ABS gets tough on internal data access

Following the arrest of a staff member, the Australian Bureau of Statistics is implementing all of the recommendations that were made to the organisation to strengthen its sensitive information controls.

The Australian Bureau of Statistics (ABS) continues to implement the recommendations that were made in a recent review into the ABS sensitive information controls.

The review (PDF) was independently conducted by Belinda Gibson, former deputy chair of the Australian Securities and Investments Commission (ASIC), and provided recommendations around four key areas: Access controls, culture and training, financial disclosures, and IT monitoring and surveillance.

Some of the specific recommendations included requiring staff to declare their financial assets annually, and conducting a close review of all IT access lists to ensure that only necessary persons are included.

The review followed the arrest of an ABS staff member by the Australian Federal Police (AFP) in May 2014. AFP and the ASIC found that the staff member had allegedly disclosed sensitive statistics that were under embargo.

During a Senate Estimates hearing on Tuesday, Ian Ewing, ABS deputy Australian statistician for the economic and environment statistics group, said that all recommendations made to the organisation in the review are currently being implemented.

"The review found that our systems of controls were broadly consistent with those that you would expect in agencies undertaking similar work. But there are a number of recommendations as to how we might strengthen our culture around information security and promote awareness of the need to maintain information security; those recommendations are being implemented now," he said.

Ewing added that two key areas of review that the ABS is looking into are increasing the level of disclosure by staff, and the rigour and formality around identification reporting of potential conflicts of interest.

ABS chief operating officer Chris Libreri said that reviewing staff access to sensitive data is now "far more pervasive" than how the organisation had done in the past.

In a separate audit by the Australia National Audit Office that looked at the information security processes of Australian government agencies, it was concluded that the ABS is one of several government agencies found to be well protected from internal security issues, but insufficiently protected against external attacks.