Auditor slams WA Govt IT security


Western Australia's Auditor General Colin Murphy late last week delivered a scathing report into the security of state government IT systems, billing it as a "wake-up call" to departments and agencies.


In the report, Murphy's office examined 65 agencies in general, and drilled down into detail for five agencies which collected sensitive information about state residents. The auditor was not impressed with his findings. The agencies were not named.

"I found fundamental weaknesses in all of the key areas of information security at the agencies examined," he said of the five agencies examined in detail. The rest also displayed signs of problems.

"The results of the general computer and application controls audits reinforces my concern that many agencies are continuing to ignore the importance of effectively managing their information systems ... agencies leave themselves vulnerable to computer system failures, unauthorised access to information, loss of information and fraudulent activity," Murphy added.

Some of the problems the audits found included:

  • A lack of IT security policies
  • Former employees' accounts had not been deleted
  • Generic accounts with no passwords, or passwords that were easy to guess. By using these accounts and guessing passwords, Murphy's office was easily able to access 700,000 sensitive records via the internet
  • Passwords left on post-it notes on monitors
  • A failure to log or monitor network use or unsuccessful log-on attempts
  • Security patches and updates not being applied
  • Information being stored in databases that had no passwords and known security weaknesses
  • Default software passwords being used
  • Confidential documents saved to unsecured network servers
  • USB drives connected to sensitive computers
  • A lack of police checks or confidentiality agreements for staff dealing with sensitive data

The problems were widespread throughout other agencies as well, with more cursory checks on 41 other agencies finding that over 60 per cent did not have effective controls to manage IT risks, information security and business continuity.

Murphy wrote that, in many cases, the security controls overlooked by departments and agencies did not require expensive technology or specialist resources. "Good controls can be achieved through the appropriate implementation and management of basic policies, procedures and practice," he wrote. "I expect agencies across government to take note of the findings and recommendations of this report."


Talkback

  • How dare they!

    Given the amount of time, cost and effort spent on IT Controls in Banks to comply with Govt standards, this is a bit rich!

    The IT Controls found lacking are the easiest ones to fix and the ones that private companies dealt with years ago. My view is that senior management needs the boot. Not understanding IT is no excuse for paying lip service to basic IT Controls. Having workable, compliant processes should be viewed as foundation, not extension!

    Sadly, they'll roll in a number of consultants, do a lot of audit and presentation work, have leadership meetings and then think about it some more. If left to any half decent IT staff, this can be sorted in weeks.
    anonymous
  • doesn't surprise me in the least

    DET are notoriously bad for security patching, thinking they are immune to all attacks and vulnerabilities, which in the real world they aren't!
    anonymous