Digital Service Standard raises the bar for government agencies' IT security compliance

Australian government departments have until September to outline how they will comply with all 36 of the security controls outlined in the Protective Security Policy Framework (PSPF) and Information Security Manual (ISM) under the prescriptive first deliverable from the fledgling Digital Transformation Office (DTO).

The DTO's Digital Service Standard (DSS) outlines 16 different areas that government bodies must address in guiding their transformation towards digital delivery, ranging from the design of multi-disciplinary teams – led by an experienced service manager – to service integration, user and usability research, and ongoing use of analytics to identify benefits and potential further improvements.

The scope of the standard includes all new government services and existing high-volume services – and all will be transitioned with security as a core competency.

Point 6 of the standard deals with information security, instructing government bodies to “Assess what personal user data and information the service will be providing, using or storing and put in place appropriate measures to address security risks, legal responsibilities and privacy considerations.”

The requirement for mandatory and full PSPF compliance extends earlier guidelines for government bodies, which have already had their hands full focusing on the Australian Signals Directorate (ASD)'s Top 4 mitigation strategies – application whitelisting, systems patching, restricting administrative privileges, and creating a defence-in-depth system.

Expanding this to the 36 areas covered by the PSPF is likely to require a significant boost in resources and a re-examination of information-security strategy by most agencies – particularly given new research from Gartner that suggests the transition from legacy-first to digital-first government IT introduces a whole new range of risks. Some 91 percent of the 2800 CIOs surveyed by Gartner agreed that the shift to digital government creates new types and increased levels of risk for traditionally risk-averse government bodies.

Much of this risk comes from attempts to maintain long-entrenched legacy systems that present both operational and security risks. Yet while legacy modernisation was a key priority of surveyed CIOs – ranked fifth, it outpaced even security, which came in sixth – Gartner warns that “securing the funds to invest in legacy modernization may be a stretch, especially for those at the federal or national level.”

This is because around one-third of respondents were already seeing their IT budgets declining – particularly in the Asia-Pacific region, where budget declines were “particularly acute in all tiers”.

Gartner foresees a longer-term transformation to digital government, with government IT organisations “slowly” reducing their infrastructure provision as they shift services to cloud providers and data centre operators.

“They will serve as a broker of those foundational services and orient IT capabilities from 'legacy first' to 'digital first' by inserting a 'why not cloud?' step into all planning,” the analysis predicts.

“By shifting the management and provisioning of infrastructure to centralised government shared-service entities or to viable commercial vendors, government CIOs can lead by example and update IT management techniques to adopt the design-for-change mindset that is essential in the digital age,” said Gartner research director Rick Howard in a statement.

“When interrelated processes and services are coordinated and delivered by multiple government and nongovernment organisations – enabled by context-sensitive data exchange – government performance and social outcomes will be truly transformed.”

With the DTO now laying down expectations for Australia's government IT transformation, the bar has been set and the hard work on security and other transformational areas will now begin in earnest. By September this year, agencies will be expected to have formalised digital transition plans that will outline how and when they will adopt the DSS – including benchmarks and a framework for dashboard reporting against each of the outlined requirements.

This article is brought to you by Enex TestLab, content directors for CSO Australia.

Stories by David Braue