Parliament House Falls Short on Essential Eight

Parliament House

The department that operates the Australian Parliament House's computing network has implemented seven of the mandatory Essential Eight cyber security strategies below the required standard, the Australian National Audit Office has found.

The audit assessed whether the Department of Parliamentary Services (DPS) has an effective baseline of cyber security controls. The ANAO concluded the baseline was only partly effective.

DPS provides IT services to 4,817 users and manages 10,951 end-user devices across the Parliamentary Computing Network. Its users include parliamentarians, their staff and other parliamentary departments, each with differing business and security needs. The department was the subject of a high-profile cyber security incident in 2019.

Under the Protective Security Policy Framework (PSPF), non-corporate Commonwealth entities must implement the Essential Eight strategies to Maturity Level Two. The ANAO found DPS was relying on risk-management approaches to cover the gap between implemented and required controls. For the seven strategies using risk mitigations, those approaches fell short of the standard needed to address the risk.

"The Essential Eight cyber security strategies have not been fully implemented in accordance with the requirements of the Protective Security Policy Framework, primarily because the department is relying on compensating controls without adequate coverage of all systems and risk management of identified vulnerabilities," the report states.

The audit found governance weaknesses familiar to information management professionals. DPS had not completed identification and documentation of key systems and ICT assets. Inventories of key information, assets and risks were outdated. Key cyber security policies were incomplete or not endorsed by the department's Security Committee.

The department lacked a single source of truth for identified risks and issues, and available registers were not complete. Limited evidence supported previous PSPF self-assessments, although the most recent assessment in 2024-25 was backed by control testing. The Information Security Working Group, the body meant to coordinate cyber security and business alignment, had not met in the 12-month period examined.

The ANAO also found DPS accepted risks above its own tolerance when approving new technology systems. Systems in active use required re-assessment and approval. Significant ICT staff turnover over the previous 18 months complicated ongoing risk management.

The ANAO made two recommendations. DPS should review its governance arrangements and risk assessment processes, and develop and implement a prioritised, risk-based program of uplift activities to achieve PSPF compliance. DPS agreed to both.

The department said it commenced a comprehensive review of its cyber security governance in December 2025. Funding from the 2026-27 Budget will support a Parliamentary Information and Cyber Resilience project to address critical cyber, information security and operational resilience risks in the network.

The full report is available at www.anao.gov.au

 

Business Solution