Confidential personal information gathered by Victorian government agencies "can be, and has been, easily compromised", according to a report published today by the state's Auditor General.
Confidential personal information gathered by Victorian
government agencies "can be, and has been, easily compromised",
according to a report published today by the state's Auditor
General.
In each department unauthorised people
could access personal information quickly and easily
Victorian Auditor-General
The audit report, Maintaining the Integrity and Confidentiality
of Personal Information, found a plethora of security oversights,
blunders and poor practices that left citizens' personal data
highly vulnerable to exposure.
The audit examined security governance and risk management
arrangements at three Victorian Government agencies, including the
departments of Premier and Cabinet, and Treasury and Finance. It
did not name the third department.
"While we examined only three departments, the ability to
penetrate databases, the consistency of our findings and the lack
of effective oversight and coordination of information security
practices strongly indicate that this phenomenon is widespread,"
the report said.
The audit found that "in each department unauthorised people
could access personal information quickly and easily" because "the
information was not appropriately classified" and "the database
controls were either missing or not operating".
Further, because the departments didn't maintain or regularly
review system logs, they had no way of knowing if their systems had
been breached and personal information in their care had been
accessed without authorisation.
The Auditor General's office found that departments were storing
and exchanging information in unsecured formats.
"Data was transmitted from the three departments by emails in
formats that were easily read," the report said. "This means they
could be accessed by someone other than the intended recipient.
"Personal information was stored on portable storage devices,
CDs and DVDs that are vulnerable to loss, in easily-read formats.
Personal information was exchanged via personal email accounts,
some of which were particularly vulnerable to unauthorised access.
Extracts or whole copies of personal information from the selected
databases were stored in unsecured shared drives on departmental
networks accessible by unauthorised staff."
These departments were providing information to third parties
such as IT services providers and hosting companies which were "not
required to certify that their security arrangements at least equal
public sector requirements".
It also found that the Victorian Government has to date failed
to implement "a comprehensive suite of standards to guide and
support effective information management and security practice
across the public sector".
"The Department of Treasury and Finance and the Department of
Premier and Cabinet have not fulfilled their responsibilities to
develop and maintain whole-of-government information security
standards and guidance, to improve the coordination of identity and
information management systems at state level, and to provide
policy advice on emerging trends and issues in identity and
information management," the report said.
The Auditor General's report recommended that the departments
should:
Clarify their roles, responsibilities, policies and standards regarding information security
Assign responsibility for information security to senior management
Develop more robust risk management practices
Train staff in good security practices and the importance of information security
Assess threats and vulnerabilities and take steps to address them.
