WA’s exasperated auditor general is considering naming and shaming government agencies with IT system weaknesses to force them into action.
In his annual Information Systems Audit Report, auditor general Colin Murphy assessed 45 agencies against six control categories: IT operations, management of IT risks, information security, business continuity, change control and physical security. More than half had no defined controls in three or more categories, according to the report tabled in Parliament today.
“My practice is not to name agencies that have information system weakness for fear that this could encourage attempts to exploit the weaknesses,” he said. “However, I am now reviewing that position and seeking advice as to whether the naming of high-risk agencies is necessary in order to achieve essential change.”
Some agencies were found to be using the passwords ‘Password1’ and ‘guest’ and failed to run thousands of critical operating system and application patches. Others had not installed anti-virus software and stored sensitive information in widely accessible Excel spreadsheets.
Only ten agencies “met expectations for managing their environments effectively” in all categories, compared with 11 in 2014.
“After doing this audit for eight years I am disappointed to see little or no improvement in controls year on year and agencies not treating this matter with the seriousness it deserves,” Murphy added.
“Information security and business continuity have not improved, scores fluctuate year to year, but the trend remains flat. Given these categories relate to the security of information and the availability of services, I am very concerned about the lack of progress.
“I may have to look at ways to make agencies more accountable for IT weaknesses and it may include naming agencies not addressing or taking action to rectify concerns.”
The report also reviewed five business applications: Complaints and Licensing System – Department of Commerce, Total Offender Management System – Department of Corrective Services, Controlled Waste Tracking System – Department of Environment Regulation, Smart Parker – Public Transport Authority and the Treasury System – Gold Corporation.
All five applications were found to have weaknesses related to poor policies, procedures and the security of sensitive information including “easy to guess passwords, software updates not applied, failure to remove accounts belonging to former staff and manual data entry, processing and manipulation”.
There were 56 points of concern across the five applications, six of which were rated as significant.
The most serious include the poor security of sensitive data relating to young offenders including their charges and the sentences imposed and unprotected archived emails containing the credit card numbers of licence applicants.
“Agencies are urged to take note of the findings and act on the recommendations to ensure the confidentiality and integrity of information,” said Murphy.
“Many of the issues raised in the report are simple and inexpensive to correct and agencies should address those identified as soon as possible.”