WA Govt agencies ignore constant warnings on IT security


news Western Australia’s Auditor General has warned that over a half of Government agencies are failing to heed advice on IT security.

In his annual Information Systems Audit Report, Auditor General Colin Murphy highlighted weaknesses in the way many agencies manage their IT systems and aired his concerns about the lack of improvement in this “serious matter”.

The two-part report, tabled in Parliament yesterday, looked at general computer controls across 45 government agencies in six categories: IT operations, management of IT risks, information security, business continuity, change control and physical security.

“These controls are recognised as good practice and ensure computer systems are designed, configured and managed to preserve the confidentiality, integrity and availability of information,” the Auditor General said in a statement.

The audit found over half of the 45 agencies were not meeting the benchmark in three or
more of the control categories.

Murphy said that, after eight years of carrying out the audit, “I am disappointed to see little or no improvement in controls year on year and agencies not treating this matter with the seriousness it deserves”.

“Information security and business continuity have not improved, scores fluctuate year to year, but the trend remains flat,” he said. “Given these categories relate to the security of information and the availability of services, I am very concerned about the lack of progress.”

Furthermore, he explained, many of the weaknesses reported are “easy to remedy”, such as poor password management and ensuring data recovery processes are in place to protect against possible incidents.

“I may have to look at ways to make agencies more accountable for IT weaknesses and it may include naming agencies not addressing or taking action to rectify concerns,” Murphy warned.

An additional audit of five key applications across the agencies found that, although the applications were working effectively, all had weaknesses, with the most common being “poor policies, procedures and security”.

Murphy suggested that these weaknesses could affect service delivery and “compromise the security of the thousands of sensitive records held in the applications”.

Common weaknesses found by the audit included “easy to guess” passwords, software updates that had not applied, failure to remove accounts of former staff and manual data entry, processing and manipulation.

Murphy said there lessons can be found in this report “for all agencies, not just for those audited”, which, if taken on board, should see an improvement in the results of next year’s audit.

“Agencies are urged to take note of the findings and act on the recommendations to ensure the confidentiality and integrity of information,” Murphy said, concluding:

“Many of the issues raised in the report are simple and inexpensive to correct and agencies should address those identified as soon as possible.”