NSW’s auditor-general Peter Achterstraat today rubbished the State Government’s IT security procedures in a new report, saying the state could not guarantee to its residents that it was keeping their information secure and away from prying eyes.
In the report, Achterstraat wrote that NSW had been issuing edicts about electronic information security for a decade, with agencies having been directed since at least 2001 to develop and implement security policies around how they hold personal information and certify their IT systems.
After a number of earlier policies, the auditor wrote, agencies were again told in 2007 to get their security systems certified to international standards.
“But there was no deadline, no effective monitoring and no consequences if they didn’t,” wrote the auditor. “The Government does not know how well agencies are securing sensitive personal information.”
Central to the problem, according to Achterstraat, is that no central decision-making body has the authority and the “teeth” to make State Government agencies comply with the necessary standards, and that the area lacks clear direction and strong leadership.
“A fundamental re-think about electronic information security is needed,” the auditor wrote. “Government needs to reform the overall arrangements within which agencies manage information security. If anything, IT security is going to get harder, not easier. Technological change is speeding up. The level and sophistication of external threats is increasing.”
“And to improve services efficiently, public sector agencies will need to make more use of the personal data they have and share more data with others.”
The report recommended that a number of measures be taken within the State Government to improve its IT security. For starters, a new state-wide ICT strategy should be published that would establish new electronic information security governance arrangements by June 2011.
New lines of organisational accountability should be established, security baked into all new IT systems, mandatory training provided to public servants who deal with sensitive information, and so on. “It is important that a new ICT strategy with a strong focus on IT security and improved IT security governance arrangements, [is] implemented quickly,” wrote the auditor.
In a response to the report, Department of Premier and Cabinet director-general Brendan O’Reilly pointed out that there had been no systemic information problems within the State Government noted as part of the audit — broadly the audit had only found that the state did not know how well its agencies were implementing security policy, and had pointed to some specific examples of problems.
However, O’Reilly acknowledged the importance of the issue, and said the Government’s existing policy in the area, contained in Ministerial Memorandum M2007-04, was being reconsidered, and that the State Government’s current review of ICT strategy offered an opportunity to better address the problem.
NSW is not the first state in Australia to be faced with the wrath of its auditor over information security. At various stages over the past few years a number of reports have pointed to the same problem in other states.
For example, in March this year Western Australia’s Auditor-General issued a serious warning to the state’s departments and agencies to beef up their IT security practices, with a report finding that most were not even using basic security techniques such as encryption of sensitive data on laptops and USB keys.