A critical assessment of the NSW Government’s ICT security by the state's Auditor-General could see the enforcement of minimum security standards across all of its ICT acquisitions.
The NSW audit office released its review of Electronic Information Security on October 20, with Auditor-General Peter Achterstraat warning that, “the Government is not able to assure the people of NSW that all its agencies are properly safeguarding sensitive private information”.
The report found that, although agencies were instructed in 2007 to establish Information Security Management Systems (ISMS) complying with the international standard ISO/IEC 27001, up to two-thirds of them have failed to meet this requirement.
A lack of proper accountability and scrutiny lies at the heart of the Government’s complacency when it comes to ICT security, says the document.
“Agencies were told to get certified to the international standard, but there was no deadline, no effective monitoring, and no consequences if they didn’t,” said Achterstraat.
The report strongly advises that the NSW Government establish improved information security governance arrangements as well as a new ICT Strategy by June 2011.
Among its recommendations for the new plans, it advises that the State needs to ensure that:
- Information security is built into all public sector ICT systems from design through to implementation and disposal
- All ICT products, services and assets adopted by agencies include common standards for information security and, in time, a common and secure infrastructure is used across the public sector
These recommendations indicate that, if the NSW Government adopts them, its ICT suppliers may also be required to comply with the standards.
Similar criticisms were directed toward the Victorian Government’s ICT infrastructure in 2009.
In response, the Victorian Department of Treasury and Finance released a set of information security standards aligned with ISO 27001, and made it compulsory for agencies to deliver an implementation plan within a six-month timeframe and to report their progress against that plan.
The Victorian Standards, which are presented as a model framework in the Auditor-General’s report, require agencies to undergo independent penetration testing, to implement risk management protocols for portable devices, and to introduce tougher identification requirements for public sector staff.
The Department of Premier and Cabinet’s (DPC) response to the report confirms that the Government will take the Auditor-General’s recommendations into account in the formulation of its new ICT Strategy.
While he describes the need to mandate security certification requirements as “contestable”, the DPC’s Director-General, Brendan O’Reilly, says that the Government supports the establishment of minimum standards.
“The Audit recommends establishing minimum standards and requirements for consistent processes to manage information assurance risks, as well as strengthening accountability through improved scrutiny and transparency. These initiatives are supported, subject to the outcome of the reforms currently under consideration by Government.”
The NSW Whole-of-Government ICT Strategy People First expired on 30 June. The first stage of the strategy’s renewal, the High Level Review, is due to be submitted to the NSW DPC, Treasury and the Department of Services, Technology and Administration by the end of October 2010.