If government agencies, especially in the states, find themselves inundated by meeting requests from IT security firms, they only have themselves - and their Auditors-General - to blame!
The Victorian Government Auditor-General, Des Pearson, is the latest to highlight that the "confidentiality of personal information collected and used by the public sector can be, and has been, easily compromised."
While the Victorian Auditor-General examined only three Departments in his report "Maintaining the Integrity and Confidentiality of Personal Information", he found "the ability to penetrate databases, the consistency of our findings and the lack of effective oversight and coordination of information security practices strongly indicate that this phenomenon is widespread."
Mr Pearson’s report follows similar criticism contained in his review of local governments, the South Australian Auditor-General’s Annual Report, and the WA Auditor-General’s Information Systems Audit Report (Report 2 – April 2009), released earlier this year.
Des Pearson goes further than the earlier reports, indicating that the fundamental problem is an absence of top-level governance, saying:
"The Department of Treasury and Finance and the Department of Premier and Cabinet have not fulfilled their responsibilities to develop and maintain whole-of-government information security standards and guidance, to improve the coordination of identity and information management systems at state level, and to provide policy advice on emerging trends and issues in identity and information management."
"Under the state’s governance arrangements, responsibility and accountability for departmental performance rests with departmental secretaries. However, our findings from within three departments, and our wider discussions in the sector, demonstrate that departments and the wider public sector need better direction about information security and management. More timely development of standards and guidance relevant to local conditions and risks is needed; as is better identification and effective management of risks, including emerging whole-of-government risks; better education and awareness-raising across the sector; and allocation of resources to achieve the minimum standard required."
Most critically, he noted:
"The central direction and effective coordination of the broad scope of information security risks remains weak. Neither the Department of Treasury and Finance nor the Department of Premier and Cabinet have addressed all aspects of information security following the disbanding of the Office of the Chief Information Officer and its supporting committees in 2006."
Jointly responding to the Auditor-General’s report, the Secretaries of the Department of Premier and Cabinet and the Department of Treasury and Finance reported that "steps are also being taken through existing Whole-of-Government forums to ensure a coordinated and consistent approach to information security continues to be promoted".
They also commented that "in September 2009, a new Ministerial Direction was issued by the Minister for Finance under the Financial Management Act 1994, mandating a risk based approach to the management, collection and storage of information and also referencing the DTF standards ‘Information Security Management Framework’ and ‘Information Security - Data Classification and Management’."