Western Australia's Auditor General Colin Murphy late last week delivered a scathing report into the security of state government IT systems, billing it as a "wake-up call" to departments and agencies.
In the report, Murphy's office examined 65 agencies in general and drilled down into detail on five agencies that collected sensitive information about state residents. The auditor was not impressed with his findings. The agencies were not named.
"I found fundamental weaknesses in all of the key areas of information security at the agencies examined," he said of the five agencies examined in detail. The rest also displayed signs of problems.
"The results of the general computer and application controls audits reinforces my concern that many agencies are continuing to ignore the importance of effectively managing their information systems ... agencies leave themselves vulnerable to computer system failures, unauthorised access to information, loss of information and fraudulent activity," Murphy added.
Some of the problems the audits found included:
- A lack of IT security policies
- Former employees' accounts had not been deleted
- Generic accounts with no passwords, or passwords that were easy to guess. By using these accounts and guessing passwords, Murphy's office was easily able to access 700,000 sensitive records via the Internet
- Passwords left on post-it notes on monitors
- A failure to log or monitor network use or unsuccessful log-on attempts
- Security patches and updates not being applied
- Information being stored in databases that had no passwords and known security weaknesses
- Default software passwords being used
- Confidential documents saved to unsecured network servers
- USB drives connected to sensitive computers
- A lack of police checks or confidentiality agreements for staff dealing with sensitive data
The problems were widespread in other agencies as well: more cursory checks on 41 other agencies found that over 60 per cent did not have effective controls to manage IT risks, information security and business continuity.
Murphy wrote that, in many cases, the security controls overlooked by departments and agencies did not require expensive technology or specialist resources. "Good controls can be achieved through the appropriate implementation and management of basic policies, procedures and practice," he wrote. "I expect agencies across government to take note of the findings and recommendations of this report."