Operational resilience | Risk Management & Reporting

July 16, 2019

The result of three recent cyber resilience audits conducted by the Australian National Audit Office (ANAO) was released on 4 July.  The report showed some encouraging results, but also highlighted some concerns. The need for real-time visibility of cyber security posture is becoming increasingly evident.

In these modern times where everything is available ‘now’, why does cyber security still rely on external auditors to give an organisation objective visibility of their cyber security posture?  Like any good performance management programme, there should be no ‘ta-dah’ moment, only full disclosure and continuous development in the pursuit of excellence.

The Audit Process

ANAO reviewed three well-known Australian government enterprises. The purpose of the audit was to conclude whether these organisations manage cyber security risks appropriately (in line with their own risk arrangements), whether they manage cyber security risks in line with the Australian Signals Directorate’s (ASD) Information Security Manual (ISM), and whether they have a culture of cyber security resilience.

ANAO investigated how the organisations met the requirements of their own security risk management frameworks, including a detailed assessment of the controls implemented to mitigate named risks. Furthermore, ANAO looked at whether each organisation’s approach to security management aligned with ASD’s ISM, and whether each one has a cyber security culture of, “shared organisational attitudes, values and behaviours,” regarding cyber risks.

ANAO’s primary focus was on each entity’s corporate ICT platform, as well as any systems considered critical to their operation (this selection was done in consultation with the entities themselves).

Cyber security risk frameworks

Adopting a recognised cyber security risk management framework provides assurance that an organisation’s chosen set of security controls are comprehensive and robust. It enables an organisation to benchmark its cyber security posture against said framework. Secondly, with residual risk identified, CISOs and risk executives can prioritise actions to manage the risk.

There are a number of these frameworks in use around the world, many with significant similarities; ACSC Essential 8 (Australia), NCSC Top 10 (UK) and NIST (USA).

Australia’s ACSC Essential 8 Framework incorporates the eight most fundamental mitigation strategies. It is simple, measurable and the ‘Top 4’  of the ‘Essential 8’ controls alone have has been found to mitigate 85% of targeted attacks (Application Whitelisting, Patch Applications, Restrict Administrator Privileges and Patch Operating Systems).

ACSC Essential 8 Framework - security controls to prevent attacks, limit extent of attacks and recover data & system availability

ACSC Essential 8 Framework

The ANAO found that the two organisations that followed a recognised framework were more resilient than the one that did not. ANAO’s assessment of risk management framework compliance includes investigation of:

  • Enterprise-wide governance arrangements
  • Information security roles assigned and responsibilities communicated
  • ICT security incorporated intro strategy, planning and delivery of services
  • ICT operational staff understand the vulnerabilities and cyber threats to the system
  • Integrated and documented architecture for data, systems and security controls
  • Systematic approach to managing cyber risks, including assessments of the effectiveness of controls and security awareness training

Alignment with the ISM

The audit identified that the two cyber resilient organisations implemented controls in line with those proffered in the ASD’s ISM, including those of the ‘Top 4‘ and the ’Essential 8‘ while the third company did not fully implement these controls, rather they had implemented two: patching ICT applications and minimising privileged user access (both of which are highly effective).

Some of the controls are harder to implement than others.  For example, Application Whitelisting  is notoriously difficult to get right as it often has a negative impact on running systems and critical ICT service management processes such as software deployment. However, the Top 4 controls are mandatory for government entities so must be prioritised.

ANAO assesses controls and benchmarks performance against a set of measures:

  • Controls not in place and no dispensation authorised by the Accountable Authority
  • Controls not in place but dispensation is authorised by the Accountable Authority
  • Controls not in place but entity is actively implementing, with a minimum of design deliverables in evidence
  • Controls in place and meeting control objectives
  • Controls in place and maintenance is part of business processes, including monitoring and taking corrective action as required

It is interesting to note that whilst controls are in place and meeting control objectives, best practice dictates that there must be a maintenance programme as cyber resilience can change at any time.

Cyber resilient culture

The cyber resilience of an organisation’s culture is the third area that ANAO assesses in its audit process.  The thirteen behaviours and practices that are reviewed sit within the following areas:

  • Establish a business model and ICT governance that incorporates ICT security into strategy planning and delivery of services
  • Manage cyber risks systematically, including through assessments of the effectiveness of controls and security awareness training
  • Task enterprise-wide governance arrangements to have awareness of cyber vulnerabilities and threats
  • Adopt a risk-based approach to improvements to cyber security and to ensure higher vulnerabilities are addressed

Take control of Security Controls

What is clear from the ANAO audit process, it that an organisation’s actual cyber security posture may not be what a self-assessment deemed it to be.  An objective and current measure of cyber maturity is key to maintaining your organisation’s defences.

Security scorecard technology can help in the area of security control effectiveness.  Having a capability that can monitor, measure and report on cyber health means your business can be fully aware of its residual risk to then prioritise and manage.  You can explore our Essential 8 Scorecard here.  It has been designed to benchmark performance against the ACSC Essential 8 framework.

The importance of security monitoring 

There is one very important observation of the audits conducted by the ANAO; the use of security monitoring to detect cyber threats. This is particularly relevant to organisations that cannot implement a security control such as blocking or whitelisting.  With proper configuration by your security team it can be a great substitute for a more obvious control. If you cannot directly block something, then knowing when it’s being targeted by an attacker so that you can block that connection or lock that specific access down can be equally as effective.

A Security Information and Event Management (SIEM) system will provide that failsafe where threats can be detected anywhere within the organisation, not just where the active security controls are in place. What’s considered baseline normal behaviour can be assessed and a picture developed of what normal looks like, that way the SOC team can act when they see something suspicious.

Essential 8 Scorecard Overview

Download the Guide

BLOG POSTS

Related Cybersecurity Content

Joint Advisories keep coming: Heads in the clouds

April 10, 2024

As predicted in early 2024 another joint advisory was recently released from the Five-eyes intelligence and cyber security community. This time the advice relates to governments and corporations moving to cloud infrastructure...

Read more

Operational Resilience – Your obligations and FCA PS21/3

March 18, 2024

Operational resilience requirements are being rolled out across the UK and beyond. UK finance firms are required to improve their operational resilience in accordance with Financial Conduct Authority (FCA) Policy Statement PS21/3 (the Policy).

Read more

Getting value from your cyber investments

February 5, 2024

A recent KPMG Report suggests that protecting against and dealing with cyber risks will be the major challenge for senior executives in 2024. It is clear that despite high levels of security investment, organisations continue to suffer from cyber attacks.

Read more

Agency resilience, compliance & reputation: a cyber governance perspective

January 31, 2024

The Australian Signals Directorate’s (ASD) recent publication of their Cyber Threat Report 2022-2023 unearthed a range of areas for concern for government departments and critical infrastructure entities at local, State and Federal level.

Read more

How to improve access to cyber insurance & re-insurance

October 13, 2023

As cyber risks increase, organisations are encountering the longer life cycle of insurance renewals and the need to demonstrate better management of security controls and their effectiveness.

Read more

A tale of two conferences

October 6, 2023

Highlights and insights from the recent Managed Services Summit in London & the ISACA Central Chapter Conference on Digital Trust, in Birmingham, UK. With two recent conferences in the space of three days, some interesting challenges were very evident in the topics discussed. Being very different events, the challenges were quite different, but interestingly they […]

Read more

2022’s least wanted: Rockstar vulnerabilities that should be has-beens

September 28, 2023

In early August 2023, the latest joint advisory on persistent vulnerabilities was issued by the intelligence and security agencies[1] of the “Five-eyes” community. These joint advisories are becoming more common. Perhaps recognising the growing importance of shared security information and the common nature of many of the threats faced – the weight they carry makes […]

Read more

Active management for operational and cyber resilience

September 27, 2023

The quality of your risk assessment and the security information it provides is important; if you plan to use it to actively manage your operational and cyber resilience activities. Organisations are constantly exposed to a rapidly changing threat environment, so you really need a similarly rapid evidence-based feedback system that informs you of the ongoing […]

Read more

Applying an Australian regulator’s cyber audit findings, in a UK context

September 26, 2023

The UK market has its own regulators, security standards and challenges. And while rulings from SEC in the US or the Australian Prudential Regulation Authority (APRA) in Australia don’t apply to UK companies, for the most part, the observations are undoubtedly relevant and the resulting advice instructive. It would be wrong to think UK financial […]

Read more

Cyber Gap Measurement & Evidence – The New Standard of Quantifiable Internal Assessment

September 18, 2023

<<< Part 2a: Australia’s Essential Eight: Beyond Endpoint Control <<< Part 2b: Activating UK NCSC & US NIST Guidelines: Beyond Endpoint Control Part 4: Systematic Measurement of Cyber Controls >>> As much as we invest into cyber security controls, external threats are inevitable. In a recent Notifiable Data Breaches Report from the Office of the […]

Read more

SIGN UP TO RECEIVE CYBER SECURITY INSIGHTS

Read by directors, executives, and security professionals globally, operating in the most complex of security environments.

Marketing(Required)
Agree(Required)