In his annual report on Information System Management in state government agencies, the Auditor General for Western Australia has identified serious weaknesses in the way many agencies manage their IT systems.
The two-part Information Systems Audit Report, tabled in Parliament, found that government agencies were often failing to implement comprehensive controls over their IT systems and that this was creating serious risks to the confidentiality and integrity of data.
The first part of the report found that potentially sensitive information stored on government laptops, USB memory sticks and other portable storage devices (PSDs) was not well protected at seven agencies. The report also found that 750 government laptops had been reported lost or stolen from government agencies over the past three years.
Acting Auditor General, Glen Clarke, said the report gives a wake-up call to government agencies, particularly those that handle personal and sensitive information.
“Most agencies have an increasing number of laptops and PSDs and there is a pressing need for agencies to act on the security risk these devices pose,” Mr Clarke said.
Portable storage devices are increasingly used throughout government as they allow flexible working arrangements and easy access, storage and transfer of large amounts of data.
“While these devices have their benefits, their portability also places them at greater risk of being lost or stolen and the information stored on these devices needs to be protected.
“None of the seven agencies we examined had adequately considered or addressed these risks.
The seven agencies examined were the Curriculum Council, Department of Commerce, Department of Education, Department of Water, Royal Perth Hospital, Western Australia Police and WorkCover WA.
The report found that the Western Australia Police was the only agency that had addressed the risks associated with flash drives, ensuring that staff only use encrypted devices. None of the agencies knew exactly how many PSDs they owned or the potential security risks those devices posed.
The Department of Commerce and Royal Perth Hospital did not know how many laptops they owned, increasing the risk that laptops and the information stored on them could be lost or stolen without them knowing.
“All of the agencies examined are moving to address the risks associated with their laptops and PSDs and I strongly encourage every agency across government to act on the recommendations of this report to quickly address this growing security issue,” Mr Clarke said.
The second part of the report looked at application and general computer controls.
All the computer applications reviewed support the provision of critical public services and contain hundreds of thousands of sensitive records relating to the general public*. Four key business applications at four agencies were reviewed.
The Acting Auditor General found weaknesses in security and data processing controls that could potentially impact delivery of key services to the public.
The most common types of control weakness identified were security weaknesses (55 per cent) such as easy-to-guess passwords, unauthorised user accounts and failure to remove accounts belonging to former staff.
Data processing control issues, which can lead to wrong information being stored, made up 28 per cent of the weaknesses identified, and the remainder were operational issues, such as insufficient staff training.
“At two of the agencies we were able to guess the passwords and gain access to highly sensitive information and at three agencies we found that former staff were still able to access confidential information and databases,” Mr Clarke said.
“At one agency we found that confidential information such as client names and address details was unnecessarily attached to other data sent to contractors.
“This is unacceptable. The community needs to know that the information government agencies hold is treated with the respect and discretion it deserves.”
The general computer control audits determine whether the computer controls effectively support the confidentiality, integrity, and availability of information systems. Fifty-two agencies were reviewed and of those, 42 were benchmarked against five categories of accepted good practice for IS management.
Fifty-one per cent of agencies failed to meet the information security benchmark, and access controls in particular were weak, posing the risk of unauthorised access to bank account and credit card details and staff payments.
“Access controls are the most basic and inexpensive control to implement and there is no excuse not to have them in place,” Mr Clarke said.
Other issues included the absence of user activity logging, meaning that security breaches could go undetected. Anti-virus software was not in place or had not been updated at some agencies, and there was a lack of security policies and practices.
“While we saw some initial signs of improvement from last year, too many agencies continue to ignore the risks from not effectively managing their information systems.
“I urge agencies to take note of the findings and act on the recommendations of this report.”
Source: Office of the Auditor General for Western Australia
A summary of the report is available from the Office of the Auditor General; the full report can be found at http://www.audit.wa.gov.au/reports/pdfreports/report2010_02.pdf. A note to media indicates that the agencies and the specific applications reviewed in the second part of the Information Systems Report are not publicly reported, to reduce the risk of any reported weaknesses being exploited.