Western Australia's Auditor General Colin Murphy late last week delivered a scathing report into the security of state government IT systems, billing it as a "wake-up call" to departments and agencies.
In the report, Murphy's office examined 65 agencies in general,
and drilled down into detail for five agencies which collected
sensitive information about state residents. The auditor was not
impressed with his findings. The agencies were not named.
"I found fundamental weaknesses in all of the key areas of
information security at the agencies examined," he said of the five
agencies examined in detail. The rest also displayed signs of
problems.
"The results of the general computer and application controls
audits reinforce my concern that many agencies are continuing to
ignore the importance of effectively managing their information
systems ... agencies leave themselves vulnerable to computer system
failures, unauthorised access to information, loss of information
and fraudulent activity," Murphy added.
Some of the problems the audits found included:
- A lack of IT security policies
- Former employees' accounts had not been deleted
- Generic accounts with no passwords, or passwords that were easy to guess. By using these accounts and guessing passwords, Murphy's office was easily able to access 700,000 sensitive records via the internet
- Passwords left on post-it notes on monitors
- A failure to log or monitor network use or unsuccessful log-on attempts
- Security patches and updates not being applied
- Information being stored in databases that had no passwords and known security weaknesses
- Default software passwords being used
- Confidential documents saved to unsecured network servers
- USB drives connected to sensitive computers
- A lack of police checks or confidentiality agreements for staff dealing with sensitive data
The problems were widespread throughout other agencies as well,
with more cursory checks on 41 other agencies finding that over 60
per cent did not have effective controls to manage IT risks,
information security and business continuity.
Murphy wrote that, in many cases, the security controls
overlooked by departments and agencies did not require expensive
technology or specialist resources. "Good controls can be achieved
through the appropriate implementation and management of basic
policies, procedures and practice," he wrote. "I expect agencies
across government to take note of the findings and recommendations
of this report."