The objective of this audit was to assess the effectiveness of the management of cyber security risks by three government business enterprises or corporate Commonwealth entities. The entities selected for audit are ASC Pty Ltd, the Australian Postal Corporation and the Reserve Bank of Australia.

The three entities are at different stages in embedding a cyber resilience culture. T

he Reserve Bank has a strong cyber resilience culture, having established all 13 assessed behaviours and practices in the areas of cyber security governance and risk management, roles and responsibilities, technical support and monitoring compliance.

ASC is developing a cyber resilience culture, having embedded seven of the assessed behaviours and practices and working to more fully establish the other six cyber security behaviours and practices within its business processes.

While having embedded eight of the 13 assessed behaviours and practices, Australia Post has not systematically managed cyber risks, including not assessing the effectiveness of controls applied outside its specified cyber security risk management framework. Nevertheless, Australia Post is working towards embedding a cyber resilience culture.

One of the top for strategies not in place for “blocking unauthorised applications from executing on its corporate desktop and server environments” was application whitelisting, which AusPost claimed “would not be suitable for operations within particular environments”.

The audit has recommended AusPost conduct risk assessment for critical assets not yet assessed and immediately address any extreme risk uncovered, to which it has agreed.