
ATO, Dept of Immigration wrist-slapped for failing security audit, again

Both promise to implement mandatory controls real soon now

At least two Australian government departments, the Department of Immigration and Border Protection (DIBP) and the Australian Tax Office (ATO), have inadequate security, according to a parliamentary committee report published yesterday.

How far behind? They haven't even managed compliance with the top four of the Australian Signals Directorate's “Essential Eight” threat mitigation strategies.

Those four strategies, mandatory for all government organisations, are application whitelisting, patching systems, using the latest application and operating system versions, and restricting admin privileges.

The new report, by the Joint Committee of Public Accounts and Audit, was a follow-up to an Australian National Audit Office (ANAO) report published in March 2017. It's therefore unsurprising that the committee writes:

The Committee is most concerned that the audit found that the ATO and DIBP are still not compliant with the mandatory ‘Top Four’ mitigation strategies (in the Australian Government’s Information Security Manual) and are not cyber resilient.

The ATO reported itself to be compliant with three out of the four strategies; the committee said that was optimistic and trimmed it to two; the DIBP had its three-out-of-four cut to just one.

Oh, and the target date for compliance was 30 June 2014.

The ATO promises to be compliant by November 2017, a leaf from the DIBP's book, which promised compliance by December 2016, but now “could not provide a date for when full compliance with all of the Top Four mitigation strategies would be achieved”.

Given the gap between self-assessment and reality, the committee also wants the ANAO to audit departments' self-assessment process. ®
