The Western Australian Auditor-General has highlighted a range of problems in the state’s management of its IT systems, including a lack of basic security and widespread theft of equipment.
Released 24 March, Auditor-General Glen Clarke’s second annual Information Systems Audit Report examined two main areas: the security of laptops and portable storage devices (PSDs), and application and general computer controls. While the report covered all 56 state agencies, seven were examined in detail, representing a mix of large and small agencies, namely the Curriculum Council, Department of Commerce, Department of Education, Department of Water, Royal Perth Hospital, Western Australia Police and WorkCover WA.
The first part of the report, examining the security of laptops and portable devices, found that potentially sensitive information stored on government laptops, USB memory sticks and other PSDs was not well protected.
In the three years 2006 to 2009, 608 laptops were reported stolen out of a fleet of 28,150 across the seven agencies that were audited in detail. This represented a cost of $641,134 and the loss of sensitive financial, medical, legal and educational records.
“All seven agencies lacked comprehensive management, technical and physical controls over their laptops and portable storage devices to minimise the risk of them being lost or stolen and of sensitive information being accessed,” states Clarke.
The report found that none of the seven agencies knew exactly how many PSDs they owned or the potential security risks of those PSDs. The Department of Commerce and Royal Perth Hospital were both unaware of how many laptops they owned, increasing the risk that laptops and the information stored on them could be lost or stolen without the agency knowing.
Six of the seven agencies failed expectations by not enforcing access controls for laptops or portable devices that would help prevent sensitive data leaving the organisation.
All seven agencies were found to have critical software vulnerabilities due to a lack of patching, and WorkCover was the only agency that had enabled laptop firewalls.
The 56 audited agencies’ application and general computer controls also came under strong criticism, with Clarke deeming the overall security and data processing controls in place across the state as “unacceptable”. 41 per cent of agencies across the state were found to have weak access controls, while 23 per cent were deemed to have poor network security.
“At two of the agencies we were able to guess the passwords and gain access to highly sensitive information and at three agencies we found that former staff were still able to access confidential information and databases,” Clarke said, with one agency allowing users to access accounts with a single character password that did not expire.
Two of the agencies were found to have stored unsecured credit card data that could be “accessible by any user” in direct violation of the Payment Card Industry (PCI) Data Security Standard. Auditors were also able to manipulate staff and contractor pay cheques stored on freely accessible folders before they were processed.
Many of the agencies were found to lack basic account access controls that stop users from accessing inappropriate sensitive data, and boot passwords were scarcely employed, leaving laptop hard disks vulnerable to hacking. Another agency was found not to enforce its contractor service level agreements.
Accompanying the report’s dim appraisal was a series of recommendations designed to address the weaknesses detailed in the two main areas examined. A summary of these recommendations, many of which present possible future business opportunities for ICT service providers, is as follows:
Security of laptop and portable storage devices
All agencies should:
- Maintain comprehensive registers for their laptops;
- Consider the best way to record information about PSDs;
- Ensure that basic access controls – ‘boot’ passwords and screen lock-outs – are activated as standard;
- Ensure that their external security controls and practices – including updating patches, and firewall strategies – meet their security needs; and
- Assess the threats and vulnerabilities to their laptops and PSDs and implement policies, procedures and practices to mitigate those risks.
To mitigate risk, agencies should have two basic types of controls in place.
- Physical tracking and security controls to minimise the risk that laptops or PSDs will be lost or stolen, including asset registers and safe storage and handling; and
- Security controls to prevent access to information stored on these devices if they are lost or stolen, including appropriate data policies, system and logon passwords, keypad locks, encryption and external device controls.
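The register and device-control recommendations above can be turned into a repeatable check. The following Python script is an added example, not code from the audit report or the article: it walks a laptop/PSD register, flags each device missing the controls the report expects (custodian recorded, encryption, boot password, screen lock-out, host firewall, recent patching) and reconciles the register against a procurement list so that devices an agency owns but has not registered are surfaced. The field names, the 30-day patch tolerance, the audit date and every sample record are constructed assumptions for this example.

```python
"""Fleet-control audit over a constructed laptop/PSD register (example only).

Field names, the patch-window tolerance and all sample records are assumptions
made for this example; they are not taken from the audit report.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

PATCH_WINDOW_DAYS = 30            # assumed tolerance; the report sets no figure
AUDIT_DATE = date(2010, 3, 24)    # constructed: the report's release date


@dataclass
class Device:
    asset_tag: str
    kind: str                      # "laptop" or "psd" (assumed vocabulary)
    custodian: Optional[str]       # None means nobody is recorded as responsible
    boot_password: bool
    screen_lock: bool
    firewall: bool
    encrypted: bool
    last_patched: Optional[date]   # None means no patch record at all


# Constructed sample register; not real agency data.
REGISTER: List[Device] = [
    Device("LT-0001", "laptop", "finance", True, True, True, True, date(2010, 3, 10)),
    Device("LT-0002", "laptop", None, False, True, False, False, date(2009, 11, 2)),
    Device("LT-0003", "laptop", "legal", True, False, True, True, None),
    Device("USB-0042", "psd", "medical", False, False, False, False, None),
]

# Constructed procurement list: what the agency has actually bought.
PROCURED_TAGS: Set[str] = {"LT-0001", "LT-0002", "LT-0003", "LT-0004", "USB-0042"}


def device_findings(d: Device, today: date) -> List[str]:
    """Return the list of control gaps for one device (empty means compliant)."""
    findings: List[str] = []
    if d.custodian is None:
        findings.append("no custodian recorded")
    # Encryption is the control that still protects data once a device is gone,
    # so it applies to laptops and PSDs alike.
    if not d.encrypted:
        findings.append("storage not encrypted")
    if d.kind == "laptop":
        # Logon-level and network-level controls only make sense on a full host.
        if not d.boot_password:
            findings.append("boot password not set")
        if not d.screen_lock:
            findings.append("screen lock-out disabled")
        if not d.firewall:
            findings.append("host firewall disabled")
        if d.last_patched is None:
            findings.append("no patch date recorded")
        elif (today - d.last_patched).days > PATCH_WINDOW_DAYS:
            findings.append(f"patches older than {PATCH_WINDOW_DAYS} days")
    return findings


def audit(register: List[Device], procured: Set[str],
          today: date) -> Tuple[Dict[str, List[str]], List[str]]:
    """Findings per registered device, plus procured tags absent from the register."""
    report = {d.asset_tag: device_findings(d, today) for d in register}
    registered = {d.asset_tag for d in register}
    unregistered = sorted(procured - registered)
    return report, unregistered


def summary(report: Dict[str, List[str]]) -> Tuple[int, List[Tuple[str, int]]]:
    """Count non-compliant devices and rank the most common gaps."""
    gaps = Counter(f for fs in report.values() for f in fs)
    noncompliant = sum(1 for fs in report.values() if fs)
    return noncompliant, gaps.most_common()


if __name__ == "__main__":
    report, unregistered = audit(REGISTER, PROCURED_TAGS, AUDIT_DATE)
    for tag, findings in report.items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{tag}: {status}")
    print("procured but not registered:", unregistered)
    count, ranked = summary(report)
    print(f"{count} of {len(report)} registered devices non-compliant; top gaps: {ranked[:3]}")
```

The reconciliation step is the part most agencies in the report could not do: an asset register only mitigates loss if it is checked against an independent source of what was bought, otherwise a device that was never registered can disappear without anyone noticing.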
Application and general computer controls
All agencies should:
- Ensure that they have appropriate policies and procedures in place for key areas such as IT risk management, information security, business continuity and change control;
- Ensure that IT risks are identified, assessed and treated within appropriate timeframes and that these practices become a core part of business activities;
- Ensure good security practices are implemented, up to date, and regularly tested and enforced for key computer systems;
- Have a business continuity plan, a disaster recovery plan and an incident response plan; and
- Develop and implement physical and environmental control mechanisms to prevent unauthorised access or accidental damage to computing infrastructure and systems.
The full Information Systems Audit Report can be accessed at: http://www.audit.wa.gov.au/reports/pdfreports/report2010_02.pdf