Nairn disappointed with ANAO report: launches workgroup

Special Minister of State Gary Nairn has expressed disappointment at the findings of a report into Internet security by Australia's National Audit Office (ANOA).

While Nairn considers the findings timely, he said it also highlights some issues surrounding areas of governance, processes and security technology in government agencies.

These area are critical, the minister said, for agencies to rollout the proposed e-Government strategy.

Six Australian government agencies have come under fire from ANAO for their lax security.

Dubbed the Internet Security in Australian Government Agencies report, it found 31 specific risks - as defined by the Defence Signals Directorate (DSD) - in agency Web servers.

Three percent of risks were high level, 32 percent were medium level and 65 percent of risks were low-level risks. The ANAO made 51 suggestions for improvements.

Alarmingly, the ANAO report also concluded the current level of Internet security in six government agencies was insufficient, and that none of the agencies fully complied with the Protective Security Manual (PSM) and ACSI 33.

"Given these circumstances it doesn't help anyone if we approach this with a witchhunt mentality," the minister said.

"I have asked the Australian Government Information Management Office (AGIMO) to look at ways we can get the message to CEOs and to help CIOs put in place the necessary structures, processes and tools to meet the requirements.

"The ANAO has provided detailed reports to each of the agencies that were audited and they all accept the findings. ANAO and the government will not make public any of the detail as this would compromise security."

Nairn said AGIMO will now be looking to conduct briefings to Government CEOs to "bring them up to date with the changing nature and sophistication of the external threat," and also include a "Better Practice Guide" for CEOs to help in understanding the structures, processes and funding they need to address Internet security.

Workshops will also be provided in conjunction with the Defence Signals Directorate (DSD) and Attorney General's Department for CIOs and technical staff on the steps needed to fully implement the measures outlined in the 2005 PSM and ACSI 33 standards.

The audited agencies were Australian Customs Service, Australian Federal Police, Australian Radiation Protection and Nuclear Safety Agency, Department of Education and Workplace Relations, Department of Industry, Tourism and Resources, and Medicare Australia.

None of the agencies had ICT security documentation that complied with security standards with limited business continuity plans.

E-mail filtering in all agencies was found to be inadequate.

The report also recommended the Department of Industry, Tourism and Resources document the coverage of Internet services within business continuity and disaster recovery plans in 2006-07, introduce requirements for documenting benefits versus risk before purchasing new technologies and review e-mail blocking tools with a view to "improving the blocking of malicious e-mails".