PwC review lauds ATO's security practices

The Australian Taxation Office is on top of its game when it comes to information security, an independent investigation has found.

PricewaterhouseCoopers was commissioned last December to do a comprehensive four-month long review of the security practices at the Tax Office.

In his summary notes, PwC partner Mark Ridley, said that as an organisation, "the Tax Office is highly conscious of information security and considers the security of the information with which it is entrusted as a serious business issue."

Furthermore, "the Tax Office compares favourably with other organisations - particularly with regard to security culture - and a strong sense of responsibility for security exists amongst Tax Officers."

The ATO undertook the review as a preventative measure after high profile cases overseas such as in the US and UK that resulted in the loss or disclosure of sensitive information.

"It was clear during the course of this review with meetings with Senior Executives and Management from across the organisation, that the Tax Office generally has a lower appetite for risk in relation to stewardship of client information than many other organizations which we see," the report reads.

"While this evidently stems from the large volumes of personal and corporate sensitive information which the Tax Office processes on a daily basis, the Tax Office appears more security conscious when compared to other organisations with large customer and financial databases."

The ATO came up trumps in many areas. The investigation, titled Information Security Practices Review, also found the ATO's information security governance structures are "generally sound"; it has a clear corporate stance on security matters; has effective education and awareness programs; has a well defined security classification framework; has a range of effective security monitoring mechanisms; and has incident response mechanisms in place.

Page Break

The investigation covered five key areas: potential "hot spots" such as work practices and areas representing higher risk to the organisation; information security policy and governance frameworks; implementation of security policy "in action"; monitoring mechanisms; and response mechanisms.

As a result of the review, the Tax Office said it will:

• Align corporate risk management practices and policies more closely with security risk management;
• Revise existing policies to strengthen security practices for staff who work away from the office and the secure transfer of bulk data;
• Revise frameworks so staff better understand who is accountable for an information risk;
• Provide additional tools and technologies to help staff better manage documentation, especially those who work away from the office;
• Strengthen assurances that all security requirements are being met when transferring information with other organisations;
• Strengthen routine checks to ensure our systems are working securely, and
• Ensure a consistent, co-ordinated response to any information security incidents.

"We will implement the priority recommendations over the next two years and build on our strong foundation of keeping taxpayer information secure," said Tax Commissioner Michael D'Ascenzo.