The auditor-general has given the Australian Taxation Office (ATO) a clean bill of health around the use of its portable storage devices (PSDs), but has voiced concerns about how two other agencies handled them.
As part of the audit (PDF), the Australian National Audit Office (ANAO) examined the systems of the ATO, Insolvency and Trustee Service Australia (ITSA) and Australian Hearing, on the grounds that these agencies were "representative of Commonwealth agencies and ICT systems, and each uses the PSDs included within the scope of [the] audit".
It found that the ATO had managed the risks associated with PSD use, but that ITSA and Australian Hearing need to implement further measures.
In particular, ANAO recommended that agencies assess the use of PSDs in their risk-management activities, develop and document mitigation strategies, review their security policies to account for PSDs, implement hardware and software controls for PSDs, undertake security and awareness training and update their incident-response procedures for the theft or loss of PSDs.
ITSA and Australian Hearing were unaware of the number of USB flash drives, CDs and DVDs that were in circulation within their organisations. The audit identified that ITSA had a number of privately purchased and non-encrypted USB devices in use, while Australian Hearing had USB devices, CDs and DVDs that had been provided by external sources and contained marketing material.
The lack of a complete central register of USB devices, combined with the absence of password protection or encryption on the USB devices themselves, meant that "if one were to be lost or stolen, any information held on the device would be easily accessible".
In contrast, the ATO was able to state that it had about 2500 USB devices, each of which was restricted to a specific brand that required biometrics to use. Additionally, staff had to apply to be issued with one, so records of their use were kept. Where private USB devices were introduced to the ATO's systems, its file-transfer monitoring system could also assist in identifying the user responsible for any unauthorised data transfer.
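As an added illustration, not taken from the audit or from the ATO's own tooling, the snippet below shows how a central register of issued devices combined with endpoint transfer monitoring lets an agency flag private or unregistered devices and attribute a transfer to an account, the kind of control the ATO is credited with above. The approved vendor id, the register contents and the log lines are all constructed for the example.

```python
from dataclasses import dataclass
# Constructed, hypothetical values: the vendor:product id of the single approved
# (biometric) brand, and a central register of device serial -> staff member.
APPROVED_VIDPID = "0x1234:0x5678"
REGISTER = {"SN-A1B2": "alice", "SN-C3D4": "bob"}
# Constructed endpoint log lines in a simple "timestamp key=value ..." format.
SAMPLE_LOG = """\
2012-05-01T09:02:11 host=ws-17 user=alice event=usb_attach vidpid=0x1234:0x5678 serial=SN-A1B2
2012-05-01T09:05:40 host=ws-17 user=alice event=file_copy dst=usb serial=SN-A1B2 bytes=2048
2012-05-01T10:31:07 host=ws-42 user=carol event=usb_attach vidpid=0x0781:0x5567 serial=SN-ZZ99
2012-05-01T10:33:19 host=ws-42 user=carol event=file_copy dst=usb serial=SN-ZZ99 bytes=734003200
2012-05-01T11:12:00 host=ws-08 user=bob event=usb_attach vidpid=0x1234:0x5678 serial=SN-C3D4
2012-05-01T11:15:00 host=ws-08 user=dave event=file_copy dst=usb serial=SN-C3D4 bytes=4096
"""

@dataclass
class Finding:
    timestamp: str
    user: str        # account active on the endpoint, i.e. who to ask first
    serial: str
    issued_to: str   # staff member the device is registered to, or None
    reason: str

def parse_line(line):
    # Split "timestamp k=v k=v ..." into a dict keyed by field name.
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["timestamp"] = ts
    return fields

def audit_usb_log(log_text, register, approved_vidpid):
    # Return one Finding for every event the central register cannot account for.
    findings = []
    for line in log_text.strip().splitlines():
        f = parse_line(line)
        issued_to = register.get(f["serial"])
        reason = None
        if f["event"] == "usb_attach":
            if f.get("vidpid") != approved_vidpid:
                reason = "unapproved device model"   # e.g. privately purchased
            elif issued_to is None:
                reason = "approved model not in register"
        elif f["event"] == "file_copy" and f.get("dst") == "usb":
            if issued_to is None:
                reason = "transfer to unregistered device"
            elif issued_to != f["user"]:
                reason = "device issued to another user"
        if reason:
            findings.append(Finding(f["timestamp"], f["user"], f["serial"], issued_to, reason))
    return findings
```

Run against the sample log, the two events on alice's and bob's registered devices pass, while carol's private drive and dave's use of bob's device are each reported with the account to follow up.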
The auditor-general stressed the importance of keeping PSDs secure, citing previous cases of losses, such as when the Department of Defence lost a USB device containing confidential information on a Qantas flight.