A report by the Victorian Auditor-General’s Office (VAGO) reveals that the state’s government agencies don’t properly understand and oversee cybersecurity services delivered by third-party providers.
In Victoria, government agencies can use a third-party service provider to manage their cybersecurity. However, agencies remain accountable for cybersecurity risks and must understand the responsibilities they have under any shared service arrangement.
State-owned ICT services provider Cenitex, which manages the suite of Microsoft 365 products used by Victoria’s government agencies, is responsible for determining and configuring cybersecurity controls for the tenancy.
Agencies are users, not owners, of these products and therefore are only responsible for their data in the Microsoft 365 tenancy.
VAGO’s ‘Cybersecurity: Cloud Computing Products’ report examined the effectiveness of Microsoft 365 cloud-based identity and device management controls across local and state government agencies.
The report concluded that Victoria’s agencies are not clear about their security roles and responsibilities under their shared service agreement with Cenitex.
“Not all audited agencies properly understand and oversee cybersecurity services delivered by third-party providers,” the report said.
“For example, some agencies who are part of the shared [Microsoft 365] tenancy think they are the owners of the tenancy and should be able to determine and configure cybersecurity controls.”
“If Cenitex and its clients are unclear on who is responsible for determining, implementing and overseeing controls, agencies may not be able to adequately manage their cybersecurity risks.”
Among other key findings, the report concluded that agencies do not have fully effective Microsoft 365 cloud-based identity and device controls.
It also found that the Victorian public sector does not use its size and economy of scale to address cybersecurity risks in a coordinated way.