ATO passes USB audit, others stumble

The auditor-general has given the Australian Taxation Office (ATO) a clean bill of health around the use of its portable storage devices (PSDs), but has voiced concerns about how two other agencies handled them.

(usb guy image by Andreas Brandmaier, CC BY 2.0)

As part of the audit (PDF), the Australian National Audit Office (ANAO) examined the systems of the ATO, Insolvency and Trustee Service Australia (ITSA) and Australian Hearing, on the grounds that these agencies were "representative of Commonwealth agencies and ICT systems, and each uses the PSDs included within the scope of [the] audit".

It found that the ATO had managed the risks associated with PSD use, but that ITSA and Australian Hearing need to implement further measures.

In particular, ANAO recommended that agencies assess the use of PSDs in their risk-management activities, develop and document mitigation strategies, review their security policies to account for PSDs, implement hardware and software controls for PSDs, undertake security and awareness training and update their incident-response procedures for the theft or loss of PSDs.

ITSA and Australian Hearing were unaware of the number of USB flash drives, CDs and DVDs that were in circulation within their organisations. The audit identified that ITSA had a number of privately purchased and non-encrypted USB devices in use, while Australian Hearing had USB devices, CDs and DVDs that had been provided by external sources and contained marketing material.

The lack of a complete central register of USB devices and a lack of password protection or encryption on the USB devices themselves meant that "if one were to be lost or stolen, any information held on the device would be easily accessible".

In contrast, the ATO was able to state that it had about 2500 USB devices, all restricted to a specific brand that required biometrics to use. Additionally, staff had to apply to be issued with one, which further kept records of their use. Where private USB devices were introduced to the ATO's systems, its file transfer-monitoring system could also assist in identifying the user responsible for any unauthorised data transfer.

The auditor-general stressed the importance of keeping PSDs secure, citing previous cases of losses, such as when the Department of Defence lost a USB device containing confidential information on a Qantas flight.

About

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.
