The Victorian Auditor-General’s latest interim results report has identified a number of key ICT weaknesses in the operations of the state’s 11 portfolio departments. The report, tabled in the Victorian Parliament on 28 July 2010, singled out system-wide security vulnerabilities, weak protection of personal data, inconsistent recording of contracts and procurement, and poor oversight of outsourced ICT providers as the central areas of concern.
Auditor-General Des Pearson identified weaknesses in the procurement processes of the portfolio departments. The recording and management of contracts was a particular issue: departments were found to differ in “the number of registers they have, what information is recorded in registers, and what use is made of the information.”
The Department of Primary Industries (DPI) and the Department of Education and Early Childhood Development (DEECD) were found to record all contracts in a register regardless of their type or value, while the Department of Health (DOH) records all capital contracts on a capital management system. The remaining eight departments were found to only record contracts above $100,000. The report recommends that departments should record all contract data in a register irrespective of value.
Mr Pearson also made findings and recommendations pertaining to a number of unspecified departments.
ICT system security across the departments, including controls over passwords and remote system access, was deemed “poor” by the report, which found that there was “limited monitoring of the integrity of the operation of security systems.”
“Six portfolio departments had password settings with no complexity or length requirements, no history set to prevent repeating passwords, and no expiration time frame,” Mr Pearson said.
Security issues were also noted in the remote login controls at CenITex, the Victorian government ICT shared services agency used by four departments, which were not configured to log user activity or to limit the number of failed attempts a user could make to access systems.
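The two findings above (password settings with no complexity, length, history or expiry requirements, and remote access with no logging of failed logons and no limit on failed attempts) are all visible in a single Windows local security policy export. The checker below is an added example, not part of the report or of any Victorian government tooling: it parses the INF text that `secedit /export /cfg <file>` writes and flags each weakness the report names. The sample exports are constructed for the example, and the thresholds (minimum length, history depth, maximum age) are this example’s assumed baseline, not values taken from the report.

```python
"""Flag the password, lockout and logon-audit weaknesses described in the
Auditor-General's findings from a `secedit /export` policy file.

Added example; secedit's key names are real, the sample values and the
thresholds below are this example's own assumptions.
"""
import configparser
import sys
from typing import List

# Constructed sample mirroring the report's weak configuration. A real export
# is UTF-16 on disk and carries many more keys; only the relevant ones appear.
WEAK_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = -1
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
[Event Audit]
AuditLogonEvents = 0
"""

# Constructed sample of the same keys with settings that pass every check.
HARDENED_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 90
MinimumPasswordLength = 14
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 5
ResetLockoutCount = 15
LockoutDuration = 15
[Event Audit]
AuditLogonEvents = 3
"""

MESSAGES = {
    "LENGTH": "no (or too short a) minimum password length",
    "COMPLEXITY": "password complexity requirement disabled",
    "HISTORY": "password history too short to prevent reuse",
    "EXPIRY": "passwords never expire or expire too late",
    "LOCKOUT": "no lockout after repeated failed logons",
    "LOGON_AUDIT": "failed logon attempts are not audited",
}


def audit_policy(text: str, min_length: int = 12, min_history: int = 10,
                 max_age_days: int = 90) -> List[str]:
    """Return the codes of every weakness found in a secedit export."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep secedit's CamelCase key names intact
    cp.read_string(text)
    access = cp["System Access"] if cp.has_section("System Access") else {}
    audit = cp["Event Audit"] if cp.has_section("Event Audit") else {}

    def num(section, key, default):
        try:
            return int(section.get(key, default))
        except ValueError:
            return default

    findings = []
    if num(access, "MinimumPasswordLength", 0) < min_length:
        findings.append("LENGTH")
    if num(access, "PasswordComplexity", 0) != 1:
        findings.append("COMPLEXITY")
    if num(access, "PasswordHistorySize", 0) < min_history:
        findings.append("HISTORY")
    age = num(access, "MaximumPasswordAge", -1)
    if age == -1 or age > max_age_days:  # -1 is secedit's "never expires"
        findings.append("EXPIRY")
    if num(access, "LockoutBadCount", 0) == 0:  # 0 = unlimited failed attempts
        findings.append("LOCKOUT")
    # AuditLogonEvents is a bitmask: 1 = audit success, 2 = audit failure.
    if not num(audit, "AuditLogonEvents", 0) & 2:
        findings.append("LOGON_AUDIT")
    return findings


if __name__ == "__main__":
    # Usage: python audit_policy.py exported.inf  (secedit writes UTF-16)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-16") as fh:
            text = fh.read()
    else:
        text = WEAK_EXPORT
    for code in audit_policy(text):
        print(f"{code}: {MESSAGES[code]}")
```

Run against a live host with `secedit /export /cfg %TEMP%\policy.inf` and then `python audit_policy.py %TEMP%\policy.inf`; on a domain member the effective settings come from the domain GPO, so export them from the relevant GPO backup rather than from a workstation. Failing to audit logon failures is the checker’s analogue of CenITex not logging user activity, and a zero `LockoutBadCount` is the analogue of unlimited failed attempts.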
Weaknesses in the policies and procedures governing information security were observed in three unspecified departments; in one of them, senior management was found not to have approved the department’s own information security policies and procedures.
The confidentiality and integrity of personal information held on department ICT systems were found to be compromised. In particular, a shared services environment used by three departments was found to be using real personal information from the human resource and payroll systems when testing applications.
Department oversight of outsourced ICT providers, cited as a concern by the Auditor-General in a previous audit, was highlighted as another key concern, the report finding that “five of the six portfolio departments using CenITex services had not sought a letter of comfort to adequately assure themselves about the effectiveness of CenITex controls”.
A further three departments were found to be “not adequately monitoring the performance of outsourced IT providers,” while two departments were reported as not possessing “service level agreements with their IT service providers.”
The effectiveness of the systems for recording ‘conflict of interest’ declarations was found to vary between the departments, with four found to “take a systematic approach to gathering and recording declarations,” while the other seven departments were deemed to “not take a systematic approach but store declarations in various areas, such as on personnel files and procurement files.”
The security of the departments’ payment processes was also assessed, the report observing that “while all portfolio departments stored the EFT (Electronic Funds Transfer) file on a secure network, four portfolio departments did not protect the file so that changes could not be made.”
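The report names no particular mechanism for protecting the EFT file, and the first line of defence is a share ACL that lets only the approving officer write it. The added example below (not from the report or any department’s system) shows the complementary detective control: the approver seals the file with an HMAC at sign-off, and the submission step refuses any file whose content, size or name no longer matches the seal, so an edit made on the network drive between approval and bank upload is caught. The batch content, file name and key are constructed for the example; in production the key would live with the approver or in a key store, never on the share alongside the file.

```python
"""Seal an approved EFT batch file and verify it before submission.

Added example; the batch format, file names and key below are constructed
for illustration and are not a real bank file format or real data.
"""
import hashlib
import hmac
from typing import Dict

# Constructed sample batch: one payment per line.
BATCH = (
    b"BSB,ACCOUNT,AMOUNT_CENTS,REFERENCE\n"
    b"032-000,123456,150000,INV-1001\n"
    b"063-000,654321,2599,INV-1002\n"
)
# Same file after an attacker changes the first amount (same length, so a
# size check alone would not notice).
TAMPERED = BATCH.replace(b"150000", b"950000")

BATCH_NAME = "payroll-20100728.txt"
APPROVER_KEY = b"example-approver-key-keep-off-the-share"  # assumed; use a key store


def _mac_input(name: str, size: int, digest: str) -> bytes:
    # Bind the name and size into the MAC so a sealed file cannot be swapped
    # for another sealed file, and truncation is detected without hashing twice.
    return f"{name}\n{size}\n{digest}".encode()


def seal_batch(data: bytes, name: str, key: bytes) -> Dict[str, object]:
    """Produce the detached seal the approver stores with their sign-off."""
    digest = hashlib.sha256(data).hexdigest()
    tag = hmac.new(key, _mac_input(name, len(data), digest), hashlib.sha256).hexdigest()
    return {"file": name, "size": len(data), "sha256": digest, "hmac": tag}


def verify_batch(data: bytes, name: str, key: bytes, seal: Dict[str, object]) -> bool:
    """True only if the file on the share is byte-for-byte what was approved."""
    if seal.get("file") != name or seal.get("size") != len(data):
        return False
    digest = hashlib.sha256(data).hexdigest()
    expected = hmac.new(key, _mac_input(name, len(data), digest), hashlib.sha256).hexdigest()
    # Constant-time comparison; the seal's own sha256 field is informational,
    # the MAC is recomputed from the file actually being submitted.
    return hmac.compare_digest(expected, str(seal.get("hmac", "")))


def demo() -> Dict[str, bool]:
    """Approve the batch, then try to submit the original and a tampered copy."""
    seal = seal_batch(BATCH, BATCH_NAME, APPROVER_KEY)
    return {
        "approved_file_accepted": verify_batch(BATCH, BATCH_NAME, APPROVER_KEY, seal),
        "edited_file_accepted": verify_batch(TAMPERED, BATCH_NAME, APPROVER_KEY, seal),
        "renamed_file_accepted": verify_batch(BATCH, "payroll-20100729.txt", APPROVER_KEY, seal),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The seal only detects changes; it does not stop them, so it belongs alongside a read-only ACL on the file and a submission process that refuses to upload without a passing verification. Anyone who can read the key can re-seal a modified file, which is why the key must not be readable by the staff who can write to the share.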
The report recommends that penetration testing of ICT networks, which assesses the ability of a system or network to withstand unauthorised external entry, take place at least annually at each department to help bolster EFT security.