List of Recommendations

Recommendation 1

1.73
The Committee recommends that the Attorney-General’s Department provide an update on its implementation of external moderation models/benchmarking processes, to verify Commonwealth entities’ reported compliance with cybersecurity requirements, including implementation timeframes.

Recommendation 2

1.77
The Committee recommends that the Attorney-General’s Department:
provide an update on the levels of cyber security maturity within Commonwealth entities and the feasibility of mandating the Essential Eight across Commonwealth entities, including the threshold of cyber security maturity required by Government to impose this mandate, and expected timeframes; and
report back on any impediments to mandating the Top Four mitigation strategies for government business enterprises and corporate Commonwealth entities.

Recommendation 3

1.88
The Committee recommends that the Australian Government (the Attorney-General’s Department) ensure that the framework of 13 behaviours and practices developed by the Australian National Audit Office (ANAO) play a greater role in the implementation and improvement of a cyber resilience culture within Commonwealth entities, including that:
the Protective Security Policy Framework (PSPF) be amended to reflect or incorporate the behaviours and practices framework, including for auditing purposes, to maximise alignment between the PSPF and the ANAO’s audit framework; and
a dedicated section be created within the annual PSPF self-assessment questionnaire addressing the ANAO’s 13 behaviours and practices that facilitate a cyber resilience culture.

Recommendation 4

1.96
The Committee recommends that the Australian National Audit Office (ANAO) consider conducting an annual limited assurance review into the cyber resilience of Commonwealth entities, with the cost to be met by the responsible policy agencies or Government. The review should examine and report on the extent to which entities have embedded a cyber resilience culture though alignment with the ANAO’s framework of 13 behaviours and practices. The review should also examine the compliance of corporate and non-corporate entities with the Essential Eight mitigation strategies in the Information Security Manual and be conducted for 5 years, commencing from June 2022 (to enable time for implementation).

Recommendation 5

2.40
The Committee recommends that Australia Post provide an update on:
progress in implementing controls in line with the Top Four and other mitigation strategies in the Essential Eight (in confidence, if required); and
how a cyber resilience culture is being further embedded in the organisation.

Recommendation 6

3.42
The Committee recommends that the Australian Digital Health Agency (ADHA) provide an update on its ‘ANAO My Health Record Performance Audit Implementation Plan’ (20 February 2020), including:
key milestones and implementation dates for each of the recommendations in Auditor-General Report No. 13 (2019-20), Implementation of the My Health Record System, with a particular focus on recommendations 3 and 4; and
details of the specific changes that ADHA and other stakeholders need to make to implement the recommendations.

 |  Contents  | 

About this inquiry

Joint Committee of Public Accounts and Audit is conducting an inquiry into matters contained and associated with Auditor-General’s Reports 1 and 13 (2019-20)



Past Public Hearings

02 Jul 2020: Canberra
19 May 2020: Canberra