Tax CIO acts on security criticism

Australian Taxation Office (ATO) chief information officer Bill Gibson will keep a closer eye on the organisation's security governance following a number of criticisms in an audit report. Gibson has joined the ATO's security committee after it was recently reconstituted to include the CIO.


Gibson has joined the ATO's security committee after it was recently reconstituted to include the CIO. The group of seven senior ATO employees meets monthly to identify risks and the strategies to combat them, covering both IT and physical security.

The committee is also responsible for submitting reports of security incidents to other government security agencies such as the Defence Signals Directorate.

Other changes have seen the committee, chaired by second commissioner Greg Farr, now report directly to the ATO Executive. 

Gibson refused to comment on the Australian National Audit Office (ANAO) report, published last week, when ZDNet Australia contacted him. Titled Tax Agent and Business Portals, the report found inadequate reporting of security incidents across the ATO.

"The ATO's IT security incident management process was well established," the report said, "however, significant incidents were not reported to the Defence Signals Directorate as required".

ATO assistant commissioner Robert Ravanello said Gibson joined the committee about two months ago.

"In the last three or four months we've changed the composition of the committee.

"It was at one level of the business, but now it's at a more senior level. [For instance], the CIO is now on it," Ravanello said.

"The organisation wanted to make sure people with key influencing decisions had visibility of security."

The ATO has been issuing digital certificates to tax agents in place of passwords in order to improve the security of its tax agent portals. However, the ANAO report said the ATO may still be "exposed to a higher level of IT security risk than is considered acceptable".

"The ATO does not have the capability for the timely production of a clear and meaningful end-to-end view of a user's actions within the Portals," the report said.

"This is particularly important when reviewing transactions performed to detect possible security breaches."

ANAO made six recommendations -- all of which were agreed to by the ATO. They included:

  • Develop a performance measurement framework to prove the Portals are delivering business benefits.
  • Review IT security controls and clearly define roles and responsibilities of key stakeholders.
  • Reduce risk by establishing security baselines and then providing assurance that the baselines have been implemented and maintained.
  • Strengthen -- and review regularly -- user access controls.
  • Improve security reporting.

One project underway to alleviate some of these problems is a centralised audit logging system.

The ATO recently awarded a contract to local software house Tier-3 for its Huntsman security product, following a competitive tender.

The system will present a central view of all activity on ATO portals, by linking to the many separate logs across the ATO's numerous infrastructure layers.

"Currently we don't have an end-to-end auditing trail," said Ravanello.

"Our mainframe technologies were built before our portals, so it's not easy to link technologies together.

"Currently, to analyse any incident, you can look at any of the logs, but it requires some work to put a central picture together. [Huntsman] will allow us to do that forensic analysis."
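As an added illustration of what "putting a central picture together" from separate layer logs involves, the Python script below is not code from the ATO, the ANAO report or Tier-3's Huntsman product. It joins three constructed logs (a portal layer that knows the user, a middleware layer that maps a session to a back-end transaction, and a mainframe layer that records only the transaction id) into one time-ordered trail per user, and lists back-end events that no portal session accounts for, which is exactly the gap an end-to-end audit view is meant to close. Log formats, field names and values are all assumptions made for the example.

```python
"""Added example (not ATO or Huntsman code): correlate per-layer audit logs
into an end-to-end trail per user by chaining identifiers across layers.
All log lines, sources and field names below are constructed samples."""
import re
from collections import defaultdict

# Constructed portal log: the only layer that records which user acted.
PORTAL_LOG = """\
2006-05-01T09:00:01 portal login user=agent42 session=S1 cert=ok
2006-05-01T09:02:10 portal request user=agent42 session=S1 path=/lodge
2006-05-01T09:10:00 portal login user=agent77 session=S2 cert=ok
"""

# Constructed middleware log: maps a portal session to a back-end transaction id.
MIDDLEWARE_LOG = """\
2006-05-01T09:02:11 mw dispatch session=S1 txn=T100 op=lodge_return
2006-05-01T09:11:00 mw dispatch session=S2 txn=T101 op=view_account
"""

# Constructed mainframe log: knows the transaction id but not the user or session.
MAINFRAME_LOG = """\
2006-05-01T09:02:12 mf commit txn=T100 action=UPDATE table=RETURNS status=OK
2006-05-01T09:11:02 mf commit txn=T101 action=READ table=ACCOUNTS status=OK
2006-05-01T09:30:00 mf commit txn=T999 action=UPDATE table=ACCOUNTS status=OK
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse(log):
    """Turn each 'timestamp source event k=v ...' line into a dict."""
    events = []
    for line in log.splitlines():
        ts, source, event, rest = line.split(" ", 3)
        ev = {"ts": ts, "source": source, "event": event}
        ev.update(KV.findall(rest))
        events.append(ev)
    return events


def build_trails(portal, middleware, mainframe):
    """Chain session -> user (portal) and txn -> session (middleware) so that
    mainframe events can be attributed to a user. Returns (trails, orphans):
    trails maps user -> time-ordered events from every layer; orphans holds
    events that cannot be tied back to any portal user."""
    session_user = {e["session"]: e["user"] for e in parse(portal) if "session" in e}
    txn_session = {e["txn"]: e["session"] for e in parse(middleware) if "txn" in e}
    trails = defaultdict(list)
    orphans = []
    for e in parse(portal):
        trails[e["user"]].append(e)
    for e in parse(middleware):
        user = session_user.get(e.get("session"))
        (trails[user] if user else orphans).append(e)
    for e in parse(mainframe):
        session = txn_session.get(e.get("txn"))
        user = session_user.get(session) if session else None
        (trails[user] if user else orphans).append(e)
    for user in trails:
        trails[user].sort(key=lambda e: e["ts"])  # ISO timestamps sort lexically
    return dict(trails), orphans


def trail_sources(user, trails):
    """Which layers contributed to a user's trail, in time order."""
    return [e["source"] for e in trails.get(user, [])]


def unexplained_txns(orphans):
    """Back-end transaction ids with no portal session behind them."""
    return [e["txn"] for e in orphans if "txn" in e]


if __name__ == "__main__":
    trails, orphans = build_trails(PORTAL_LOG, MIDDLEWARE_LOG, MAINFRAME_LOG)
    for user, events in trails.items():
        print(user)
        for e in events:
            print("  ", e["ts"], e["source"], e.get("path") or e.get("op") or e.get("action"))
    print("back-end events with no user behind them:", unexplained_txns(orphans))
```

In a real deployment the join keys would come from whatever each layer actually emits, and the orphan list is the first thing a reviewer would look at: a mainframe update that no portal session explains is either a logging gap or a transaction that bypassed the portal, and either way it is the kind of event the report says must be visible and reportable.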

The ATO has piloted the system, and will schedule its implementation with other systems' release schedules, according to Ravanello.

In its report, the ANAO said the project was expected to "significantly enhance the ATO's ability to track a user's actions within the Portals".