Australian govt security awareness criticized

A newly published report from the Australian National Audit Office into information security awareness and training for Australian government agencies is somewhat ambiguous in tone. The ANAO has previously recommended that agencies "develop and schedule periodic education and awareness programs for non-security personnel addressing agency security standards", "develop a structured and proactive security awareness education and training strategy" or "promote security aftercare arrangements in security education and training activities" - in other words, they have clearly been advised to sharpen up their act in this area. The latest report says:

"Overall, the audit concluded that the security awareness and training arrangements at the audited organisations were generally adequate and operating as intended. Nevertheless, there is considerable scope to enhance the effectiveness of the organisations’ security awareness and training programs. The main areas for improvement relate to more thoughtful planning, including tailoring the approaches used in light of the organisations’ security risk profiles, and better monitoring to help identify security awareness techniques that are not effective or working well. In addition, the audited organisations would benefit from improved record keeping to assist them manage the timely delivery of, and attendance at, security awareness training."

So although they are 'generally adequate', the security awareness and training arrangements evidently need better planning, monitoring and record-keeping. Only one of the four agencies audited had an actual awareness and training plan - the rest presumably make it up as they go along.

The report continues: "none of the organisations had any training or briefings targeted at the
roles and responsibilities of security cleared staff". I find this somewhat hard to believe. Security cleared staff presumably handle protectively marked information, systems etc., but despite the clearances, their obligations towards protecting those information assets are not spelled out to them? Seems odd. It's not as if the requirements are undefined - the government's Protective Security Manual surely lays out the most important aspects in black and white.

"None of the audited organisations had regular and structured processes in place to assess the impact and success (or otherwise) of their security awareness and training activities." So the agencies are investing an unknown but presumably significant amount in security awareness and training but not bothering to see whether all this public money is well spent?

This is hardly rocket science. Awareness and training strategies, plans and metrics are straightforward enough, aren't they?

Oh well, perhaps we can anticipate sales enquiries from our Australian colleagues. We'd love to help them with planning, delivering and measuring best practice awareness and training programs ...