Jurisdictions are having varying levels of success in addressing endemic Information Systems (IS) control issues, with little improvement in persistent security issues in Western Australia and Victoria.
Queensland was the only jurisdiction under scrutiny in 2012-13 that made meaningful improvements in IS security controls. Queensland’s ongoing level of IT scrutiny appears to be a significant factor in its success, a fact that could form an important lesson for other public sector agencies around the country.
Western Australian agencies have made no improvement in administering and implementing Information Systems (IS) controls over the previous year, a report by the Western Australian Auditor-General has found.
In the Annual 2012-13 Assurance Audits, the Auditor-General Colin Murphy identified 282 weaknesses in IS controls, the same figure as in 2011-12.
In the report, the Auditor-General focused on those agencies “with significant computer environments to determine whether their controls are appropriately designed and operating effectively”.
58 per cent of issues were deemed to be “requiring action as soon as practicable” and 41 per cent were rated as minor. The Auditor-General found only one “significant” IS control problem.
IT Operations accounted for 44 per cent of all weaknesses identified, while Security accounted for 32 per cent.
Whilst the majority of the issues identified are “relatively simple to fix”, the Auditor-General was concerned that “if not resolved they leave agencies potentially vulnerable to significant disruption and costs”.
These findings follow a comprehensive Information Systems Audit Report released by the Auditor-General in June 2013.
The report found that 92 per cent of Western Australian Government agencies had ICT security issues. Flaws in data storage and systems controls meant that many information systems were not meeting basic security benchmarks for the second year in a row.
In 2013, 56 per cent of agencies had security issues so severe that they failed to meet the benchmark for effectively managing information security. In 2012, this figure was 50 per cent.
Despite the report finding that the Department of Health had no preventative or detective controls to limit unauthorised access to its Emergency Department Information System (EDIS) or Hospital Morbidity Data System (HMDS), no funds were allocated in the 2013-14 Western Australian State Budget to specifically address these issues, according to Intermedium’s Budget IT Tool.
A comprehensive Information Systems Audit will be released in early 2014.
In the Whole of Government Security Management Framework released in November 2013, the Victorian Auditor-General John Doyle indicated that he was less than impressed with agency security and control standards.
“Agencies have not effectively implemented Victorian Government information security policy and standards. Agencies are potentially exposed to cyber-attacks, primarily because of inadequate ICT security controls and immature operational processes.”
The Auditor-General revealed that the Department of Treasury and Finance had not effectively overseen agency standards, controls and compliance since 2010.
The Victorian Government has demonstrated its commitment to addressing the Auditor-General’s concern through the recent announcement of a new State Cyber Security Strategy, which is currently under development and expected to be implemented in early 2014.
Unlike Western Australia and Victoria, Queensland agencies achieved some success in managing IS control issues. In 2012-13, the Queensland Auditor-General Andrew Greaves found 22 high or moderate control weaknesses in seven Departments, down from 67 issues in 11 Departments in 2011-12.
The proportion of IS control weaknesses relating to security has also been on the decline. In 2012-13, security accounted for 14 of the 22 IS control issues identified (64 per cent) compared to 56 of the 67 issues identified in 2011-12 (83 per cent).
Of the 22 IS control issues, only one was deemed “high risk” by the Auditor-General. The Department of Community Safety (DCS) did not have a formal system security plan for its Emergency Services Computer Aided Dispatch (ESCAD) system, which coordinates dispatches and incident management for the Queensland Ambulance Service and the Queensland Fire and Rescue Service.
DCS is currently taking steps to address the Auditor-General’s concerns.
Despite the improvement in IS controls, Greaves believes there is still room for improvement.
“While the total number of control weaknesses identified has declined, internal control structures are not yet as strong as they need to be for risk of fraud and material error to be reduced to acceptable levels,” stated Greaves.