WA agencies fail to meet international security standards

An audit by the Western Australian auditor general has found that each of the state agencies it looked at failed to meet the requirements of the international standard for information security.

Not one of the 21 Western Australian agencies audited by the state's auditor general met the ISO 27002 international standard for information security.

The Office of the Auditor General Western Australia, headed by Colin Murphy, focused on three areas in its annual information systems audit report (PDF). These were a gap analysis of 21 agencies against the international standard for information security, ISO 27002; an audit of application controls for five business units within four state government departments; and a general computer controls and capabilities assessment of 44 agencies.

The gap analysis found that although two agencies came close, none actually met all the requirements of ISO 27002.

Overall results of the 21 agencies against the assessed categories. Image: Office of the Auditor General Western Australia

"Ninety percent of the sampled agencies had serious shortfalls in meeting the security standards across multiple categories. It is likely that this result is relevant to most agencies across government, and demonstrates a lack of good security practices across the public sector."

The report also noted that the size of the agency has no effect on whether it follows good or bad security practices.

It stated that many agencies are not taking the first step towards the standard, which is having a strategy for identifying and assessing risks, and said that half of the agencies rated poorly in the information security risk management category.

"This is an important area of initial focus to identify, assess, and treat risks, and allows agencies to take a strategic approach to managing information security. In the absence of a strategic approach, agencies lack focus and the approach to security becomes ad hoc. This can lead to agencies wasting resources on areas of minimal risk, while leaving critical areas exposed."

Failing to undertake a risk assessment usually indicates that an organisation has weaknesses across all of its other security-related areas, some of which are key to being resilient against an attack.

"Fifteen agencies did not have effective controls in place for Information Security Incident Management or IS Acquisition, Development and Maintenance. These agencies will not be able to detect and respond to incidents that threaten the security and availability of their environments."

The report suggested that agencies need to take a more methodical approach to ISO 27002, but also said that the Australian Government Information Security Manual, developed by the Defence Signals Directorate (now Australian Signals Directorate), would be a good reference for agencies to come back to when attempting to implement and understand good practices.

The auditor general's finding on application controls was a little more promising. This audit looked at:

  • The Department of Finance's ProgenNet application for coordinating office accommodation

  • The Department of Health's Emergency Department Information System and Hospital Morbidity Data System, which manage emergency department workflow and data collection, and personal and medical information, respectively

  • The Department of Mines and Petroleum's Royalties Online application, which petroleum producers use to submit "royalty returns" similar to tax returns

  • The Western Australia Police's (WAP) Firearms Management System.

ProgenNet had no significant security or control issues; the only concerns were minor ones, such as the length of time before passwords expire, the monitoring of logs, and the need to put service level agreements in place with suppliers.

The Department of Health's emergency system was praised as an effective workflow application, but the audit found that records can be altered anonymously: there is no audit trail of alterations, so if accountability for a mistake is needed, it cannot be established. The department's own investigation into the matter found that no mistaken alterations had occurred, however.
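The weakness described above, alterations that cannot be attributed to anyone and cannot be reconstructed afterwards, is the kind of gap that an audit trail is meant to close. The following is an added example, not code from the audit report or from any of the systems it examined: a minimal record store in which every change must be attributed to a user and is appended to a hash-chained log, so that each record's history can be reproduced and any silent edit to the log itself is detectable. The class name, record identifiers and field names are assumptions made for the illustration.

```python
"""Attributed, tamper-evident audit trail for record changes.

Added example: each update names the user who made it, records the state
before and after, and is chained to the previous log entry by SHA-256.
Class, record IDs and field names are hypothetical.
"""
import hashlib
import json
from typing import Any, Dict, List

GENESIS_HASH = "0" * 64


class AuditedRecordStore:
    """Holds records plus an append-only, hash-chained change log."""

    def __init__(self) -> None:
        self.records: Dict[str, Dict[str, Any]] = {}
        self.trail: List[Dict[str, Any]] = []
        self._prev_hash = GENESIS_HASH

    @staticmethod
    def _digest(body: Dict[str, Any]) -> str:
        # Canonical JSON so the hash does not depend on key order.
        return hashlib.sha256(
            json.dumps(body, sort_keys=True).encode("utf-8")
        ).hexdigest()

    def _append(self, user: str, action: str, record_id: str,
                before: Dict[str, Any], after: Dict[str, Any]) -> None:
        entry = {
            "seq": len(self.trail),
            "user": user,
            "action": action,
            "record_id": record_id,
            "before": dict(before),
            "after": dict(after),
            "prev": self._prev_hash,   # links this entry to the one before it
        }
        entry["hash"] = self._digest(entry)
        self.trail.append(entry)
        self._prev_hash = entry["hash"]

    def update(self, user: str, record_id: str, changes: Dict[str, Any]) -> None:
        """Apply `changes` to a record; refuses unattributed alterations."""
        if not user:
            raise ValueError("every alteration must be attributed to a user")
        before = dict(self.records.get(record_id, {}))
        after = {**before, **changes}
        self.records[record_id] = after
        self._append(user, "update", record_id, before, after)

    def history(self, record_id: str) -> List[Dict[str, Any]]:
        """Every logged change to one record, oldest first."""
        return [e for e in self.trail if e["record_id"] == record_id]

    def verify(self) -> bool:
        """True if no entry has been altered, removed or reordered."""
        prev = GENESIS_HASH
        for i, entry in enumerate(self.trail):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["seq"] != i or body["prev"] != prev:
                return False
            if self._digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


if __name__ == "__main__":
    store = AuditedRecordStore()
    store.update("clerk_01", "ED-0001", {"triage_category": 3})
    store.update("doctor_07", "ED-0001", {"triage_category": 2})
    for e in store.history("ED-0001"):
        print(e["seq"], e["user"], e["before"], "->", e["after"])
    print("trail intact:", store.verify())
    store.trail[0]["after"]["triage_category"] = 5   # silent edit to the log
    print("trail intact after tampering:", store.verify())
```

A production system would also record a timestamp and write the log to storage the application cannot overwrite; the hash chain only makes tampering detectable, it does not prevent it.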

The morbidity system was also found to be working as intended, but because data is collected and transferred by insecure methods, and because security patches have not been applied, the data could be accessed by unauthorised users or an attacker.

"Patient information was collected from private hospitals using thumb drives, and from public hospitals using an insecure file transfer protocol (FTP) which sent information in clear text across the network. Both of these methods leave the information vulnerable to unauthorised access."
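To show concretely what "clear text across the network" means for the transfer described above, here is an added example that is not from the audit report or from the department's systems: a small parser that recovers the login credentials, transferred file names and data-channel endpoints from a captured FTP control channel, which is exactly what anyone able to observe the network path could do. The session transcript is constructed for this example; the username, password, hostnames, addresses and file names are all invented.

```python
"""Passive recovery of credentials and transfer metadata from a clear-text
FTP control channel.

Added example. The transcript below is CONSTRUCTED; every name, address
and file in it is invented for the illustration.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# What a capture of the control connection (TCP/21) would contain.
# Server replies start with a three-digit code; the rest are client commands.
SAMPLE_CONTROL_CHANNEL = b"""220 ftp.example.invalid FTP server ready\r
USER morbidity_upload\r
331 Password required for morbidity_upload\r
PASS Summer2012!\r
230 User morbidity_upload logged in\r
TYPE I\r
200 Type set to I\r
PASV\r
227 Entering Passive Mode (10,20,30,40,195,80)\r
STOR hospital_A_admissions_201205.csv\r
150 Opening BINARY mode data connection\r
226 Transfer complete\r
PORT 10,0,0,5,4,1\r
200 PORT command successful\r
RETR patient_extract.txt\r
150 Opening BINARY mode data connection\r
226 Transfer complete\r
QUIT\r
221 Goodbye\r
"""

# (direction, filename, data-channel host, data-channel port)
Transfer = Tuple[str, str, str, int]


@dataclass
class FtpSessionFindings:
    username: Optional[str] = None
    password: Optional[str] = None
    transfers: List[Transfer] = field(default_factory=list)


_ADDR_RE = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def _endpoint(text: str) -> Optional[Tuple[str, int]]:
    """Decode the h1,h2,h3,h4,p1,p2 form used by PORT and the 227 reply."""
    m = _ADDR_RE.search(text)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def extract_ftp_findings(control_bytes: bytes) -> FtpSessionFindings:
    """Walk the control channel and collect everything sent in the clear."""
    findings = FtpSessionFindings()
    data_endpoint: Optional[Tuple[str, int]] = None
    for raw in control_bytes.split(b"\r\n"):
        line = raw.decode("ascii", errors="replace").strip()
        if not line:
            continue
        if line[:3].isdigit():           # server reply
            if line.startswith("227"):   # passive mode: server names the port
                data_endpoint = _endpoint(line)
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "USER":
            findings.username = arg
        elif verb == "PASS":
            findings.password = arg      # the password itself, unencrypted
        elif verb == "PORT":             # active mode: client names the port
            data_endpoint = _endpoint(arg)
        elif verb in ("STOR", "APPE", "RETR"):
            direction = "download" if verb == "RETR" else "upload"
            host, port = data_endpoint if data_endpoint else ("?", 0)
            findings.transfers.append((direction, arg, host, port))
    return findings


if __name__ == "__main__":
    f = extract_ftp_findings(SAMPLE_CONTROL_CHANNEL)
    print("credentials:", f.username, f.password)
    for t in f.transfers:
        print("%-8s %-40s via %s:%d" % t)
```

The data channel carries the file contents just as openly, so an observer who has the endpoint from the 227 reply or PORT command can reassemble the transferred file as well. SFTP or FTPS removes both exposures; the parser above finds nothing useful in either.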

The Department of Mines and Petroleum's Royalties Online system was the only application with essentially no outstanding flaws.

"Only minor issues were identified during the audit, and all were promptly dealt with by the department and no longer pose any long-term risk."

However, the audit of WAP's Firearms Register was decidedly damning. The report said that the register has numerous weaknesses in how data is input, processed, and reported, and that it has "no confidence in the accuracy of basic information on the number of people licensed to possess firearms or the number of licensed or unlicensed firearms in Western Australia".

The report went on to say that the failure of this system means that WAP cannot manage gun ownership in the state.

"In the absence of reliable information, WAP are unable to effectively manage firearms licensing and regulation in WA."

In many cases, WAP has some information necessary to help it manage the regulation of firearms, but inconsistencies in the register mean that WAP is unable to rely on the information provided. One particular case that the report highlighted was that over 300 firearm licence holders appear to have firearms, despite being classified as unfit to possess them.

"We advised WAP of this issue during the course of the audit. They advised they were aware of it prior to our audit and had commenced a review to determine the accuracy of the information. At completion of our audit, they had followed up approximately 50 percent of the 'unfit to issue' licence holders listed in the system and found no firearms in the possession of these licence holders."

Likewise, when a firearm is correctly licensed to a person who then dies, there are no records to indicate whether the firearms have been seized. Potentially, 988 firearms are unaccounted for in this way.

On the general computer controls and capabilities front, the auditor general conducted control audits at 44 agencies and capability assessments at 36. It scored organisations in six key areas on a scale from 0 to 5 based on the maturity of their management processes: 0 represented no recognisable processes at all, and 5 meant that good practices are followed and optimised. The audit set a benchmark of 3, meaning that agencies should have processes that are documented and communicated.

Across the 36 agencies where capability assessments were conducted, only three met the benchmark in all six categories: IT operations, management of IT risks, information security, business continuity, change control, and physical security. The report also notes that half of the agencies it looked at failed to achieve the benchmark in three or more categories.

It said that the majority of its findings at agencies were rated as moderate, and that this should warrant action by those affected as soon as possible.

"It should be noted that combinations of issues can leave agencies with serious exposure to risk."