When the South Australian Auditor General tabled his annual report to Parliament, he made a number of clear observations that should resonate well beyond the South Australian border.
The Auditor summarised key messages from a number of audits undertaken throughout the year. One of the audits focussed specifically on Information Systems Management and Security.
"There should be the highest standards of security over government systems and information through the proper functioning and authorised access to the systems and information," the Auditor opened.
In the last year, four agencies were audited:
- South Australian Police (SAPOL);
- The Public Trustee;
- DTEI; and
A common problem was the lack of an identified business owner. The Auditor correctly noted that, without a business owner, it was quite difficult to apply business criteria to information security and to ensure its ongoing application.
The Auditor General backed up his claims with instances where:
- User security access rights were being applied far too loosely, and
- Some sensitive information had been sent across the government network to non-government entities without being risk assessed and considered for encryption.
Additional concerns were raised where key database management and operating system software was found to be out of date, and where removable media was being used to transport confidential data without being encrypted.
The Auditor General indicated that further focus is necessary to "prevent risks of unauthorised access that could compromise confidentiality, integrity and availability of the systems and information."
He signalled his intention to continue "focus of review of government systems’ information security and control." This will include major existing, developing or newly implemented systems of government. He will also liaise further with the Office of the Chief Information Officer on the government agency-wide implications of these matters.