CIO

ATO and Department of Immigration under fire for IT supplier contracts

Agencies found to be non-compliant with ASD Top Four recommendations

The Australian Taxation Office (ATO) and The Department of Immigration and Border Protection (DIBP) have come under scrutiny from the national auditor for failing to properly manage contracts with IT suppliers.

The two agencies also were found to be non-compliant with the mandatory cyber security controls for all Federal Government departments, according to a report from the Australian National Audit Office (ANAO) tabled in federal parliament on Wednesday 15 March.

In April 2013, the Australian Government Protective Security Policy Framework mandated that all Federal Government agencies comply with the Australian Signals Directorate's (ASD) 'Top Four' before 31 June 2014.

These four strategies are mandatory for government departments and include application whitelisting, patching applications, patching operating systems and minimising administrative privileges.

As part of a follow-up audit on the two agencies and the Department of Human Services (DHS), only the DHS was deemed to have implemented the ASD Top Four and achieved “cyber resilience”.

The ANAO subsequently tabled a report to Federal Parliament which showed that none of the seven government departments examined were compliant with the ASD “Top 4” cyber security strategies.

At a subsequent parliamentary hearing, the DHS, ATO and DIBP all made assurances that they would work to be compliant with the strategies.

Lack of internal assurance

The ANAO found weaknesses in DIBP's management of ICT contracts. In particular, some of Immigration’s ICT contract arrangements did not align with the Information Security Manual’s security patching requirements.

"Both the ATO and Immigration did not effectively use their internal assurance processes to validate the accuracy of service provider self-assessments against contractual obligations," the ANAO said in its report.

"This led to both entities having limited visibility of the true status of security patches across their ICT environments," it said.

This became such an issue that, in one instance, the ATO did not know that one of its service providers took significantly longer than the contractually specified time frame to complete patching.

In response, the ATO said it had overhauled its governance arrangements with third-party suppliers to strengthen its compliance with cyber security controls.

“In addition, the ‘essential eight’ cybersecurity controls will form part of the regular reporting requirements to the Security Committee and newly formed Risk Management Committee going forward,” it said.

The DIBP said a review of cyber security executive oversight and governance was planned for its 2017–18 strategic assurance program.

The DHS processes $172 billion in payments annually. The ATO collects over $440 billion in tax revenue per year. Meanwhile, the DIBP electronically processes around seven million visas each year. It also inspects and examines over two million air and sea cargo imports and exports.