
WA Auditor General disappointed in agency treatment of information security

Western Australia's Auditor General has urged government agencies to pay attention to his latest report, as he is disappointed findings have been neglected in the past.

More than half of Western Australia's government agencies are not meeting benchmark expectations laid out by the state's Office of the Auditor General when it comes to the management and availability of confidential information.

Auditor General Colin Murphy said that after performing the Information Systems Audit Report for the eighth year, he is disappointed to see little or no improvement in controls year on year and that agencies are not treating the matter with the seriousness he believes it deserves.

"Information security and business continuity have not improved, scores fluctuate year to year, but the trend remains flat," Murphy said in a statement. "Given these categories relate to the security of information and the availability of services, I am very concerned about the lack of progress."

In his latest report [PDF], the Auditor General found that, across the 45 agencies audited and six key business applications, the most common weaknesses were ones that could lead to the compromise of sensitive information. The audit also exposed weaknesses in operational, procedural, and process controls that could potentially impact delivery of key services to the public.

"Many of the weaknesses I consistently report are easy to remedy, such as poor password management and ensuring data recovery processes are in place and updated in the event of an incident," Murphy said.

"I may have to look at ways to make agencies more accountable for IT weaknesses and it may include naming agencies not addressing or taking action to rectify concerns."

This year's audit focused on six control categories: the management of IT risks, information security, business continuity, change control, physical security, and IT operations.

The report found many internal agency weaknesses, such as information security policies that did not exist, were out of date, or were not approved; network, application, and database passwords that were easy to guess; applications and operating systems in use without critical patches applied; highly privileged generic accounts shared among many staff and contractors; firewalls and intrusion detection/prevention systems that were not configured correctly, leaving exposures; and many applications and systems with no virus protection software at all.

As a result, 454 general computer control issues were reported to the 45 agencies audited in 2015, compared with 398 issues at 42 agencies in 2014.

The audit found that only 10 agencies met the department's expectations for managing their IT environments effectively, compared with 11 in 2014.

"More than half of the agencies are not meeting our benchmark expectations in three or more categories and the overall result showed a 3 percent decline on the prior year," the report says.

"Change controls and physical security are managed effectively by most agencies, but the management of IT risks, information security, business continuity and IT operations need a much greater focus."

General computer controls, including controls over the IT environment, computer operations, access to programs and data, program development, and program changes, were also audited. Murphy's department found that although the applications were working effectively, all had weaknesses, the most common being poor policies, procedures, and security.

"These weaknesses could affect service delivery and compromise the security of the thousands of sensitive records held in the applications," the report says.

According to the Auditor General, some of the weaknesses included easy-to-guess passwords, software updates not applied, failure to remove accounts belonging to former staff, as well as manual data entry, processing, and manipulation.
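Several of the recurring findings above (accounts of former staff not removed, highly privileged generic accounts shared among many people, systems running without recent patches) are the kind of thing an agency can check for itself from routine exports. The following is an added example, not code from the report, the Office of the Auditor General, or the original article: it runs those three checks, plus a check for logons after a departure date, over constructed sample data. The account and system records, the departed-staff roster, the dates and the 90-day patch window are all assumptions made for the example.

```python
"""Account- and patch-hygiene checks of the kind the audit findings describe.

Added example over constructed data; not the auditor's tooling.
"""
from datetime import date

# Constructed "as of" date for the checks (assumption for the example).
AS_OF = date(2015, 6, 30)

# Constructed HR roster: login name -> date the person left the agency.
DEPARTED_STAFF = {
    "jsmith": date(2015, 2, 28),
    "mlee": date(2014, 11, 15),
}

# Constructed directory export: one record per account.
# "users" lists the people who actually know/use the credential.
ACCOUNTS = [
    {"name": "jsmith", "enabled": True, "privileged": False,
     "last_logon": date(2015, 6, 3), "users": ["jsmith"]},
    {"name": "mlee", "enabled": False, "privileged": False,
     "last_logon": date(2014, 11, 10), "users": ["mlee"]},
    {"name": "svc_backup", "enabled": True, "privileged": True,
     "last_logon": date(2015, 6, 28), "users": ["ops1", "ops2", "contractor_a"]},
    {"name": "akhan", "enabled": True, "privileged": True,
     "last_logon": date(2015, 6, 29), "users": ["akhan"]},
]

# Constructed patch inventory: hostname -> date of last patch run.
SYSTEMS = [
    {"host": "app-db-01", "last_patched": date(2014, 9, 1)},
    {"host": "web-02", "last_patched": date(2015, 6, 20)},
]


def former_staff_accounts(accounts, departed):
    """Enabled accounts whose owner has left (finding: former-staff accounts not removed)."""
    return sorted(a["name"] for a in accounts
                  if a["enabled"] and a["name"] in departed)


def post_departure_logons(accounts, departed):
    """Accounts used after the owner's departure date: the credential is still live."""
    return sorted(a["name"] for a in accounts
                  if a["name"] in departed
                  and a["last_logon"] is not None
                  and a["last_logon"] > departed[a["name"]])


def shared_privileged_accounts(accounts, max_users=1):
    """Privileged accounts known to more than one person (finding: shared generic accounts)."""
    return sorted(a["name"] for a in accounts
                  if a["privileged"] and len(a["users"]) > max_users)


def unpatched_systems(systems, as_of, max_age_days=90):
    """Systems whose last patch run is older than the allowed window (assumed 90 days)."""
    return sorted(s["host"] for s in systems
                  if (as_of - s["last_patched"]).days > max_age_days)


def run_checks(accounts, systems, departed, as_of):
    """Run every check and return the findings keyed by check name."""
    return {
        "former_staff_enabled": former_staff_accounts(accounts, departed),
        "logons_after_departure": post_departure_logons(accounts, departed),
        "shared_privileged": shared_privileged_accounts(accounts),
        "unpatched_over_90_days": unpatched_systems(systems, as_of),
    }


if __name__ == "__main__":
    for check, hits in run_checks(ACCOUNTS, SYSTEMS, DEPARTED_STAFF, AS_OF).items():
        print(f"{check}: {', '.join(hits) if hits else 'none'}")
```

In practice the roster would come from HR and the account and patch records from the directory and patch-management exports; the point of joining them is that each of these findings is visible from data the agency already holds, which is why the report calls them simple and inexpensive to correct.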

Murphy said there are lessons in this report for all agencies, not just for those audited, about the management of IT systems. He said that if the recommendations tabled are taken on board, there should be an improvement in next year's audit.

"Agencies are urged to take note of the findings and act on the recommendations to ensure the confidentiality and integrity of information. Many of the issues raised in the report are simple and inexpensive to correct and agencies should address those identified as soon as possible," he said.

In May, Murphy declared that there were significant savings to be gained if government services were moved online.

In the Delivering Services Online audit report, Murphy acknowledged that Western Australia is not as advanced as some other Australian jurisdictions in delivering common services online, pointing out that current services such as applying for birth certificates or a replacement driver's licence remain paper-based, despite growing customer demand and the technology being available.

Among other things, Murphy pointed out at the time that the state government could save more than AU$2.2 billion over 10 years if half of all phone and mail transactions were moved online.