Those of you who have been reading Delimiter for some time will know that for much of the past half-decade, Western Australia’s Auditor-General has been warning that the State Government’s IT security is pretty abysmal. Every year Auditor-General Colin Murphy and his team run a series of tests on various departments and agencies in the state, and every year they find huge holes in the State Government’s IT security that hackers could presumably drive buses through. There was a similar report in March 2010, and another one in June 2011. Now there’s a new audit, with similar findings. You can download the full audit report here (PDF), and here are a few quotes from Murphy’s media release issued yesterday (PDF):
The general computer control audits and capability maturity model assessments involved an assessment of 44 and 36 agencies respectively against six general computer control categories: IT operations, management of IT risks, information security, business continuity, change control and physical security. Mr Murphy found that more than half of the agencies assessed had not established adequate controls to manage IT risks, information security and business continuity.
“I was pleased to note that eight agencies had made improvements in at least one of the categories without regressing in another,” he said. “However, only three of the 36 agencies we assessed were rated as having mature general computer controls.”
The application controls section of Mr Murphy’s report looks at five business applications at four agencies and while most of the applications were working effectively, numerous weaknesses were identified with the WA Police (WAP) Firearms Register and supporting systems.
“As a result of our findings, we have no confidence in the accuracy of basic information on the number of people licensed to possess firearms or the number of licensed or unlicensed firearms in Western Australia,” Mr Murphy said. “In the absence of reliable information, WAP is unable to effectively manage firearms licensing and regulation in WA.”
What really annoys me about the IT security debate in Australia is that we see a lot of high-level commentary from organisations such as the Defence Signals Directorate about so-called ‘cyber-security’ threats emanating from countries such as China, but when it comes to implementing basic IT security policies in Government, our departments and agencies seem to be pretty clueless. In my opinion, it wouldn’t take much of an investment to hire a few dedicated IT security staff on a permanent basis to examine each major State Government department and ensure that they’re getting the basics right. The fact that our Governments can’t seem to do this is something of an indictment. I mean … in 2013, having a business continuity plan in place should be a basic condition for operating any government department.
It’s also worth noting that I’ve reported on at least half a dozen of these types of reports in State Government over the past half-decade. NSW has similar problems, as do Queensland and Victoria. The ACT claims it doesn’t, but I’m not sure I believe it, and I’m sure the other jurisdictions also have similar issues beneath the surface. It’s time we started getting this stuff right — it’s basic IT hygiene, after all.