The Queensland Audit Office has published its findings and recommendations following its audit of cyber security readiness at three Queensland public sector bodies. The audit tested each entity’s cyber security through a variety of mechanisms, assessed the public availability of the entities’ sensitive information and tested the implementation of the Australian Cyber Security Centre’s ‘Top 4’ mitigation strategies. Although the audit is focussed on public sector entities, identical cyber security considerations apply to all organisations.
The audit demonstrated weaknesses in all three entities. This was despite one of the entities having a higher level of maturity in cyber risk management across its governance and technical strategies, and two of the entities having appropriate frameworks in place to manage cyber security risks.
The report sets out three key recommendations against which any entity can assess itself to understand its level of exposure to cyber security risks and provides an additional 14 recommendations based on the level and types of exposure identified.
The key recommendations are:
- develop an internal framework for managing cyber security risks including consistent security standards
- establish a process to identify and classify the sensitivity of all information assets across the organisation
- apply a methodology to assess cyber security risks for each information asset
A number of the additional 14 recommendations follow the Australian Cyber Security Centre’s Essential Eight mitigation strategies (https://www.cyber.gov.au/publications/essential-eight-explained) but also include:
- effective management of ICT assets used by employees, especially leavers
- security awareness training for personnel
- an effective password policy
- defined risk management practices for engaging third-party IT suppliers
- end user device logging and monitoring to detect malicious and anomalous behaviour
The report is available at https://www.qao.qld.gov.au/report/managing-cyber-security-risks.