ACT: Cyber security lost down the back of the bureaucracy


[Blog post] Buck passing takes its toll.

While comparatively tiny, the Australian Capital Territory has nevertheless managed to pull together an IT security policy.

The problem is, however, that no-one knows if its recommendations are mandatory or whether they are guidelines.

That might have something to do with responsibility for infosec being distributed among nearly half a dozen bodies and agencies. It’s probably little surprise that the jurisdiction home to bureaucrats manages to breed layers of bureaucracy.

Score: 2/9

In her 2012 report, auditor-general Maxine Cooper mapped cyber security functions as far and wide as the Treasury’s records office, the shared services team, the justice directorate and the parliament’s security in government committee.

She painted a picture of the latter as a toothless body with a tendency to make policies and then forget about them a year or two later.

At that time, confusion about the Protective Security Policy Guidelines seemed to have taken its toll.

Cooper’s report found that even though having a system security plan was a requirement of the policy, only 5 percent of information management systems had one. Only 2 percent had undergone a threat and risk assessment, and none of the security assessments had been revised since 2010.

When Cooper issued the report, the Protective Security Policy Guidelines were under review to decide if a subset of 33 actions should be made mandatory.

As a result, in 2014, the policy was amended to include a list of four compulsory - if still somewhat vague in their substance - rulings.

They boil down to every directorate having its own risk-based security framework that adheres to the PSPG, keeping shared services informed about their sensitive data holdings, and meeting all legal obligations.

The revised policy still leaves a lot of wriggle room for ACT government entities, but let’s hope the stricter line boosts cyber awareness inside the jurisdiction that supports - even if it doesn’t control - some of the most critical infrastructure housed in the nation’s capital.

Paris Cowan
Paris Cowan joined iTnews in July 2013 after a stint at Intermedium, a news and data analysis firm based exclusively on government IT procurement. At Intermedium, Paris reported on new IT projects underway in state and federal agencies, interviewed public sector CIOs and was subsequently promoted to Online Editor in June 2012. While public sector IT will remain her key focus at iTnews, she has been given a broader remit to cover technology programs across several industries.