The security of the NSW Government’s most sensitive IT systems is only as strong as their user controls, but according to the State’s Auditor-General many of these are far from adequate.
In his first report for 2013 Auditor-General Peter Achterstraat has looked back across the previous year’s findings, and calculates that ICT-related issues were up by 12 per cent compared to 2011 (from 214 to 286) and that 75 per cent of these related to information security or disaster recovery provisions.
The kinds of problems that Achterstraat came across in 2012 include a lax approach to the regulation of staff passwords, which meant that the last line of defence for many sensitive systems was unacceptably weak, and a failure to revoke terminated employees’ ability to continue accessing these systems and agency files.
In response, the Auditor-General says he will step up the monitoring of agency compliance with requirements of the NSW Government’s new Digital Information Security Policy, starting from this year.
In November 2012, the State replaced its 2007 set of mandatory security requirements with Premier’s Memorandum M2012-15 Digital Information Security Policy, which states that all NSW Government Departments, statutory bodies and shared service providers are to have an Information Security Management System in place, and makes way for the establishment of a Digital Information Security Community of Practice.
On top of this, agencies are required to have:
- An information security policy;
- A nominated Senior Responsible Officer for information security;
- The appropriate classification of all digital information held by the agency; and
- A system for reporting any security breaches or other incidents.
As the Auditor-General pointed out, the level of monitoring and enforcement that the Government applies to this new policy will be crucial to achieving its stated aims and cleaning up security practices across the public sector.
“In 2010, I identified weaknesses in implementing the policy, particularly the lack of enforcing and monitoring agencies’ compliance with the policy.
“I am interested in how agency compliance with the policy will be enforced and monitored, particularly in light of the information security issues I reported in 2012. In 2013, I intend to monitor the level of agency compliance with the new policy,” he said in the latest report.
Applicable agencies are scheduled to have fully implemented all of the requirements of the new policy by December 2013, with a progress report due to the NSW ICT Board as soon as July.
The Auditor-General did, however, have some positive feedback for agencies, particularly NSW Health and the NSW Police Force, which were subject to criticism in 2012 for inadequate management of ICT services contracts.
“I am pleased with the agencies’ response to the audit in that they considered the audit an opportunity to continuously improve practices and value for money from IT services contracts,” he said.