NBN Co access controls found lacking
An audit report into government agencies has found that the National Broadband Network Company (NBN Co) has a weakness in documenting user-access controls, potentially compromising financial information from the government-owned company.
In its audits of the Financial Statements of Australian Government Entities report for the period ending 30 June 2011, the Australian National Audit Office (ANAO) conducted reviews of all financial statements and accounts of federal government departments and entities. In examining NBN Co, the office analysed IT security controls of NBN Co's financial systems, and found them to be lacking.
"The ANAO identified weaknesses in the area of access controls, including a lack of consistent monitoring of users' access — notably users with privileged access — together with instances where approval of new standard users was not documented," the ANAO said in the report.
These identified weaknesses would increase the risk of potential unauthorised system changes that "could compromise the confidentiality, integrity and completeness of financial information", according to the ANAO. NBN Co told the ANAO that since the audit, it has implemented procedures for monitoring access, and the automated controls for the approval of users had since been "enhanced" to address these issues.
Among the other findings in the report, the ANAO was critical of the Tertiary Youth Internet Management System (TYIMS) in the Department of Education, Employment and Workplace Relations. This system is an internet-based application that manages the payment of apprentices and employers of apprentices under the Australian Apprentices Incentive Program. According to the ANAO, the software of the system was open to people making unauthorised changes to it without being detected. In response, the department has put in additional access controls, and is looking at implementing an audit log to keep track of changes to the system. These changes are expected to be completed this month.
The ANAO said that the implementation and the operation of the Military Integrated Logistics Information System (MILIS) had improved since the last report, with Defence implementing a configuration-management tool and commencing a review of the change-management and configuration-management tool controls and processes.