The Western Australia government’s flight to the cloud has encountered turbulence at five separate agencies.
In an Information Systems Audit Report released today, the WA Office of the Auditor General gave failing marks on cloud to Department of Fisheries, Department of Sport and Recreation, Metropolitan Redevelopment Authority, Public Sector Commission and Public Transport Authority.
“None of the five agencies could demonstrate effective management across all of the key areas relating to their implementation of a cloud based service with a consequent risk to the confidentiality, integrity and availability of information,” the audit found.
“Common weaknesses included not assessing business risks and costs and benefits of shifting to the cloud, inadequate contractual arrangements, and weaknesses in the IT security and business continuity arrangements.”
One example cited was the agencies failing to specify in contracts that data was not to be stored offshore even though that’s what they wanted, the audit said. The audit found that one agency’s back-up data was in fact stored offshore.
There were also no contractual requirements related to data security controls, service continuity or performance reports, according to the audit.
The Department of Finance and State Records Office is now producing additional guidance about offshore storage and other cloud issues, it said.
Of the five agencies, four did not effectively manage risks associated with cloud, the audit found.
“In particular, these risks related to information security and sovereignty, system performance, unauthorised access, legal and regulatory compliance and loss of access to the system, service or information. If these risks are not managed properly, they could have a significant impact on an agency’s key objectives and operations and result in the loss or disclosure of information.”
Only two agencies had written a business case to support their decision to the move to the cloud, the audit found.
Three of the agencies suffered from a range of information security weaknesses, including known software vulnerabilities that had not been fixed or updated and a lack of encryption for sensitive information on backup tapes.
All five WA agencies acknowledged problems and pledged to resolve the issues.