The Department of Immigration and Border Protection (DIBP) has “no date” for when it will be compliant with the government’s mandatory ‘Top Four’ cyber security mitigation strategies.

CIO Randall Brugeaud told a joint committee hearing this morning that progress had been made since a damning Australian National Audit Office (ANAO) follow-up report in March, but could not say when the work would be complete.

The ANAO’sCybersecurity Follow-up Auditinvestigated the cyber reliance of the DIBP, the Australian Taxation Office (ATO), and the Department of Human Services and their adherence to the Australian Signals Directorate’s Top Four strategies.

The Top Four covers: Application whitelisting, application patching, OS patching, and the restriction of administration privileges based on user duties. The ANAO assessed that DIBP complied with only one of the four strategies.

Speaking to the Joint Committee of Public Accounts and Audit Cybersecurity Compliance hearing today, Brugeaud said that application whitelisting had already been implemented on all desktop environments.

“Server whitelisting – we have just under 7000 servers in our combined and integrated environment – will be applied by July 2018,” he explained.

“And for operating system patching we are in the process of having a discussion around the executive table and it has been, to the point about culture, a much more regular discussion we’ve been having with our executive. So insofar as the operating system patching we have a proposal for the 2017/18 financial year to get to a point where we’ll move to a monthly patching cycle.”

Brugeaud told the hearing that application patching was a “quite a challenge” and full compliance could take some time.

“[It] will be over the next two to three years to get to a point where were be able to be fully compliant in application patching,” he said.

On administration privileges – the only strategy in the Top Four the ANAO had found DIBP to be compliant with – Brugeaud said that a review was underway to reduce the amount of access, helped by the department’s new Windows 10 environment which will be in place by October this year.

Some blame was put on the changing 'machinery of government' for the time it was taking DIBP’s to achieve compliance. Australia's Department of Immigration merged with the Australian Customs andBorder ProtectionService (ACBPS), to create the DIBP in 2015. The ANAO’s original cyber security report in 2014 audited theACBPS.

“As a consequence of what is a significant machinery of government change we have still maintained a positive trajectory, maintained critical business services, but it has adjusted the time it will take,” Brugeaud said.

The ATO was also criticised in the ANAO’s follow-up audit, after it was found to be compliant with only two of the Top Four (despite self-assessing compliance with three).

Speaking at the joint committee hearing, ATO’s service operations deputy commissioner Wendy Bryant said she expected her organisation to be compliant by November.

“At the moment we’re saying November, that’s only because of a small number of servers that are proving to be problematic,” she said. “We would like to be compliant sooner than that. For most things we’ll be compliant with by June 30. But we are running into a busy period already with tax time. So that presents problems with making changes to some of the systems. So November worse case, hopefully a lot sooner.”

The Belated Eight

The Top Four security mitigation measures have been mandatory for federal agencies since an April 2013 update to the government’s Protective Security Policy Framework.

The updated PSPF set a target date of mid-2014 for compliance. Despite their mandatory status, theimplementation of the Top Four has been mixed.

In February, the ASD expanded the Top Four to an ‘Essential Eight’

Both the DIBP and ATO expressed that meeting the Essential Eight would take considerable work given the complexity of the department systems.

“We’re only starting planning for that. They’re not easy and will require a lot of work. So we haven’t finished the assessment of that yet,” Bryant said.