Information security holes continue to plague the NSW public service, with the 2015 NSW Financial Audit report finding that 85 per cent of the 169 ICT issues raised were related to security vulnerabilities or poor practice.
While the number of repeated issues has fallen from 30 per cent in 2014 to 22 per cent in 2015, a number of agencies continue to fall short of basic security requirements, according to the yearly report.
NSW agencies are required to have security controls in place to prevent or detect the unauthorised use of data systems and programs, as breaches can have severe consequences for agencies’ data and systems.
Seventy-nine per cent of the reported issues related to inadequate administration, access and password practices, and most problems occurred when agencies were restructuring their IT systems. Information security is often overlooked during these transition phases; because IT solutions can take a long time to implement fully, this can leave an agency exposed to security breaches for an extended period.
Of the non-security related issues, system change controls accounted for 12 per cent of the total. These relate to the control and verification of procurement and implementation processes for hardware, application and database management systems, and other software. Problems related to data centre and network operations have been all but eliminated, and now account for only three per cent of IT issues.
The report also found that some agencies were not fully complying with the NSW Government Digital Information Security Policy (DISP) (updated in 2015) by failing to implement an Information Security Management System based on a comprehensive assessment of the agency’s risk of having its digital information and digital systems compromised.
Disaster recovery also continues to be a blind spot for public service agencies. Since an incriminating audit in 2012, the NSW audit office has strenuously urged agencies to prepare thorough IT disaster recovery plans (DRP) – however, of the 30 agencies reviewed in the 2015 Financial Audit, four did not have a DRP. Three agencies' DRPs had not been tested, and one agency had no DRP for one of its four significant financial systems.
NSW is not the only jurisdiction to receive low scores for disaster planning. Last year, the Queensland Auditor-General found two sizeable Queensland departments with no central disaster recovery plan.
Security in general is a serious concern for public service agencies nationwide. Despite having a relatively sophisticated security ecosystem, Australia has been outranked by a number of other nations in the Asia Pacific region in terms of cyber-security readiness, according to the Australian Strategic Policy Institute’s 2015 report on Cyber Maturity in the Asia-Pacific Region.
“Australia’s score could improve with the release of a new cyber strategy and a more streamlined cyber policy structure to complement the country’s operational cyber improvements”, the report stated.
At the Federal level, both the (then) Defence Minister and the Minister for Defence Materiel and Science have warned that Australian IT systems will increasingly be targeted by cyber-attacks. In response, Malcolm Turnbull has announced measures that will increase national co-operation with the United States in investigating and advocating against cyber-crime.
The Queensland Government has also recently announced a new $12.5 million whole-of-government Cyber Security Unit to help shore up its information security defences.