SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers

Three steps to secure compliance with Australia’s new technology asset stocktake requirements

Wed, 28th Aug 2024

The recently introduced PSPF Direction 002-2024 requires Australian Government entities to identify and actively manage their technology assets.

Compliance is imperative. By June 2025, all government entities and their suppliers must complete a technology asset stocktake on all internet-facing systems or services to identify all technology assets managed by, or on behalf of, the entity. This directive is a crucial step towards strengthening cybersecurity posture and ensuring efficient IT asset management.

Growing Unmanaged Assets Create A Security Gap

The PSPF mandate's definition of technology assets extends to "any hardware, software or information system, platform, mobile application or as-a-service offering, which stores, processes, transmits or transforms official or security classified information belonging to, or utilised by, the Australian government."

Most agencies are fortunate to have strong technologies in place for protecting "managed" physical and virtual assets – traditional endpoints like servers and laptops that are controlled by agencies and set up and configured by their IT or security teams.

However, the world has seen an explosion of "unmanaged" physical and virtual assets – employee-owned smartphones and tablets, security cameras, building management systems, and much more that sit outside IT or security's usual purview.

These technologies have delivered new efficiencies in the way we work, but the flip side is that they have introduced new vulnerabilities and complexities that legacy security technologies are not designed to identify, profile or defend.

Unmanaged assets have turned the once-well-defined security perimeter into a dynamic, borderless frontier and have created security gaps that cyber criminals can exploit. Intrusions outside traditional managed assets are sharply growing, and the convergence of technologies brings with it vulnerabilities and an attack surface that leaves teams in a reactive state.
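The gap described above, between the assets an entity has on its register and the assets that are actually reachable, is exactly what the stocktake has to close. The following is an added example, not code from the article or from the PSPF direction itself: it reconciles a constructed asset register against constructed discovery output (DNS records, an external exposure scan and a cloud inventory are assumed sources) and sorts every hostname into one of four lists a stocktake owner would act on. Field names, hostnames and addresses are all made up for the example.

```python
"""Reconcile a managed-asset register with discovered internet-facing assets.

Added example for this article; the data, field names and categories below are
constructed assumptions, not anything defined by PSPF Direction 002-2024.
"""

# Constructed register: what IT/security believes it controls. 'managed_by'
# records whether the entity or a supplier operates the asset on its behalf.
MANAGED_REGISTER = [
    {"host": "portal.example.gov.au", "ip": "203.0.113.10", "owner": "web-team", "managed_by": "entity"},
    {"host": "mail.example.gov.au", "ip": "203.0.113.25", "owner": "messaging", "managed_by": "supplier-a"},
    {"host": "legacy-vpn.example.gov.au", "ip": "203.0.113.40", "owner": "network", "managed_by": "entity"},
    {"host": "intranet.example.gov.au", "ip": "203.0.113.50", "owner": "web-team", "managed_by": "entity"},
]

# Constructed discovery output, as a stocktake would gather it from several
# sources. The same host may legitimately appear more than once.
DISCOVERED = [
    {"host": "Portal.Example.GOV.AU.", "ip": "203.0.113.10", "source": "external-scan"},
    {"host": "mail.example.gov.au", "ip": "203.0.113.25", "source": "dns"},
    {"host": "mail.example.gov.au", "ip": "203.0.113.25", "source": "external-scan"},
    {"host": "cctv-gateway.example.gov.au", "ip": "203.0.113.77", "source": "external-scan"},
    {"host": "bms.example.gov.au", "ip": "198.51.100.5", "source": "cloud-inventory"},
    {"host": "intranet.example.gov.au", "ip": "203.0.113.51", "source": "dns"},
]


def _norm_host(host: str) -> str:
    """Canonicalise a hostname so 'Portal.Example.GOV.AU.' matches the register."""
    return host.strip().lower().rstrip(".")


def reconcile(register, discovered):
    """Compare the register against discovery output.

    Returns a dict of four sorted, de-duplicated hostname lists:
      managed      - discovered and registered, IP agrees
      ip_mismatch  - discovered and registered, but at a different IP
      unmanaged    - discovered but absent from the register (the stocktake gap)
      stale        - registered but not seen by any discovery source
    """
    reg_by_host = {_norm_host(a["host"]): a for a in register}
    seen = set()
    result = {"managed": [], "ip_mismatch": [], "unmanaged": [], "stale": []}
    for d in discovered:
        host = _norm_host(d["host"])
        seen.add(host)
        entry = reg_by_host.get(host)
        if entry is None:
            result["unmanaged"].append(host)
        elif entry["ip"] != d["ip"]:
            result["ip_mismatch"].append(host)
        else:
            result["managed"].append(host)
    result["stale"] = [h for h in reg_by_host if h not in seen]
    return {k: sorted(set(v)) for k, v in result.items()}


def stocktake_report(result, register):
    """Render one action line per asset that needs follow-up (managed ones are omitted)."""
    reg_by_host = {_norm_host(a["host"]): a for a in register}
    lines = []
    for host in result["unmanaged"]:
        lines.append(f"UNMANAGED    {host}: no owner on record; assign an owner and bring under management")
    for host in result["ip_mismatch"]:
        lines.append(f"IP MISMATCH  {host}: register says {reg_by_host[host]['ip']}; confirm and update the record")
    for host in result["stale"]:
        lines.append(f"STALE        {host}: registered to {reg_by_host[host]['owner']} but not discovered; decommissioned or hidden?")
    return "\n".join(lines)


if __name__ == "__main__":
    outcome = reconcile(MANAGED_REGISTER, DISCOVERED)
    print(stocktake_report(outcome, MANAGED_REGISTER))
```

The "stale" list matters as much as the "unmanaged" one: an asset that is registered but no longer discoverable may have been decommissioned without updating the register, or may be reachable by a path the discovery sources do not cover, and either answer changes what the entity reports.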

Three Steps to Comply With PSPF and Build Cyber Resilience

Organisations can take the following three steps to ensure they build compliant cyber resilience and meet the new demands:

1. Get the technology in place
Navigating the complexities of compliance starts with investment in the right tech. Organisations must prioritise IRAP-assessed solutions that offer visibility of the entire attack surface, allowing for early detection, rapid response and the mitigation of potential high-risk vulnerabilities. By investing in a proactive stance, organisations not only future-proof their compliance as regulations change but also fortify their defences against evolving cyber threats.

2. Get the processes in place
The hardening of the Government's technology management practices will compel organisations to undergo a comprehensive risk management transformation. This includes implementing cybersecurity risk measures that specifically address supply chain security, including risk assessments for suppliers and service providers. Engaging with regulatory bodies such as the Australian Signals Directorate (ASD) is crucial. Establishing communication channels ensures organisations stay informed about whether they must comply, while offering opportunities to share threat intelligence and actively contribute to the overall cybersecurity ecosystem.

3. Get the people on board
From the employee level to the boardroom, adopting a cybersecurity-conscious culture is paramount, particularly when over half (55%) of organisations in Australia report that they lack complete control and management of personally provided devices connected to the company network. Educating the workforce through regular training and awareness programmes therefore ensures that employees become the first line of defence against potential threats.

The countdown to compliance is on. Government organisations must recognise that this ticking clock is not merely about meeting regulatory deadlines; it is a commitment to securing the future. Adequate cybersecurity now demands constant vigilance. With the right technology, processes and training in place, organisations can stay safe and in line with regulations, no matter the industry.
