
April 16, 2020

How is the Australian Government doing in its efforts to defend itself from cyber threats? Are key strategies and advisories being implemented and operating effectively? The newly released ‘Commonwealth Cyber Security Posture in 2019 Report to Parliament’ (CCSP2019) gives visibility of the work of the Australian Cyber Security Centre (ACSC) and the Attorney-General’s Department (AGD), and of how ready Commonwealth entities are to respond to the country’s cyber threat environment.

Commonwealth Cyber Security Posture in 2019 report

The report reiterates how both ACSC and AGD are committed to improving the cyber resilience of Commonwealth entities:

ACSC advice to Commonwealth Entities

The ACSC advice centres on their ‘Strategies to Mitigate Cyber Security Incidents’, in particular the ‘Essential Eight’.  The ACSC recommends that entities aim to achieve Maturity Level 3 for each of the eight strategies.

AGD requirement of Commonwealth Entities

The Protective Security Policy Framework (PSPF), administered by the AGD, mandates that all non-corporate Commonwealth entities implement the first four mitigation strategies of the Essential Eight, known as the Top Four – and strongly recommends the adoption of the entire Essential Eight.

The latest CCSP2019 reveals that, while maturity in implementing the Essential Eight strategies is improving, progress is slow and patchy, and the measures of that progress are not clear. The key question is: how can these objectives of improved cyber security posture be operationalised and scaled across the Australian Government landscape?

How to Measure Cyber Security Posture

Having advice, recommendations and mandates in place is only the starting point for Commonwealth entities in their pursuit of cyber maturity. Having the skills, resources and time to operationalise the critical security controls is where the biggest challenges lie.

The hands-on approach

The ACSC’s ‘sprint’ program, created in 2019, was designed to address these issues by providing hands-on support to Commonwealth entities implementing the ACSC’s recommendations. The report notes that 25 Commonwealth entities were supported to assess, baseline and strengthen their cyber security posture. Two observations follow from this approach: (i) it is hard to scale; and (ii) without the introduction of ongoing processes, any success can be short lived.

The challenges of measuring cyber security posture

Aside from having the resources and skills required to complete a cyber security audit, there is also a question around the timeliness, accuracy and objectivity of information gathered. Undoubtedly these are challenges for auditors of any industry.  However, with cyber security audits the environment is particularly difficult to measure due to its dynamic nature; what is robust one day may be compromised and vulnerable the next.

How cyber security audit technology can help

Audit tools are used worldwide.  In the world of accounting for example, software packages are widely available to calculate key financial performance metrics for organisations, auditors and consultancies to then analyse and manage performance improvement. In cyber security, audit tools can help with the frequency, accuracy and communication of key performance metrics, not to mention the much sought after independent validation. Tactically, they can also assess the impact of any remediation activity.

Essential Eight cyber security audit tool

Huntsman Security’s Essential 8 Auditor was designed specifically to measure the implementation and operational effectiveness of the ACSC Essential Eight security controls.  The product was developed to support our Australian government clients and their requirement to implement and measure against the Essential Eight Framework.

The Essential 8 Auditor delivers an immediate, systematic measure of an organisation’s implementation and security control effectiveness against the Essential Eight Framework.  The tool is ‘self-install’ and is suitable for use by IT teams, consultants and auditors.  Audit information can be calculated, exported and shared with colleagues and management.

Essential 8 Auditor – Application Control dashboard showing the Application Control Maturity Summary

Kicking goals for Australian cyber resilience

Commonwealth entities and supply chain partners

The Essential 8 Auditor can support Commonwealth entities on their own Essential Eight compliance journey. The tool produces performance metrics for self-assessing security status in regard to maintaining the confidentiality, integrity and availability of information, in the context of an entity’s own risk environment. It can also be used to assess the security status of supply chain partners.

ASD and AGD reporting on the Commonwealth’s cyber security posture

If Commonwealth entities were to self-assess their implementation of the Essential Eight using the Essential 8 Auditor, both the Australian Signals Directorate (ASD, of which the ACSC is part) and AGD could provide more accurate annual reporting to Parliament on the Commonwealth’s cyber security posture.

PSPF ‘Top Four’ compliance measurement

The Essential 8 Auditor can support the measurement of Commonwealth entities’ compliance with the PSPF mandate that all non-corporate Commonwealth entities implement the ‘Top Four’ of the Essential Eight mitigation strategies.

ACSC sprint program tool

The Essential 8 Auditor could augment the ACSC sprint program in its work to help Commonwealth entities introduce a repeatable process to assess, baseline and strengthen their cyber security posture. The tool would allow the program to reach more entities, with consistent and comprehensive measurement and documentation of results.

Find out more

To find out more, watch the short Essential 8 Auditor overview video.
