Six Australian government agencies have come under fire from the Australian National Audit Office (ANAO) for having lax security.

Figures from the ANAO's 2005 audit of Internet security management in Australian government agencies were released yesterday and found 31 specific risks, as defined by the Defence Signals Directorate (DSD), in agency Web servers. Three percent of the risks were high-level, 32 percent medium-level and 65 percent low-level. The ANAO made 51 suggestions for improvement.

Alarmingly, the ANAO report also concluded that the current level of Internet security in the six agencies is insufficient, and that none of the agencies fully complies with the Protective Security Manual (PSM) and ACSI 33. The PSM is a set of common protective security standards for all Australian government agencies and contractors, covering eight areas including security policy and personnel security. ACSI 33, part of the PSM, breaks risk management down into five simple steps—context, identifying, analyzing, assessing and developing a plan—and is mandatory for all Commonwealth agencies.

The audited agencies were the Australian Customs Service, the Australian Federal Police, the Australian Radiation Protection and Nuclear Safety Agency, the Department of Education and Workplace Relations, the Department of Industry, Tourism and Resources, and Medicare Australia. None of the agencies has ICT security documentation that complies with the PSM and ACSI 33, and all lack a systematic and coordinated program for the ongoing management of ICT security risk assessments.
Security policies and system security plans are not linked to ICT risk assessments and plans, and the agencies lack system security plans.

The ANAO report states that agencies have only limited business continuity plans, if any at all.

“While several of the six agencies had initiated development of business continuity and disaster recovery plans for Internet services, only one had sound plans in place,” the report states.

“Two agencies largely depended upon the knowledge of key staff and had few documented procedures. Documents were found in draft form and some plans had not been regularly reviewed.

“A majority of the agencies audited had implemented standard operating desktop procedures that did not comply with ACSI 33. Non-compliance was found in inappropriate password management, user account privileges inappropriately administered, no documented procedures for incident detection and response and management of hardware and the use of remote access was not adequately secured.”

E-mail filtering in all agencies was found to be inadequate. Only one government agency has sound disaster recovery plans in place. Two agencies were found to depend on the knowledge of key staff, and few agencies have documented procedures. Some documents were left in draft form, and some plans had not been regularly reviewed.

The report also recommends that the Department of Industry, Tourism and Resources document the coverage of Internet services within its business continuity and disaster recovery plans in 2006-07, introduce requirements for documenting benefits versus risk before purchasing new technologies, and review its e-mail blocking tools with a view to “improving the blocking of malicious e-mails.”

-Michael Crawford, Computerworld Today (Australia)