"Australian Signals Directorate's lauded but non-compulsory top four security controls"
But still 4 too many for them to implement.
Government agencies in the Australian state of Victoria will have two years to move from near ground zero to stand up fully-fledged and updated information security, risk, and governance policies. The requirements are a big ask for agencies in the southern state, previously described as in information security turmoil after …
I was infosec manager for one agency 4 years ago. Put everything in place, policies, procedures, lined up the technology.
Went through and passed an audit (which of course only looked at the paperwork, not what was really in place) - and the whole lot was tossed the minute the last be-suited drone from whichever Big 4 Consulting firm that had been engaged, walked out the door. By decree of the CIO.
Said CIO is still serially CIO-ing (from LinkedIn, he averages about 15 months per job). But he keeps on getting hired, the incompetent twat that he is.
I lasted a year before I quit in disgust.
With that approach, nothing will ever change. Absolutely nothing. Only a breach so bad they'd sacrifice the tossers on the altar of public opinion with serious jail time could possibly fix this. Will happen the day I win the Tatts or when hell freezes over, whichever comes first.