After being strongly criticised by the Auditor General for widespread failings when it comes to information security, the WA Government has opened a new Common Use Agreement (CUA) which will offer agencies services aimed at minimising their vulnerability to attack.
Beginning on 8 March 2012, the new two-year Information Security Management Services (ISMS) CUA (or whole-of-government panel) will be mandatory for all WA agencies to use, and will cover four categories of procurement:
- Consultancy and advisory;
- Auditing and compliance;
- Training and awareness; and
- Testing services.
The establishment of the ISMS CUA comes as a direct response to a damning report released by the WA Auditor General in June 2011, which highlighted major cyber security vulnerabilities across all of the WA agencies that were subject to information security testing.
Of the 15 agencies tested, only one was able to detect a hostile scan launched by the Attorney General, which targeted each of the agency’s websites. These scans, launched using “unsophisticated” tools and methods, were able to identify numerous vulnerabilities which could have been exploited for future cyber attacks, such as distributed denial-of-service (DDOS) attacks.
The report also revealed that penetration tests conducted by IT contractors were limited in value due to the absence of broader information security assessments at state agencies. The Auditor General said that these tests gave agencies a “false sense of security”.
The Auditor General found that all 15 agencies failed to take a risk-based approach to deal with potential cyber threats, a key finding which prompted the creation of the mandatory CUA.
Six contractors have been included on the ISMS CUA:
- L7 Solutions;
- CQR Consulting;
- Stantons International;
- Protiviti; and
The services covered by the ISMS CUA were previously offered under the WA Government’s ICT Services CUA. The latter agreement will continue to offer other security services that are not covered by the ISMS CUA, such as firewall, antivirus and anti-malware installation.
The two-year CUA may be supplemented with two one-year extension options upon expiry. The current CUA will expire on 7 March 2014.
To begin the remediation of the issues identified by the Auditor General, agencies have been encouraged to complete a Cyber Security Health Check Self Assessment, to come to an understanding of their current cyber security status and capacity. The results will determine which services may need to be procured.
The ISMS agreement bears many similarities to South Australia’s eProjects Panel, which offers cyber security assessment, auditing and consulting services through the Panel’s Cyber Security Services Portal.
Information Security Management Systems are also a requirement for all SA agencies, in accordance with the SA Government’s Information Security Management Framework. According to the Framework, all SA government agencies must acquire ISMS services in accordance with the ISO 27000 series of international standards. WA agencies must now also abide by the same set of international standards, according to the ISMS CUA.
Vulnerability to cyber attack is not exclusive to the State jurisdictions, however. The Australian Parliament House (APH) website was taken offline for two consecutive days in February 2010 due to a DDOS attack launched by cyber group Anonymous. The delayed launch of a revamped APH website, which was 12 months behind schedule and $615,000 over budget, was largely attributed to increased cyber security-related matters.