Western Australian Auditor General Colin Murphy has once again found cyber vulnerabilities with state government agencies in his annual Information Systems Audit Report.
According to the report (PDF), business application audits were carried out on four test agencies including the WA Police, the Department of Finance, the Department of Health and the Department of Mines and Petroleum.
Murphy noted that there were a number of weaknesses with the WA Police firearms management system including the firearms register.
For example, inaccurate recording showed more than 300 firearm licence holders still had firearms listed against their licence despite being classified by state police as unfit to own firearms. There were 25,000 instances where WA data could not be reconciled with the national CRIMTRAC database.
“As a result of our findings, we have no confidence in the accuracy of basic information on the number of people licensed to possess firearms or the number of licensed or unlicensed firearms in Western Australia,” he said in a statement.
“WA Police must act on the recommendations of this report to ensure the integrity and functionality of the firearms management system and to provide the community with some assurance that firearms can be suitably managed in this state.”
Turning to the Department of Health, Murphy found control weaknesses with its emergency department information systems (EDIS).
“These weaknesses mean that staff could anonymously alter data relating to treatments provided and times of admission and discharge,” he said.
“We analysed data logs capture by the EDIS over the last two years against data entered by staff and found no alterations had occurred.”
The report recommended that the Department of Health should improve change management controls and consider implementing user authentication for each staff member.
Murphy also found control weaknesses with the department’s hospital morbidity data system, (HDMS) including the potential for unauthorised access to data.
“This can occur through insecure methods used to obtain and transfer data or because recommended software security updates are not implemented,” he said.
For example, patient information was collected from private hospitals using USB keys and from public hospitals using an insecure file transfer protocol which sent information in clear text across the network.
Murphy recommended that this data should be collected using encryption or secure Web access.
The report also found that 90 per cent of 21 agencies reviewed had serious gaps in their management of information security when assessed against better practice international standards.
“The standard sets out controls for ensuring computer systems are designed, configured and managed to preserve the confidentiality, integrity and availability of information,” he said.
In addition, 36 agencies were assessed against six computer control categories: IT operations, management of IT risks, information security, business continuity, change control and physical security.
Murphy found that more than half of the agencies assessed had not established adequate controls to manage IT risks, information security and business continuity.
“I was pleased to note that eight agencies had made improvements in at least one of the categories without regressing in another,” he said.
“However, only three of the 36 agencies we assessed were rated as having mature general computer controls.”
Follow Hamish Barwick on Twitter: @HamishBarwick