Victorian Auditor-General warns about poor ICT security

“Disappointingly, some 45 per cent of audit findings from previous years are yet to be rectified,” says Auditor-General John Doyle
Government security under scrutiny
Nearly 12 months after security gaps were first flagged across Victorian agencies’ ICT systems, little progress has been made, the state’s Auditor-General, John Doyle, has warned.

This warning coincides with a new report tabled in Parliament noting that ICT systems across government still remain open to security breaches. Moreover, software patch management and ICT disaster recovery planning require urgent attention.

“Disappointingly, some 45 per cent of audit findings from previous years are yet to be rectified,” the Auditor-General John Doyle said.

He noted that agencies must accelerate the rate at which they resolve previous audit findings. “They need to make sure their underlying processes are improved so that audit findings do not re-occur.”

Audit updates are published in the Information and Communications Technology Controls Report 2013-14.

Disappointing results

This report looks back on the progress made on 364 audit findings across 39 organisations. Its overall thrust has been to examine the growth of ICT outsourcing to the private sector, the broader adoption of cloud services and access to industry expertise.

“While there may be many potential benefits from these services, the risks associated with such an approach needs to be understood and actively managed by entities that are taking up such arrangements,” Doyle said.

“Overwhelmingly, a recurring finding is the need to improve ICT security controls. Inadequate management of ICT security accounts for a large proportion of the ICT audit findings reported during our financial audits.”

Doyle noted that the Auditor-General’s Office will closely monitor agencies' progress in rolling out more comprehensive ICT security programs. He added that agencies are “addressing low-risk ICT audit findings at a better rate than medium-risk and high-risk findings”.

The Auditor-General’s audits have examined user access and authentication controls, as well as audit logs. Patch management and better planning around disaster recovery and business continuity also came under scrutiny.

Room to improve

Based on current findings, the Auditor-General’s Office notes that there is room to improve at all levels of security planning and implementation. This factors in better security planning and access controls. The focus is on potential breaches involving ICT systems, networks or communications infrastructure.

Moreover, security assurance programs need closer attention, the audits found. These assurances encompass access to data processing services, shared services, outsourcing arrangements and use of cloud computing, either domestic or off-shore.

The audits found that ICT disaster recovery planning remains weak, with few formalised disaster recovery plans or frameworks in place. This limits agencies’ ability to respond to a “significant ICT disaster” in a methodical and timely way.