Thursday, 13 February 2020
Statement by the Speaker
Parliament House: Security
I just need to make a statement to the House for the information of all honourable members. I draw the attention of members to an article published by an ABC 7.30 report journalist based on a confidential working draft of an internal review conducted by KPMG into the Protective Security Policy Framework, the PSPF, alignment on behalf of the Department of Parliamentary Services.
I wish to assure members that this article does not reflect the true state of the department's protective security maturity. The department continues to work closely with the Australian Signals Directorate in managing the parliament's cyber-resilience. As members have previously been advised, the Department of Parliamentary Services worked in partnership with the Australian Cyber Security Centre of the ASD in dealing with a cybersecurity incident in January 2019.
I note that the ASD commented in its 2018-19 annual report that:
The Department of Parliamentary Services had implemented security practices that helped to identify and restrict the extent of the compromise, minimising the potential impact.
In October 2018 the Attorney-General's Department launched the PSPF reforms aimed at improving clarity, reducing unnecessary red tape and fostering a strengthened security culture across Commonwealth agencies.
The Department of Parliamentary Services then commenced a program to demonstrate acceptable maturity against the new criteria, including engagement of KPMG to provide advice, 'To assist DPS to further mature protective security practices.' The Department of Parliamentary Services has, in fact, achieved a maturity rating of 'managing' against 85 of the 88 PSPF relevant criteria, and a further three criteria were rated as 'developing'. The department did not rate 'ad hoc' against any of the 88 criteria. Without commenting directly on this confidential draft document, it reflects early fieldwork by KPMG and was not scrutinised or verified by the department and does not incorporate a body of work undertaken to demonstrate the department's PSPF maturity rating of 'managing' for the relevant criteria. Comments in the article that 'methods to prevent cyberintrusions are at a low level of maturity' are incorrect. The final report of the alignment review in July 2019 did not make adverse findings in relation to the Department of Parliamentary Services achieving an acceptable maturity rating. I thank the House.