Scott Ryan (President) Share this | Link to this | Hansard source

As I have flagged to leaders, I wish to make a brief statement now and the Speaker will be making a similar statement in the House of Representatives. I wish to address an article published by an ABC journalist based on a confidential working draft of an internal review conducted by KPMG into the Protective Security Policy Framework alignment on behalf of the Department of Parliamentary Services. I wish to assure senators that this article does not reflect the true state of the department's protective security maturity. The department continues to work closely with the Australian Signals Directorate in managing Australia's cyber-resilience. As senators have previously been advised, DPS worked in partnership with the Australian Cyber Security Centre and ASD in dealing with a cybersecurity incident in January 2019. I note that the ASD commented in its 2018-9 annual report:

The Department of Parliamentary Services had implemented security practices that helped to identify and restrict the extent of the compromise, minimising the potential impact.

In October 2018, the Attorney-General's Department launched PSPF reforms aimed at improving clarity, reducing unnecessary red tape and fostering a strengthened security culture across government agencies. DPS then commenced a program to demonstrate acceptable maturity against the new criteria, including the engagement of KPMG to provide advice to assist DPS to further mature its protective security practices. The department has in fact achieved a maturity rating of 'managing' against 85 of the 88 relevant PSPF criteria and against a further three criteria was rated as 'developing'. The department did not rate 'ad hoc' against any of the 88 criteria.

Without commenting directly on this confidential draft document, it reflects early fieldwork by KPMG and was not scrutinised or verified by the department and does not incorporate a body of work undertaken to demonstrate the department's PSPF maturity rating of 'managing' for the relevant criteria. Comments in the article that methods to prevent cyber-intrusions are at a low level of maturity are incorrect. The final report of the alignment review in July 2019 did not make adverse findings in relation to the department achieving an acceptable maturity rating. These matters and related ones will be dealt with through the relevant Senate committee as appropriate. I thank senators.