Audit finds WA unis fail to fix known security weaknesses

An independent audit has found that many of Western Australia's universities and state training providers have failed to resolve the cheap and easy-to-fix information system weaknesses that they were informed about in previous years.

The Western Australian auditor general has tabled his report into the state's universities and training providers, finding that although they were generally performing well, they suffered from a number of easy- and cheap-to-fix information system issues.

WA Auditor General Colin Murphy conducted the independent review (PDF), and said in a statement that he is pleased that the financial controls and reporting practices at all four state universities and three state training providers have achieved a "better practice" status, an improvement on the previous year.

However, in addition to assessing financial statements, controls, and key performance indicators (KPIs), the audit included an examination of the information systems at Curtin University of Technology, Edith Cowan University, Murdoch University, the University of Western Australia, and 11 state training providers. The examination of these systems indicated an increase in the number of weaknesses — although the audit did increase its focus on security this year.

Nevertheless, Murphy said that the results are disappointing, considering the number of weaknesses that were already known to the audited organisations.

"The number of information system control weaknesses increased, and it was disappointing to note that 39 per cent of these were also unresolved from previous audits," Murphy said.

The auditor general's previous audits found 108 information system weaknesses in 2010, improving to 85 in 2011. For 2012, however, it identified 132 weaknesses. Although a "weakness" does not necessarily imply a security issue, the report indicated that 46 percent of those identified in the latest audit are specifically security related. The remaining weaknesses concerned mainly operational matters such as backups, support, monitoring, and logging.

The auditor general's report indicates that of all weaknesses, 70 percent were rated as moderate and required that action be taken "as soon as possible"; 29.5 percent of weaknesses were identified as minor; and the remaining 0.5 percent accounted for a single weakness classified as "significant", which has since been rectified.

"Most disappointing is the fact that many of the [information system] issues can be resolved with minimal effort and with little expense — and yet, if left unresolved, have the potential to compromise the confidentiality, integrity, and availability of computer systems and information," Murphy said.

An additional Information Systems Audit Report from the auditor general is expected to be released in mid-2013, and go into further detail on its audit results.

The auditor general recommended that universities, state training providers, and other agencies ensure that the information system issues brought to their attention by the audit are addressed in a timely manner.