Online Qld govt services fail to meet demand, contain security holes

A report from the Queensland Audit Office into how the state is providing online services has found that it is failing to keep up with customer demands and that two departments have significant online security issues.
Written by Michael Lee, Contributor

The Queensland Audit Office tabled its report (PDF) on the state's online service delivery today, finding that it does not meet customer expectations and that certain personal information could be better protected.

The audit examined the service delivery of Brisbane City Council; the Department of Science, Information Technology, Innovation and the Arts' Smart Service Queensland business unit; the Department of Transport and Main Roads; the Department of Tourism, Major Events, Small Business and the Commonwealth Games (DTESB); and Queensland Treasury and Trade's Office of State Revenue.

The report found that the audited departments had not kept up with the increased demand for online services, or used technology effectively. It also pointed to the state's previous 2009 ICT strategy document, Toward Q2 through ICT (PDF), highlighting that the departments it audited failed to reach the former target of having 50 percent of services made available online by 2012.

"Strategic leadership and central direction has been notably ineffective, and departments have not implemented comprehensive strategies for managing all their service delivery channels. As a result, service delivery methods remain disparate across departments," the report read.

Furthermore, not one department appears to know what services they provide and which channels — face-to-face, telephone, mail, or online — are being used to deliver them.

"No department has a document that identifies all their services, the channels used to deliver those services, and how performance of each channel is assessed."

Yet for those departments that are engaging in delivering services online, the report shows immediate benefits. The report notes that DTESB, which formed a limited online services strategy in 2011 for its business and industry website, has seen 98 percent of its customer services delivered online for September 2012. Previously, this figure was 67 percent in December 2010.

Together with the Office of State Revenue, it closed its counter services, netting a saving of about AU$1.1 million between the two departments. Drawing on previous research from studies in the UK, the report notes that a single transaction in person costs AU$16, while an online one costs AU$0.12. It goes on to clarify, however, that no one channel of service delivery will meet all customer needs.

When it came to protecting customer information sent online, however, the report notes that the technology used by the departments that were audited was not up to the task, and that "the current state of technology is hindering progress to deliver more services online".

While the report notes that there have been no reports of major security incidents, it warns that the departments are "not well prepared for internet security attacks that are becoming more sophisticated and targeted".

Security in general does not appear to be a top priority, with the report noting that none of the departments audited has a security plan, and the departments' end-to-end security designs do not contain any documentation that could be used to enable risk identification.

When it came to credit card information, the report noted that all audited departments were compliant with the Payment Card Industry Data Security Standard (PCI-DSS), but that non-financial information is potentially an issue for the Office of State Revenue and Smart Service Queensland. These two business units were singled out in the report as having significant security issues.

Smart Service Queensland is responsible for the security of the Queensland Government website (www.qld.gov.au), but its department does not conduct penetration testing of any kind. The report noted that this would make it difficult to identify risks and vulnerabilities.

Smart Service Queensland has promised to develop an online information security plan and implementation schedule. A recommendation to conduct penetration testing was not included in the report, and Smart Service Queensland has not indicated in its response that it intends to undertake any in the future.

The Office of State Revenue did perform a penetration test in July 2012; however, this revealed a large number of security risks. A plan has been developed to address the risks, but the report does not note when the vulnerabilities will be closed or whether they already have been.

The Office of State Revenue does note in its response, however, that regular penetration testing will form the basis of assessing and documenting security designs to mitigate risks, and that it is currently updating its online services applications and documentation.
