An audit report released last week has found problems with information system security and change management controls in the Victorian Government.
In his report, Portfolio Departments and Associated Entities: Results of the 2008–09 Audits, the Victorian Auditor-General revealed that "information system security and change management weaknesses were found in seven entities".
According to the report, internal control "encompasses the systems, policies and behaviours established by governing bodies and management to reliably and cost effectively meet their objectives".
Overall, the Auditor-General found that internal control measures were satisfactory across departments and agencies; however, the validity and security of data obtained from information systems is critical to the "reliability and integrity of financial information".
The past few months have seen a raft of reports critical of IT security in government departments. Late last month, the Victorian Auditor-General, Des Pearson, said that the "confidentiality of personal information collected and used by the public sector can be, and has been, easily compromised."
The problem is not confined to Victoria: in early November the South Australian Auditor-General took aim at his government’s data integrity. A common problem, he found, was a lack of a business owner. This compromised the application of business criteria to information security.
This time around, the Victorian Auditor-General found that more users had access to privileged information than was operationally required. Other problems noted include:
- Poor password security;
- Obsolete software, with patches for vulnerabilities not applied in a timely manner;
- Use of generic logon identifiers, where a number of users know the password and it is not possible to establish who performed a particular action; and
- Change registers that do not identify all changes to information systems, and no documented approval for some changes released into production.
The Auditor-General recommended that entities "regularly review IT system user access levels to confirm they continue to be appropriate and also enforce password complexity."