project of $29.7 million for 2012–13 to 2015–16 based on the functionalities set out in the business case. The myGov project was not delivered within this original agreed funding, with actual expenditure to June 2016 totalling $86.7 million. Over the four years of the project an additional $37.8 million in funding was approved by Government, and Human Services funded the remaining $19.2 million from a pre-approved ICT contingency fund. Departmental records indicate that the increase in operating expenses over the four years of the project—from $8.5 million in 2012–13 to $37.3 million in 2015–16—was primarily driven by the costs associated with supporting the large number of user accounts (nearly double the forecast) and the improved high-availability infrastructure.

Performance metrics to enable the quantification of actual savings in the six areas identified in the business case were not developed. In the absence of such metrics, it is not possible to determine whether the expected savings have been realised in all six areas.

Cyber Resilience

Year Published: 2016

Language: English

Sector: Agriculture, Industry, Science & Technology

Issue: Cybersecurity

In June 2014, the Australian National Audit Office tabled in Parliament ANAO Audit Report No.50 2013–14, Cyber Attacks: Securing Agencies’ ICT Systems. The report examined implementation of the mandatory strategies in the Australian Government Information Security Manual (ISM).

The Joint Committee of Public Accounts and Audit (JCPAA) held a public hearing to examine Report No.50 on 24 October 2014. The Committee was concerned that the seven entities audited were not compliant with the ‘Top Four’ strategies in the ISM, and that none of the entities were expected to achieve compliance by the mandated target date of 30 June 2014.

In light of concerns about entities’ shortcomings to achieve compliance, the JCPAA asked the Auditor-General to extend the coverage of the audit to include other entities. In response to the JCPAA, a performance audit was scheduled to assess another four selected entities’ compliance with Australian Government requirements. This report is the outcome of the audit.

Weblink : https://www.anao.gov.au/work/performance-audit/cyber-resilience

Summary/Highlight:

All entities made efforts to achieve compliance with the mandated strategies in the ISM. Two of the four selected entities achieved compliance—AUSTRAC and the Department of Agriculture and Water Resources. Two entities did not achieve compliance—Australian Federal Police and the Department of Industry, Innovation and Science.

The ANAO has made three recommendations aimed at achieving compliance with mandated strategies in the ISM. The recommendations are likely to apply to other Australian Government entities not specifically examined in this audit.

Cyber Attacks: Securing Agencies’ ICT Systems

Year Published: 2014

Language: English

Sector: Revenue and Taxation, Personnel Administration and Training, Borders and immigration

Issue: Cybersecurity

Governments, businesses and individuals increasingly rely on information and communications technology (ICT) in their day-to-day activities, with rapid advances continuing to be made in how people and organisations communicate, interact and transact business through ICT and the Internet. In the government sector, ICT is used to deliver services, store and process information, and enable communications, with a consequent need to protect the privacy, security and integrity of information maintained on government systems.

Cyber crime is an international problem, and it is estimated that in 2012, 5.4 million Australians fell victim to such crimes, with an estimated cost to the economy of $1.65 billion. In the government sector, the Australian Signals Directorate (ASD) has estimated that between January and December 2012, there were over 1790 security incidents against Australian Government agencies. Of these, 685 were considered serious enough to warrant a Cyber Security Operations Centre response.

The protection of Australian Government systems and information from unauthorised access and use is a key responsibility of agencies, having regard to their business operations and specific risks. In the context of a national government, those risks can range from threats to national security through to the disclosure of sensitive personal information. Unauthorised access through electronic means, also known as cyber intrusions, can result from the actions of outside individuals or organisations. Individuals operating from within government may also misuse information which they are authorised to access, or may inappropriately access and use government information holdings.

For some years, the Australian Government has established both an overarching protective security policy framework, and promulgated specific ICT risk mitigation strategies and related controls, to inform the ICT security posture of agencies. In 2013, the Government mandated elements of the framework, in response to the rapid escalation, intensity and sophistication of cyber crime and other cyber security threats.

Weblink : https://www.anao.gov.au/work/performance-audit/cyber-attacks-securing-agencies-ict-systems

Summary/Highlight:

The selected agencies were assessed on their: compliance with the top four mitigation strategies and related controls; maturity to effectively manage logical access and change management as part of normal business processes (IT general controls); observed compliance state as at 30 November 2013; and reported planned compliance state by 30 June 2014.

The ANAO’s summary findings for each of the selected agencies are reported in the context of a matrix, which indicates agencies’ overall level of protection against internal and external threats as a consequence of the steps taken to implement the top four strategies and IT general controls. The matrix, which is referred to as the Agency Compliance Grade, indicates where agencies are positioned in terms of ICT security zones: vulnerable zone; externally secure zone; internally secure zone, and cyber secure zone. The zones are explained further in Table S.2 and illustrated in Figure S.1. An agency’s position indicates its overall ICT security posture—in essence how well the agency is protecting its exposure to external vulnerabilities and intrusions, internal breaches and disclosures, and how well it is positioned to address threats
