The Victorian government will spend the next year creating “new, non-overlapping cyber security guidance” and mandated standards for the over 3000 entities in the state’s public sector.
The guidance is expected to contain several “mandates” around identity and access management, security controls and device standards.
The effort was agreed to after a report [pdf] criticised the lack of progress on whole-of-government cyber security coordination, which has been on the radar since at least 2021.
The same report, by the Victorian Auditor-General's Office (VAGO), also looked specifically at a sample of agencies’ use of M365, finding a lack of multi-factor authentication (MFA) use, privileged access management (PAM) and other protections in place.
New cyber security mandates
One of the core findings of the report is that the state’s public sector “does not use its size and economy of scale to address cyber security risks in a coordinated way.”
“The Victorian public sector has over 3000 entities that deliver services to the public,” it states.
“Without a coordinated approach, many agencies are duplicating their efforts and not using the public sector’s economy of scale to efficiently manage cybersecurity risks.”
While acknowledging that whole-of-government coordination was part of a plan released in 2021, the auditor is concerned about limited progress to date.
It was only able to point to a lone instance of whole-of-government advice being prepared, on Office 365 (now M365) last year.
Other attempts at whole-of-government coordination, such as getting entities to share their ‘Secure Score’ numbers (a security posture measure natively produced by M365), proved difficult because the overseeing agency, Digital Victoria, has no powers to force agencies to hand over their scores.
Only 27 percent did so voluntarily.
VAGO recommended the Department of Government Services (DGS), which formed this year and encompasses Service Victoria, “work with relevant agencies”, including the Office of the Victorian Information Commissioner, to create new whole-of-government guidance and “mandates”.
The mandates are a key feature, as they would potentially give DGS and Service Victoria more teeth from a monitoring and standards enforcement perspective.
The auditor wants mandates that cover "all classes of identities and devices used to access public sector resources."
DGS has agreed “to inform and support” the development of the new guidance and mandates.
It was unsure which body would ultimately issue the guidance, or what the specific timelines for release and implementation would be, though it put a target completion date of the end of June 2024.
M365 implementations
VAGO’s report also analyses a sample of eight agencies’ use of M365, which it said illustrates the piecemeal approach to cyber security in Victoria.
It found, among other things, that only four agencies it analysed “require MFA for all users” of M365.
However, it appears implementation falls well short of even the requirements, with “94 percent, or 617,000, user accounts at audited agencies not registered for MFA”.
At one of the eight agencies, VAGO said MFA hadn’t been set up for 48 percent of M365 users owing to usability concerns.
“The agency told us this… user group can experience significant difficulties with MFA,” the report states.
“When we asked what the impact would likely be if this group’s accounts got compromised, the agency could not tell us.
“The agency confirmed that it has not conducted a comprehensive risk assessment [as to whether the] perceived ‘difficulties’ outweigh the implications of the accounts being compromised.
“Agencies cannot skip a significant control only because it is difficult to implement.”
VAGO also found agencies consuming M365 via government shared services provider Cenitex were “not clear about their security roles and responsibilities”, and the extent to which they could customise controls to reflect their security risk.