Government security arrangements are the subject of ongoing focus by audit offices across the nation. Security arrangements encompass information, information and communications technology (ICT), personnel and physical security dimensions.
A new Australian National Audit Office (ANAO) report has concluded overall that the security awareness and training arrangements at its most recently targeted agencies were generally adequate and operating as intended.
Nevertheless, it found that ‘there is considerable scope to enhance the effectiveness of the organisations’ security awareness and training programs’. In so doing, the ANAO has outlined a number of security shortcomings at four selected Federal Government agencies, and stated that such weaknesses are likely found at many Australian agencies.
The audit report, Security Awareness and Training, released 15 April, provides an assessment of the National Archives of Australia (Archives); CrimTrac Agency (CrimTrac); National Gallery of Australia (Gallery); and the Department of Health and Ageing (Health).
The report outlines a number of recommendations to address the weaknesses identified across the four agencies, which include a lack of:
- Organisation-wide security risk assessments; and
- Security awareness planning and monitoring.
According to the report, these two weaknesses are consistent with findings reported in previous ANAO protective security audits, stating that “improvements in these areas remain elusive for Australian Government organisations”.
The principal shortcomings identified during the audit include:
- Three agencies did not have an organisation-wide approach to identifying and assessing security risks;
- Only one agency had an approved security awareness and training plan setting out its approach to managing its security awareness program;
- Records on the delivery of, and attendance at, security awareness training were limited and, where available, generally indicated a need for additional training;
- None of the agencies regularly monitored the effectiveness of their security awareness and training programs;
- The Gallery was the only agency that had undertaken an organisation-wide review to identify security risks. As a result, the agencies could not clearly demonstrate that details of security risks were appropriately factored into the design of their security awareness and training programs;
- Apart from the Gallery, none of the audited agencies maintained sufficient records on security awareness training; and
- None of the audited agencies had regular and structured processes in place to assess the impact and success of their security awareness and training activities.
In the context of previous years’ state government audit report findings on ICT security, the shortcomings identified in this latest Federal report indicate a national security landscape with endemic weaknesses in the application of ICT and other security measures.