Audit: Agencies under fire for lax security

Six Australian government agencies have come under fire from the Australian National Audit Office (ANAO) for their lax security.

The report on a 2005 audit of security management was released yesterday and is called Internet Security in Australian Government Agencies. The Australian National Audit Office (ANAO) found 31 specific risks - as defined by the Defence Signals Directorate (DSD) - in agency Web servers.

Three percent of risks were high level, 32 percent were medium level and 65 percent of risks were low-level risks. The ANAO made 51 suggestions for improvements.

Alarmingly, the ANAO report also concluded the current level of Internet security in six government agencies was insufficient, and that none of the agencies fully complied with the Protective Security Manual (PSM) and ACSI 33.

The PSM is a list of common standards for protective security for all Australian Government agencies and contractors with eight points including security policy and personnel security. ACSI 33, part of the PSM, breaks down risk management into five simple steps - context, identifying, analyzing, assessing and developing a plan and is mandatory for all commonwealth agencies.

The audited agencies were Australian Customs Service, Australian Federal Police (AFP), Australian Radiation Protection and Nuclear Safety Agency, Department of Education and Workplace Relations, Department of Industry, Tourism and Resources and Medicare Australia.

None of the agencies had ICT security documentation that complied with the PSM and ACSI 33, and lacked a systematic and coordinated program for ongoing management of ICT security-related risk assessments. Security policies and system security plans were not linked to ICT risk assessments and plans, and the agencies lacked system security plans.

The ANAO report stated agencies had only limited business continuity plans, if at all.

"While several of the six agencies had initiated development of business continuity and disaster recovery plans for Internet services, only one had sound plans in place," the report stated.

"Two agencies largely depended upon the knowledge of key staff and had few documented procedures. Documents were found in draft form and some plans had not been regularly reviewed.

"A majority of the agencies audited had implemented standard operating desktop procedures that did not comply with ACSI 33. Non compliance was found in inappropriate password management, user account privileges inappropriately administered, no documented procedures for incident detection and response and management of hardware and the use of remote access was not adequately secured."

E-mail filtering in all agencies was found to be inadequate. Only one of the agencies had sound disaster recovery plans in place. Two agencies were found to depend on the knowledge of key staff and few agencies had documented procedures, some documents were left in draft form and some plans had not been regularly reviewed.

The report also recommended the Department of Industry, Tourism and Resources document the coverage of Internet services within business continuity and disaster recovery plans in 2006-07, introduce requirements for documenting benefits versus risk before purchasing new technologies and review e-mail blocking tools with a view to "improving the blocking of malicious e-mails".