As private enterprises struggle to meet the December 21 Privacy Legislation deadline, Commonwealth agencies are floundering in their efforts to meet their own privacy standards.
The agencies are required by the Protective Security Manual (PSM) to consider the security implications of their electronic information systems and to devise policy and plans to ensure the systems are appropriately protected.
According to Andrew Bewick, federal business manager for security consultancy 90East (Asia-Pacific), the whole psyche of security behaviour within Commonwealth departments is "not up to scratch".
"There isn't any document control in many departments. The Defence Department has been doing it well for decades, but the Australian Taxation Office, for example, has employed thousands of new consultants to deal with the implementation of the GST; how could all these staff be trained to operate securely in such a short timeframe?
"[In addition] often the IT solution put in place [within a department] does not correlate with the business processes. There is a lack of understanding of the issues and focus of the core business. People just think they will get someone in to put in the firewall, do the encryption, but [the technology] is not being linked back to business processes."
Seeking to resolve these kinds of issues, the Australian National Audit Office (ANAO) has contracted 90East to conduct a review of its IT security environment, policies and practices.
Bewick said ANAO had audited itself against 10 other government departments and "weren't happy with the results", so it called for tenders for an external audit.
"The audit department wanted to ensure that its shop was in order. It wants to be a model, especially for departments that want to connect up to FedLink," he said. FedLink will be used to secure intra-government communication as well as government online initiatives.
Peter Green, ANAO's chief information officer, said the agency decided on an external review to ensure it was up to date with the PSM and other government and NOIE (National Office for the Information Economy) initiatives.
The review, which will be completed by the end of the year, is worth between $100,000 and $200,000, and will result in an action plan for the ANAO.
The review will cover a revision of ANAO's security policy; an assessment of its security management framework; an assessment of the security aspects of its IT infrastructure configuration, including the laptop SOE (standard operating environment) and the Internet and remote-support infrastructure; and the identification of gaps between those assessments and best-practice e-security requirements.
Green said the next step after the completion of the action plan would depend on the results and magnitude of the issues.
The ANAO outsources its IT to Unisys. "Any threat exposed by the report may be resolved by us, Unisys or result in a new tender," Green said.