Australian government departments have until September to outline how they will comply with all 36 of the security controls outlined in the Protective Security Policy Framework (PSPF) and Information Security Manual (ISM) under the prescriptive first deliverable from the fledgling Digital Transformation Office (DTO).
The DTO's Digital Service Standard (DSS) outlines 16 different areas that government bodies must address in guiding their transformation towards digital delivery, ranging from the design of multi-disciplinary teams – led by an experienced service manager – to service integration, user and usability research, and ongoing use of analytics to identify benefits and potential further improvements.
The scope of the standard includes all new government services and existing high volume services – and all will be transitioned with security as a core competency.
Point 6 of the standard deals with information security, instructing government bodies to “Assess what personal user data and information the service will be providing, using or storing and put in place appropriate measures to address security risks, legal responsibilities and privacy considerations.”
The requirement for mandatory and full PSPF compliance extends earlier guidelines for government bodies, which have already had their hands full focusing on the Australian Signals Directorate (ASD)'s Top 4 mitigation strategies – application whitelisting, systems patching, restricting administrative privileges, and creating a defence-in-depth system.
Expanding this to the 36 areas covered by PSPF is likely to require a significant boost in resources and a revisitation of information-security strategy by most agencies – particularly given new research from Gartner that suggests the transition from legacy-first to digital-first government IT introduces a whole new range of risks. Some 91 percent of the 2800 CIOs surveyed by Gartner agreed that the shift to digital government creates new types and increased levels of risk for traditionally risk-averse government bodies.
Much of this risk comes from attempts to maintain long-entrenched legacy systems that present both operational and security risks. Yet while legacy modernisation was a key priority of surveyed CIOs – ranked fifth, it outpaced even security, which came in sixth – Gartner warns that “securing the funds to invest in legacy modernization may be a stretch, especially for those at the federal or national level.”
This, because around one-third of respondents were already seeing their IT budgets declining – particularly in the Asia-Pacific region, where budget declines were “particularly acute in all tiers”.
Gartner foresees a longer-term transformation to digital government, with government IT organisations “slowly” reducing their infrastructure provision as they shift services to cloud providers and data centre operators.
“They will serve as a broker of those foundational service and orient IT capabilities from 'legacy first' to 'digital first' by inserting a 'why not cloud?' step into all planning,” the analysis predicts.
“By shifting the management and provisioning of infrastructure to centralised government shared-service entities or to viable commercial vendors, government CIOs can lead by example and update IT management techniques to adopt the design-for-change mindset that is essential in the digital age,” said Gartner research director Rick Howard in a statement.
“When interrelated processes and services are coordinated and delivered by multiple government and nongovernment organisations – enabled by context-sensitive data exchange – government performance and social outcomes will be truly transformed.”
With the DTO now laying down expectations for Australia's government IT transformation, the bar has been set and the hard work on security and other transformational areas will now begin in earnest. By September this year, agencies will be expected to have formalised digital transition plans that will outline how and when they will adopt the DSS – including benchmarks and a framework for dashboard reporting against each of the outlined requirements.
This article is brought to you by Enex TestLab, content directors for CSO Australia.
- Spooked by big-name hacks, executives ignoring surge in internal security breaches
- Targets unprepared as malware-tools competition continues driving attack surge
- Want to hack Wall St? Hit their suppliers
- The week in security: Government departments given infosec guidance as cloud threatens security workers
- Strategic Support Key to Success of Government Cybersecurity Programs