WA agencies failing to secure sensitive data

An audit by the Western Australian auditor general has found that seven government agencies have failed to adequately protect sensitive data from being attacked or accessed by unauthorised personnel.

Western Australian government agencies are not adequately protecting sensitive information from attackers to prevent unauthorised access and data loss, according to Western Australian Auditor General Colin Murphy.

In his latest two-part audit report into the Western Australia government's information systems [PDF], Murphy looked at how seven government agencies -- Murdoch University, Legal Aid, Department of Health, Curtin University, Department of Local Government and Communities (DLGC), Drug and Alcohol Office, and Department of the Attorney General -- were managing the security of their databases.

He said 115 weaknesses were identified in all seven key areas that were examined. These seven areas included attack surface, account security, system hardening, patching, data protection, auditing and monitoring, and backdoors and misconfiguration.

The first four areas -- attack surface, account security, system hardening, and version/patching -- represented the greatest risk to databases and the information they contain, and yet the audit found these four areas made up 64 percent of the total findings, with 47 percent rated extreme or high.

Murphy highlighted several agencies did not have firewalls segregating databases and servers from the rest of the network or other agency networks, increasing the risk of compromising services running on the database or server itself.

Additionally, none of the 13 systems were encrypting sensitive data stored within their databases or on backups stored on tapes and off-site, the report said.

Murphy said the results of the audit were concerning, in particular because the weaknesses were in some easy-to-fix areas such as passwords, patching, and setting of user privileges. At the same time, the audit found there were copies of sensitive information across systems and poorly configured databases.

The second part of the report looked at key applications agencies rely on to deliver services to the general public, and whether there were any failings or weakness in these applications. The four agency applications that were reviewed for the audit included the Department of the Attorney General's integrated court management system; Legal Aid Commission Western Australia's LAW Office; the Department of Local Government and Communities' WA seniors card management system; and Drug and Alcohol Office of WA's services information management system 2.

Murphy said while the findings indicated all four applications were performing well, there were some weaknesses around data validation, manual processing, and information security.

"Particular areas of concern were around data access and logging, software patching and updates, and general security practices in agency IT environments,' he said.

"These weaknesses increase the risk to the confidentiality, integrity and availability of sensitive information that is entrusted to agencies.

"All the agencies we audit understand the criticality of their IT systems to their operations; however, too many underestimate the risks that exist to those systems."