A damning report from the Australian National Audit Office (ANAO) has revealed serious flaws in the IT security arrangements of six Commonwealth government agencies.
Entitled 'Operation of The Classification System for Protecting Sensitive Information', the report reveals that the IT&T environments of the six unnamed agencies the ANAO audited have inadequate security protection levels.
The audited agencies all had sensitive information to protect, with three of the six responsible for protecting national security information. "Paper and electronic files were often exposed to unauthorised access because of various breakdowns in the protection of information in use or in transmission," states the report, which was tabled this month.
Common breakdowns included "sensitive information stored on insecure electronic networks, and computers left on without the protection of screen saver passwords."
All six of the agencies hold sensitive information in both electronic and paper-based form, with two of the six agencies operating secure networks, and two running mainframes with large databases.
The audit found that agencies operating mainframes, with high-volume transaction processing, had better IT security than organisations with a LAN-based environment; however, those with mainframes were found to have weaknesses in their LAN environment.
According to the report, "The access management controls on local area networks (LANs) were often not configured or implemented in accordance with ACSI 33 (the Australian Communications Electronic Security Instructions 33 -- a Defence Signals Directorate publication).
Areas requiring attention include passwords, the number of log-on attempts and inactive user accounts.
These weaknesses are of concern as all the networks carried sensitive information.
"The audit found that more attention needs to be given to establishing effective monitoring and review processes, particularly in relation to IT&T audit trails to ensure security policies and procedures are operating as management intended," said the report.
According to ANAO, all six agencies audited are failing to give sensitive information adequate protection.
Dean Kingsley, Partner, Secure e-business at Deloitte Touche Tohmatsu, commented that for many organisations IT security, outside the context of e-commerce, was "way down the priority list" since it was viewed as an overhead rather than an enabler.