Wednesday, 16 August 2023


Statements on tabled papers and petitions

Victorian Auditor-General’s Office

Cybersecurity: Cloud Computing Products

David DAVIS (Southern Metropolitan) (17:25): I am pleased to rise and make a contribution to this report section of the day’s proceedings and note today that the Victorian Auditor-General’s Office tabled a report Cybersecurity: Cloud Computing Products, August 2023, an independent assurance report to Parliament. I do want to compliment the Auditor-General’s office. This is, in a sense, a non-partisan contribution because I think they have done excellent work. This is a complex area. I do not claim to be an expert on these IT matters. As anyone who knows me will know, I have never claimed that. But I again want to put on record my thanks to the Auditor-General and his office for the work that they have done here.

This, it seems to me, is leading-edge stuff. The Auditor’s office is ahead of auditors’ offices around the country on these matters, and they have done a significant audit. I am going to quote from page 4:

This section summarises our key findings. Sections 2 and 3 detail our complete findings …

Why cybersecurity is important

They talk about data breaches. We have seen a lot of those recently, with disruption of communication networks, shutting down water, health and other critical facilities. We have seen serious data breaches in health services and others. There is every reason for us to think carefully about these matters.

They put their findings into three key areas:

1 Overall, audited agencies do not have fully effective Microsoft 365 cloud-based identity and device controls.

2 Not all audited agencies properly understand and oversee cybersecurity services delivered by third-party providers.

3 The public sector does not use its size and economy of scale to address cybersecurity risks in a coordinated way.

So these are findings that are significant and they are a wake-up call. I asked the President about the Parliament. The Parliament should, if these recommendations are adopted, be in a position to look at the frameworks that are put in place. But there are a series of recommendations that are made to government, seven of them – some to the Department of Government Services, others to the Office of the Victorian Information Commissioner. Most have been accepted and most are thoughtful:

Work together, in consultation with other relevant agencies, to issue non-overlapping guidance …

The guidance should mandate:

• conditional access policy and device compliance policy configurations

• additional technical control configurations consistent with the maturity model in this report

• an issuer of device security configuration baselines.

This mandate should apply to all classes of identities and devices used to access public sector resources …

It goes on:

Extends the cyber hubs and the security operation centres to:

• maximise the number of Victorian public sector agencies protected

• include protection services against cyber attacks …

It goes on, and I urge the minister and the Department of Government Services to pay heed to these sensible recommendations.

The list of agencies audited is significant. The variety of agencies is significant. The advice is thoughtful and balanced. It is leading-edge advice. There is a challenge, I think, in the interrelationship between the Department of Government Services and the Office of the Victorian Information Commissioner, and I draw attention to the response of OVIC. I pay tribute, I might say, to Sven Bluemmel, the information commissioner, noting he is going to bigger and further fields as the Electoral Commissioner. But he has done a very good job on freedom of information and as the government’s information commissioner and his again balanced contribution is seen in the correspondence to the Auditor-General at appendix A-21:

… OVIC is concerned that a shift to “compliance” thinking will undercut the extensive work that has been done to spur better risk assessments … We appreciate your comment that adoption or rejection of M365 controls needs to be assessed in the context of properly documented risk assessments.

OVIC aims to conduct another review of the Victorian Protective Data Security Standards … and their elements should Government provide funding in the future. In the interim, consistent with current legislation and appropriate consultation, OVIC will continue to evolve the Framework and Standards …

They have got to do that, enmeshing with the Department of Government Services. I pay tribute to this audit team for the work they are doing, which is thoughtful, balanced, looking to the future and taking in the information. Their response to that is that it does not diminish the risk assessment but actually complements it – having a proper framework in place.