The NSW State Government has been slammed for slack information security practice and has been told it could learn a lesson from Victoria, Queensland and the United Kingdom.
An absence of central security oversight and enforcement has resulted in widespread non-compliance across state government agencies, according to a report by the NSW Audit Office, despite almost a decade of feeble efforts to force NSW agencies into line.
Two-thirds of NSW departments that bothered to respond to previous audits were found to be non-compliant with the international IT security standard ISO 27001.
"The government cannot say with any certainty whether agencies have implemented its policy. As a result, the government does not know how well agencies are securing sensitive personal information," the report read.
"Agencies were again told to get certified to the international standard. But there was no deadline, no effective monitoring and no consequences if they didn't.
"This is not a new problem. The government has been issuing edicts to agencies about electronic information security for a decade with little impact."
It said the data of NSW taxpayers is not safe in the hands of the State Government.
"The government is not able to assure the people of NSW that all its agencies are properly safeguarding sensitive private information," Auditor-General Peter Achterstraat said.
He believes that the state has a disregard for IT security.
"The analogy is that if you buy a car you need to make sure it comes with seatbelts," Achterstraat told ZDNet Australia. "There has been a lot of talk and not a lot of action."
But Achterstraat praised the Victorian Government for the security standards it enforces on its agencies, including the use of independent penetration testing, tougher two-factor authentication, and stronger data classification and management.
He cited similar good security practices in place in the Queensland Government and across the UK.
The report has hit home with the NSW government, which has fast-tracked a broad, high-level review into how it structures and governs ICT.
Achterstraat said he is confident a security overhaul will be key to the review, but has warned that he will name and shame agencies with slack security if nothing is done by this time next year.
In the report, he said that the government's push to consolidate ICT infrastructure presents opportunities for security reform, but will also amplify risks and require tighter access and network security controls.
Premier and Cabinet Director General Brendan O'Reilly accepted the report's conclusions but denied NSW has systemic problems.
"It should be noted that the performance audit has not identified any systemic information security problems within the NSW Government. There is nevertheless the need to properly manage information security risks, and consider future risks and possible problems," O'Reilly said in the report.
The audit comes two weeks after a scathing report into the security of Victoria's water industry, and six months after an audit discovered gross security failures in the handling of personal data across Western Australian government departments.
The NSW audit report said that hypothetical consequences of IT security breaches within the State Government could include:
- Financial or identity theft
- Criminals erasing records
- Medical records altered
- Witness intimidation.