12 years on, audit finds WA government entities still don't get infosec

They're slowly getting better though, with 15 passing the auditor-general's probe this year.

Western Australia's auditor-general has once again called out state agencies for not taking IT risks seriously, acknowledging that while they are getting better, there are still many entities that failed to meet the benchmark for minimum practice.

The report [PDF] presents the results of the general computer control (GCC) audits and capability assessments, with the objective being to determine whether computer controls effectively support the confidentiality, integrity, and availability of information systems.

Focusing on information security, business continuity, management of IT risks, IT operations, change control, and physical security, the audit found 15 entities met the benchmark, compared to 13 in 2018.

In 2019, the audit found a total of 522 GCC issues from 50 state government entities.

"This was a slight reduction from the 547 issues reported at 47 entities in 2018. However, entities are not addressing audit findings quickly, with 45% of the findings reported in 2019 relating to previously reported audit findings," the report said.

The 12th audit of its kind, the report echoed many of the concerns highlighted in previous years. In 2019, however, entities improved their controls across five of the six categories.

With a scale ranging zero to five, the auditor-general expects state entities to hit at least a three, which would see them have documented and communicated processes that are mandated, along with standardised procedures that are not necessarily sophisticated but are the formalisation of existing practices.

The report said that only four entities had consistently demonstrated good practices across all six control categories: The Department of the Premier and Cabinet, which has been at level three or higher for seven years; Racing and Wagering Western Australia, with six years; Western Australian Land Information Authority, which has performed at level three or higher for four years; and also hitting the benchmark for four years is Curtin University.

The number of entities that met the benchmark for information security increased from 47% to 57% in 2019.

"However, a large number of entities are still not managing this area effectively," the report said.

See also: How to become a cybersecurity pro: A cheat sheet (TechRepublic)

Weaknesses found included inadequate or out-of-date information security policies; no reviews of highly privileged access to applications, databases, and networks; a lack of processes to identify and patch security vulnerabilities within IT infrastructure; no information security awareness programs for staff; a lack of staff training and development in information security; a lack of information classification policy or procedures; and weak password controls without multi-factor authentication.

While the report doesn't name and shame specific organisations, it details case studies, mentioning one government entity had a cloud-based finance system that saw over 190 users have access to sensitive information, including bank account details, as a result of insecure authentication and weak default passwords.

"At one entity, we found that plain-text payment files used for processing EFT payroll payments to employees, could be accessed and modified by an excessive number of users. The entity also did not regularly check if there were changes to these payment files," the auditor said.

Under business continuity, the audit also found that many entities continued to not have adequate business continuity and disaster recovery plans in place.

Where the management of IT risks was concerned, 78% of entities met the auditor's expectations. This was a 9% improvement from last year and a 42% increase from the first assessment in 2008.

In 2018, 82% of state government entities had hit level three or above where IT operations were concerned; in 2019, that dropped to 80%.

Weaknesses found included a lack of service level agreements with IT vendors; inadequate contract management; weak governance over IT operations; IT strategies not being in place; a lack of access reviews and segregation of duties across systems; inappropriate processes to monitor cybersecurity events; unmaintained asset registers; and IT equipment that are unable to be located.

Offering another unnamed case study, the audit revealed one entity had procured IT services without going to tender.

"In this case, there were multiple contracts with a single vendor which were below the tender threshold (AU$250,000). However, in aggregate over the year, the committed spend with this vendor was AU$2.5 million which is well above the tender threshold," the report said.

Under change control, the report showed practices have slowly improved since 2008, with 80% of entities meeting the benchmark in 2019.

Physical security had also improved, but the audit found many entities still had no reviews for staff and contractor access to server rooms, a lack of humidity controls in server rooms, and no fire suppression system installed in server rooms.

Auditor-general Caroline Spencer said she was concerned that information security and business continuity had shown little improvement, with many entities failing to meet the benchmark for minimum practice.

"This is of significant concern given the value of personal and corporate information entities hold," she wrote. 

"It is my view that entities need to be as vigilant in protecting their personal and corporate information, by implementing the same level of controls including monitoring and protection, as for other valuable assets, such as cash, bank account access, and other physical assets. 

"Maturity across all sectors and entities has a way to go in this regard."

MORE FROM THE WEST