Tasmanian Audit Office reveals 'excessive' online attack risks

The Tasmanian Audit Office has revealed that all five of the state government departments audited for a new report released this week were at excessive risk from online attacks.

A report from the Tasmanian Audit Office released on Thursday has revealed that at least five state government departments were open to excessive risk from online attacks.

The Tasmanian auditor-general's report (PDF) No. 8 of 2014-15, Security of information and communications technology (ICT) infrastructure, outlines a number of weaknesses in the audited departments' digital security.

The audit was conducted on five of the state government's departments, including Treasury; the Department of Primary Industries, Parks, Water and the Environment; the Department of Health and Human Services; the Department of Premier and Cabinet; and the Department of Police and Emergency Management.

The Audit Office found that although information was generally safe and secure with reasonable backup and access restrictions, all of the audited departments were at excessive risk from online attacks, due to a lack of Australian Signals Directorate-recommended mitigation strategies.

Two other identified common areas of weakness were a lack of testing of backups, and access permissions.

The audits found that there was widespread failure by departments to take a strategic approach to IT security, including a lack of IT security plans, incident recording systems, business continuity, and disaster recovery plans.

The Audit Office said in its report that while departments had reasonable security over most of their facilities, infrastructure, and servers, there were areas of inadequate security at most departments.

Common problems, according to the report, included lack of policy on physical security, construction weaknesses, and limited CCTV coverage.

"As a result of the high number of weaknesses identified, I concluded that there were areas of inadequate security at most departments," said Tasmanian Auditor-General HM Blake in the report. "Common problems included lack of policy on physical security, construction weaknesses, limited CCTV coverage, excessive risk from cyber attacks, and lack of testing of backups.

"I am also concerned at the lack of a strategic approach to ICT security. Hopefully, the ICT Security Framework referred to will address these matters," he said.

However, Blake also stressed that despite uncovering a number of weaknesses among the reviewed departments, it did not necessarily follow that the departments had not been taking their IT security seriously.

"Evident from this report, and from submissions made by secretaries, is that, generally, departments had reasonable security over most of their facilities, infrastructure, and servers, and I, and the community, should be confident that data is, or that steps are being taken to ensure, appropriately secure," he said.

At the time of the audit, a whole-of-government project was under way to produce an IT security framework for the departments. The project's terms of reference included producing a government IT security manual; however, the work was not sufficiently advanced to be considered in the audit, and the Audit Office's testing was done at an individual department level.

In a departure from its usual practice, the Audit Office decided not to table the report at the earliest available opportunity -- which would have seen it published in December or January -- and instead waited to allow the five audited departments enough time to strengthen their security before announcing their potential vulnerabilities publicly.

"The response time was extended by three months. As indicated from responses provided, departments have used this time well," said Blake.

The Tasmanian Audit Office's findings come just two months after NSW Auditor-General Grant Hehir revealed that potential security vulnerabilities found in the NSW roads management network could lead to accidents and vehicle congestion.

Meanwhile, in June last year, an audit conducted by the Australian National Audit Office said that seven Commonwealth agencies examined by the audit office did not meet the top four security strategies made mandatory by the Australian government in 2013.