1. The Department of the Premier and Cabinet should:
a. provide guidance to agencies on ways to better manage identities and access, including password management and multi-factor authentication.
DPC response: Agreed
Implementation timeframe: by 31 December 2018
2. All agencies should:
a. have adequate security policies in place that require a lifecycle management approach for different types of accounts and access levels
b. implement privileged identity and access management best practices
c. consider providing staff with a secure way of storing passwords and technical solutions to reduce the number of passwords users need
d. use multi-factor authentication for remote access
e. prevent/blacklist the use of common weak passwords
f. tailor password requirements for each type of account, based on the risk, environment (e.g. on-premise, cloud) and other mitigating controls in place
g. maintain visibility on the purpose, ownership and use of service, system and database accounts.
DPC agrees with the recommendations detailed in the Summary of Findings. The Office of Digital Government (formerly Office of the Chief Government Information Officer) was transferred to the Department of the Premier and Cabinet (DPC) as a discrete business unit on 1 July 2018, to provide a stronger mandate for the Government’s digital transformation agenda, and to ensure that ICT performance, data sharing and cyber security are strengthened. Since then, DPC has commenced recruitment for a new Government Chief Information Officer, as well as other cyber security positions, to support this mandate.
Since the audit, DPC has:
- provided advice to Directors General and Chief Executive Officers at the Public Sector Leadership Council, and through the CEO Gateway, on the impending release of the report, strongly encouraging agencies to take a number of practical actions to improve security, risk management and recovery capabilities. This advice included encouraging agencies to review their practices and policies to ensure they are compliant with the Australian Signals Directorate Checklist.
- offered support to assist agencies with their cyber security matters through the Office of Digital Government.
- engaged with the 17 agencies named in the report and requested a status of their progress with implementation of the recommendations.
- organised a Directors General Cyber Security Forum for 29 August 2018, aimed at improving cyber security practices across government. The forum will bring together speakers from the Office of the Auditor General, DPC and Edith Cowan University.