Australian Taxation and Immigration depts fail infosec audits

They've had years to fix things up, but they can't even deliver on known best practice

Australia's Taxation Office, Department of Human Services and Department of Immigration and Border Protection are heavyweights of the public service, but only one has managed basic infosec protections on its systems.
That's the conclusion of the Australian National Audit Office (ANAO), which yesterday reminded the three agencies that it asked them to improve their security three years ago.
In 2014, the auditor criticised seven departments for failing the most basic infosec practices – the Australian Signals Directorate's “Top Four” list of risk mitigation strategies (application whitelisting; patching applications; patching operating systems; and limiting admin privileges).
In response to that rebuke, the agencies promised to be compliant by 2016 – but the follow-up report says only Human Services met the deadline.
The ANAO report says the three departments are almost across privileged accounts, but still need to improve their monitoring of how those accounts are used.
Immigration's contract arrangements don't comply with the “Top Four” list, and along with the ATO, it lets service providers assess compliance for themselves – without validation.
The ANAO isn't much impressed by agencies' ability to assess their compliance, as this extract from its assessment shows:
“The Australian Taxation Office’s and the Department of Immigration and Border Protection’s self-assessments both reported compliance against three of the Top Four mitigation strategies. The ANAO assessed that the Australian Taxation Office and the Department of Immigration and Border Protection complied with only two and one of the Top Four mandatory strategies respectively.”
The audit recommends better self-assessment and better governance.