The highly complex IT environment that spawned from the merger of the federal Immigration and Customs agencies is to blame for the combined agency failing a cyber security compliance audit, Immigration has said.
The agency also argued the ATO and Human Services – the other two big agencies to be audited by the national audit office earlier this year – had a head start over Immigration in their cyber security transformation efforts.
The Australian National Audit Office (ANAO) audit found that Human Services was the only one of the three agencies to be “cyber resilient” and compliant with all four of the ASD’s top cyber mitigation strategies.
Immigration and the ATO had failed to properly implement application whitelisting and to patch operating systems and applications, and were not effectively managing their IT supplier contacts, the ANAO found.
All three are currently subject to a follow-up inquiry by parliament’s joint committee of public accounts, intended to keep the heat on the agencies to improve compliance.
In a submission to that inquiry, Immigration said it agreed with the findings of the report and would implement the recommendations, but laid out its case as to why it had failed to meet the cyber security obligations.
Its July 2015 merger with Customs left it with a highly complex IT environment as a result of the two agencies having made opposite decisions on basically every technology procurement choice.
Former Customs CIO Randall Brugeaud told last year’s Gartner Symposium/ITxpo conference that the combined environment prior to integration had more than 500 business and supporting systems, over 850 systems interfaces and services, around 750 databases, 20,000 desktops, 3500 mobile devices, thousands of servers and multiple data centres.
The combined agency also had something from just about every major technology player on its books.
It has made much headway on slimming down its IT environment, but the agency pointed out in its submission to the inquiry that this complexity had an impact on its cyber security compliance.
For example, of its 279 business critical applications, 70 percent are bespoke, the agency said, and its application set is supported by infrastructure spanning 84 regional and 51 offshore locations.
Source: itnews