When the most popular Australian standard ever produced concerns itself with risk management, then you know you’re onto a hot topic.
With current risk drivers such as international terrorism on one side and the Privacy Act on the other, risk management has proved to be a major issue for management to grapple with, and none more so than those in government agencies. But just how coordinated is the approach to risk management within government organisations?
It seems there is still considerable work to do.
Of the 6000-plus standards that Australian Standards (AS) currently maintains, the most widely used is AS/NZS 4360, a generic “beginner’s primer” standard on risk management.
And by world standards in standards, Australia is leading the field. “We were the first to come up with a risk management standard in this region,” says AS director of business standards Mark Bezzina. “Our standard is incorporated into ISO standards. The UK National Health system uses our standard. We’re lucky to have had all stakeholders in risk management across all areas — public and private sector, industry, vendors, users — agree on an approach.”
Indeed, as emphasis on the subject grows, AS/NZS 4360 is just one of a number of standards on risk management exercising management minds, with some specifically focusing on issues in IT and the public sector (see “Setting the Standards”, below). “The subject was very fragmented in the early days,” Bezzina says. “But we’ve gathered together representative people from varied backgrounds to develop a coordinated approach.”
Risk in the Public Sector
But having standards is one thing. Doing something useful with them is something else altogether. Just how important is risk management within government organisations? Clearly, it is increasingly becoming a major issue.
“Generally people are more au fait with the idea of discussing corporate management and risk management in a business sense than a government sense,” says Ian Commins, partner in Brisbane law firm MacGillivrays. “There is a difference. The role of government agencies is to generate public benefit and political stability. And a primary function of government agencies is to keep records. A significant risk is that these records can be infiltrated or used for improper purposes.”
However, risk management increasingly is exercising government minds. At the Queensland Audit Office (QAO) the main purpose of a briefing published late last year on “Information Governance and Access Controls” was to: “raise awareness of the importance of controls over information in the Queensland Public Sector and to encourage agencies to give special attention to improving access controls in particular”.
“You only have to read the newspapers to realise that information is a valuable asset to government and protection of access to information is critical to ensure that this asset is not lost, amended, misused, inappropriately disclosed or damaged,” Auditor-General Len Scanlan writes.
He also points out that these issues are particularly pressing when you consider the public sector’s legal obligation and enforceable right to collect information, and the nature of much government information on a national or international security level.
His QAO paper continues: “We are in an era where everyone is very security conscious, but this is inconsistent with our attitudes towards access controls as reflected in our behaviour towards IT security compared with our practices of locking doors at home, cars, etc.”
IT As a Source of Risk
Since the advent of data storage systems, keyword searching, the Internet and the Web, IT has proved itself to be an invaluable tool in the management of information. But with these same technologies, organisations have also opened themselves up to increasingly greater and more sophisticated security breaches.
The Australian Federal, Queensland, South Australian and West Australian police, in association with AusCERT, have recently published the 2003 Australian Computer Crime & Security Survey. A fifth of respondents were from the public sector. According to the survey, 42 per cent of respondent organisations experienced one or more computer attacks that “harmed the confidentiality, integrity or availability of network data or systems”.
The US equivalent survey in 2002 found that about 90 per cent of respondents had detected computer security breaches within the previous 12 months, and 80 per cent acknowledged financial losses as a result.
Only 11 per cent of respondents to the Australian survey felt they were managing all computer security issues reasonably well, and two-thirds of organisations increased their expenditure on network security in the past 12 months as a result of computer security incidents or concerns.
The trend shows a continuing shift towards “a greater occurrence of externally-sourced harmful attacks and fewer internally-sourced harmful attacks”. Of those who experienced attacks which harmed data confidentiality, integrity and availability, 91 per cent experienced externally-sourced attacks and 36 per cent experienced internally-sourced attacks (that is, external attacks outnumber internal, a reversal of the accepted wisdom).
Only a minority of respondent organisations hold specialist IT security certifications, and 38 per cent were dissatisfied with the level of IT security qualifications, training or experience within their organisations.
So what to do about it?
In legal circles, computer crime is often dealt with as a separate issue to such crimes as theft. This is largely because the crime of “asportation”, which means feloniously taking away, is not relevant in a situation where data is corrupted or copied, but not removed.
Commins says most legislation splits hacking into two issues — the misuse of computer systems and the misuse of information. This latter is further divided into:
- improper access to data
- improper use of data
- improper alteration of data.
This has raised some interesting anomalies, which the 2003 computer crime survey suggests leads to some jurisdictions needing to determine whether or not a criminal offence has even been committed. “In Western Australia,” the report notes, “the definition provided for ‘things capable of being stolen’, under Section 370 of the WA Criminal Code, does not include ‘information’. Hence a situation where a person copied a client database from his former place of employment may in fact not be a criminal offence.”
In this case, civil avenues of redress might have to be considered, or resorting to the misuse or unlawful use of computer systems provisions in the legislation.
Commins says Commonwealth and state legislatures have taken a more serious view of computer crime in recent years. In the past, because there was no violence involved, it was regarded as a “simple offence”. Now, it is an “indictable offence”, which pushes it into a whole new category.
Outside of legal avenues, there are the usual e-security measures, firewalls, backups, hot, warm and cold desks, mirror sites and so on ad infinitum, which constitute an industry in themselves and which apply equally to public and private sectors.
On top, there are public sector codes of practice and standards aplenty, such as the Queensland government’s IS (for “information systems”) 18. Some of these are so advanced that agencies are offering their services as IT security experts. The WA government’s Office of E-Government has done just that with GovSecure, which has a range of products and services relating to information security assurance and Internet and network security, including a methodology and software tools for security standards implementation, on offer to other government agencies.
IT As a Risk Management Tool
Of course, there are other sources of risk than IT security breaches. There are budgetary requirements, fiduciary issues, legal obligations and of course compliance with standards, certifications and privacy legislation.
In these, IT can take on the more positive role of a tool to assist in the monitoring and management of risk.
Bezzina says Australian Standards has discussed the topic of IT risk management tools in committee, but has chosen not to produce a standard because it is loath to endorse any specific packages. He does say, however, that you should be careful when choosing a tool with a proprietary system that impinges on intercommunication functions.
Alastair Sharman, risk management specialist with the Brisbane-based e-Security cluster of organisations (to which Commins also contributes) and operations manager with IT security firm Electronic Warfare, says there are a variety of risk management tools, “some very good and intuitive and some that aren’t so good”.
You can find tools to undertake the collection of data, analysis of data and produce automated reports, “but at the end of the day it’s not the sophistication of the tools but the skills of the people who manage risk, manage the data and analyse the results.
“Better tools require a higher level of training,” Sharman says. “But be careful, as those trained often move on, leaving the RM system on a desktop and never used.”
Documentation and the procedures to follow are more important. “A mediocre tool well-used (and that might be an Excel spreadsheet) is probably better than a sophisticated tool not used properly, or at all.”
IT Projects — a Risky Venture
The topic of IT projects and risk management is important enough to have spawned a multi-trillion dollar industry covering hardware and software suppliers, IT consultants, analysts and outsourcers, not to mention a media always hungry for a good story.
One need only mention the federal government’s “whole of government” outsourcing policy to realise that there are enough different agendas to create whole levels of risk in need of management.
According to the Standish Group, almost three-quarters of IT projects in 2000 failed for various reasons and to various degrees. Some 49 per cent were completed late, over budget or below specification, while another 23 per cent were cancelled. And according to the MIT Technology Review, software projects often devote 80 per cent of their budgets to repairing flaws they themselves produced.
A depressing view, but enough to convey the impression that IT projects themselves are worthy of serious risk management consideration.
How Stands the Public Sector?
So much for the issues.
With all the standards, policies, legislation, codes and directives in the world, it still comes down to putting it all into practice. So how do government agencies rate on the risk management ladder?
Or, more precisely, how long is a piece of string?
Brad Greer, president of the Association of Risk & Insurance Managers of Australasia (ARIMA), says that “each government agency would be at a different position”, depending on certain criteria, which he lists as:
- how long it has been looking at risk management
- the commitment from the top for risk management to actually happen rather than providing lip service or thinking it is only insurance or health and safety
- the resources that have been provided to facilitate the process, and
- the position risk management sits in the structure, under legal, HR, audit, treasury or somewhere else, in addition to where it sits with authority in the structure — high enough to make an impact with internal politics being played.
Sharman says: “Some areas of government are better [than the private sector], others are behind. The implementation of standards and principles of procedure are largely ahead of the private sector.” He says that federal agencies are ahead of the pack, thanks to greater resources and national security issues, followed by state agencies and then local government. “Some locals are not doing anything,” he says. “The larger ones are managing a lot of financial info and going online, so they are moving better.”
John Roberts, vice-president and chief of research for Gartner, says that half of organisations generally have no disaster recovery plan. He sees no reason why this should be any different in the public sector. “They don’t have customers who can go somewhere else,” he says, “so there is a different sense of financial risk. Risks of failure for private enterprise are greater.” In other words, governments do not normally go bankrupt.
The QAO is not so impressed with Queensland public sector agencies’ sense of urgency. “The controlling of access to systems and information does not appear to be getting the attention it requires . . . Given that our focus has been primarily on financial systems, it is a reasonable assumption that the same difficulties will also apply to non-financial systems as well . . . Over the past four years it is evident that despite the extent of shortcomings reported by my officers there has been little noticeable improvement.”
That was last year. And now?
Jodie Siganto, managing director of Bridge Point and another member of the e-Security cluster, seems to agree there are still problems. She says that, “based on anecdotal information, implementation [of e-security measures in Queensland agencies] has been fairly poor”. She puts that down to a resourcing issue rather than lack of interest. “They have been recruiting more people and getting more focused on implementing risk management.” Sharman agrees that the allocation of resources is a major issue.
Siganto stresses that there has been no major security incident regarding Queensland’s government IT, but this might be a mixed blessing. “When speaking with managers offline, they say they’d love an incident, just to prove the need for resources.” She baulked at the suggestion of anyone volunteering to provide such a service.
“New South Wales is more compliant and moving faster,” she adds. “They did have a major incident a few years ago, and that polarised their focus.”
Despite all the technological and legislative fixes, it comes down to broader issues of attitude, resources and people.
Bezzina says: “If there’s one thing that really needs to be considered, it’s the understanding of information as an asset. Sometimes organisations are struggling with defining requirements and support. They have trouble holding onto really good people, who are being poached into the private sector.
“It’s a very wide area, very technical, and you need this very strange sort of person who can stretch their mind from the general to the specific.”
Which probably explains why risk management manuals sell so well.
Setting the Standards
The following are the relevant Australian standards on risk management (in suggested order of incorporation to an RM program):
- AS/NZS 4360 (1999) — first published 1995, this is a generic RM standard. The most recent edition was produced in 1999, and it is in the process of being revised for publication in 2004. It is the “most used standard we’ve ever produced”, says Mark Bezzina, AS director of business standards.
- HB 254 (2003) — “A Guide to Control Assurance and Risk Management” — handbook designed for board level management.
- HB 231 (2000) — “Information Security Risk Management Guidelines”. This handbook is the major standard for IT, supporting both the 4360 and 17799 (see below) standards that called for risk assessment of information, particularly for internal risk. It is currently being reviewed for possible revision.
- HB 248 (2001) — “Organisational Experiences in Implementing Info Security Management Systems”. This covers a range of organisational case studies, primarily in the private sector.
- AS/NZS ISO/IEC 17799 (2001) — “Information Technology — Code of Practice for Information Security Management”. This is a joint standard based on international standards (was previously AS 4444).
- HB 240 (2000) — “Guidelines for Managing Risk in Outsourcing Utilising the AS/NZS 4360 Process”.
- HB 143 (1999) — “Guidelines for Managing Risk in the Australian and New Zealand Public Sector”. This covers general RM principles.
In addition, there are various standards on corporate governance that may have relevance to the public sector.
Australian Standards’ Mark Bezzina says the above standards are widely disseminated and incorporated into a number of specific agency protocols, including the Defence Signals Directorate (DSD) guidelines.