The Victorian Auditor-General last week released the report, Local Government: Results of the 2008–09 Audits, with recommendations for two areas of ICT usage in councils: user access and IT security policies.
The report is similar in tact to the WA Auditor General’s Report Information Systems Audit Report (Report 2 – April 2009), released earlier this year. Both reports indicate ongoing problems that amount to systematic IT security issues.
The Victorian Auditor-General found that "councils need to balance the requirement to provide staff with ready access to systems and information to enable them to perform their roles; with the obligation to protect sensitive information, guard against manipulation of financial data and prevent unauthorised changes to their IT systems."
According to the Report, considerations for password policy include:
- Complexity and length;
- Regular enforced password changes;
- Restricted use of historic passwords; and
- Non-disclosure of passwords by staff members.
In terms of IT security, the Auditor-General found 84 per cent of councils had a formal process for granting user access to new members of staff. However, only 69 per cent reviewed the access levels on a regular basis.
The Auditor-General underscored the following as important when considering IT security:
- Physical security of assets;
- Password policies;
- User access policies;
- Policies regarding internet and e-mail access and use;
- Backup procedures and storage;
- System Administrator rights and restrictions; and
- Archiving procedures.
The Auditor-General said that councils should prepare, formalise, document and inform users of their IT security policy; and should develop, implement and enforce a policy that:
- Restricts user access of staff members to only the IT systems that they require to undertake and perform their role;
- Regularly reviews user access levels to ensure that they continue to be appropriate; and
- Addresses password complexity and requires regular changing of passwords.
The Victorian Auditor General’s Report echoes many of the recommendations contained in the WA Auditor General’s Information Systems Audit Report (Report 2 – April 2009), which identified many similar issues, including basic problems such as:
- Active network accounts for former employees of agencies;
- Generic accounts that allow access to networks by unidentified individuals and that had no passwords or easy-to-guess passwords. In one agency, by using these accounts and guessing passwords, Audit was able to access almost 700 000 sensitive records via the Internet;
- Network account and password details for generic accounts ‘posted’ on computer monitors;
- Three agencies that were not logging or monitoring network use or unsuccessful log-on attempts; and
- Three agencies that were not updating network operating software in line with vendor recommendations to address known security vulnerabilities.
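The access-review policy the Victorian report calls for (least-privilege access, regular review of access levels, password ageing) and the WA findings above (live accounts for former employees, generic accounts tied to no individual) can be checked mechanically by reconciling a directory export against the HR roster. The following is an added example, not code from either audit report: the roster, the account export, the 90-day password age and the 180-day review interval are all constructed assumptions, and the field names are hypothetical.

```python
"""Access-review reconciliation: directory accounts vs. HR roster.

Added example (not from the audit reports). Flags the conditions the
auditors reported: enabled accounts owned by former staff, generic
accounts tied to no individual, roles beyond what HR approved, stale
passwords and overdue access reviews. All data below is constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Assumed policy thresholds (not taken from the reports).
MAX_PASSWORD_AGE = timedelta(days=90)
MAX_REVIEW_AGE = timedelta(days=180)
TODAY = date(2009, 11, 30)  # fixed "today" so results are reproducible


@dataclass
class Account:
    username: str
    owner_id: Optional[str]            # HR employee id; None for shared/generic
    enabled: bool
    last_password_change: date
    last_access_review: Optional[date]  # None = never reviewed
    roles: Tuple[str, ...]


# Constructed HR roster: employee id -> (employment status, approved roles)
HR_ROSTER: Dict[str, Tuple[str, Set[str]]] = {
    "E100": ("active", {"finance-ro"}),
    "E101": ("terminated", {"finance-rw"}),
    "E102": ("active", {"rates-clerk"}),
}

# Constructed directory export (shape of a typical IdM/AD dump).
ACCOUNTS: List[Account] = [
    Account("jsmith", "E100", True, date(2009, 10, 15), date(2009, 9, 1), ("finance-ro",)),
    Account("ablack", "E101", True, date(2009, 6, 1), None, ("finance-rw",)),
    Account("rates-shared", None, True, date(2008, 1, 10), None, ("rates-clerk",)),
    Account("tnguyen", "E102", True, date(2009, 11, 1), date(2009, 3, 1), ("rates-clerk", "sysadmin")),
    Account("contractor1", "E999", True, date(2009, 11, 10), date(2009, 11, 10), ()),
    Account("old_disabled", "E101", False, date(2008, 5, 5), None, ("finance-rw",)),
]


def review_accounts(accounts: List[Account],
                    roster: Dict[str, Tuple[str, Set[str]]],
                    today: date) -> List[Tuple[str, str]]:
    """Return (username, finding-code) pairs for every enabled account."""
    findings: List[Tuple[str, str]] = []
    for acct in accounts:
        if not acct.enabled:
            continue  # disabled accounts are out of scope for this review
        if acct.owner_id is None:
            # Shared account: no individual is accountable for its use.
            findings.append((acct.username, "generic-account"))
        else:
            status, approved = roster.get(acct.owner_id, ("unknown", set()))
            if status != "active":
                # Owner has left (or is not in HR at all) but the account lives on.
                findings.append((acct.username, f"owner-{status}"))
            excess = set(acct.roles) - approved
            if excess:
                # Access beyond what the role requires: least-privilege breach.
                findings.append((acct.username, "excess-roles:" + ",".join(sorted(excess))))
        if today - acct.last_password_change > MAX_PASSWORD_AGE:
            findings.append((acct.username, "password-stale"))
        if acct.last_access_review is None or today - acct.last_access_review > MAX_REVIEW_AGE:
            findings.append((acct.username, "review-overdue"))
    return findings


def findings_by_user(findings: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group finding codes under each username, preserving detection order."""
    grouped: Dict[str, List[str]] = {}
    for user, code in findings:
        grouped.setdefault(user, []).append(code)
    return grouped


if __name__ == "__main__":
    for user, codes in findings_by_user(review_accounts(ACCOUNTS, HR_ROSTER, TODAY)).items():
        print(f"{user}: {', '.join(codes)}")
```

Run against a real export, the same reconciliation gives a reviewer the "former employee still enabled", "generic account" and "review overdue" lists the auditors asked for, and the output is suitable for a periodic ticket rather than a one-off audit.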