Cybersecurity: infrastructure

Financial Year: 2024-2025

Overview

Why this is important

Victorian Government agencies are increasingly migrating into the digital world. As they do so, they become more exposed to the threat of cybercrime. In 2022, cybersecurity was classified as the 7th most significant state risk in Victoria. 

In 2021, the Victorian Government released 2 key strategies: Victoria’s Cyber Strategy 2021 and A future-ready Victoria – Victorian Government Digital Strategy 2021–2026. These strategies highlight the need to adopt new digital technologies and ensure that Victorian Government services are secure. The release of these strategies was accompanied by $50.8 million to bolster the state’s cybersecurity resilience, support local cyber businesses and develop a more dynamic and competitive cyber sector.

Applying best-practice cybersecurity controls is paramount to mitigating the risks of cybersecurity incidents. Public sector bodies vary in the extent to which they have transferred their in-house software services to those offered in the cloud.

Our 2023 report Cybersecurity: Cloud Computing Products highlighted the prevalence of cybersecurity incidents, noting that 90 per cent of Victorian Government agencies experienced a cybersecurity incident in 2022. We also found widespread issues with multi-factor authentication, with 94 per cent of user accounts at audited agencies not registered for this function. 

Understanding the extent to which foundational controls for infrastructure compliance are in place and working effectively is important because it shows whether those controls are working as intended and successfully mitigating the risk of cybersecurity incidents.

What we plan to examine

We plan to examine the effectiveness of agencies’ asset management in relation to the cloud environment and the effectiveness of controls associated with cloud-based infrastructure.


 

Who we plan to examine

All departments and Cenitex.


 

Further information

This is the second in a series of engagements examining cybersecurity in the Victorian Public Service.


 
