Western Australia’s auditor general has again raised concerns about information security at state government agencies.
A new report, tabled today, includes an assessment of security capabilities at 45 agencies. The audit found that, overall, agencies’ security postures were slightly poorer than in the preceding year.
“Change controls and physical security are managed effectively by most agencies, but the management of IT risks, information security, business continuity and IT operations need a much greater focus,” the report stated.
The Office of the Auditor General also assessed security controls across five key business applications employed within WA government: the Department of Commerce’s Complaints and Licensing System, the Department of Corrective Services’ Total Offender Management System, the Department of Environment Regulation’s Controlled Waste Tracking System, Gold Corporation’s Treasury System, and the Public Transport Authority’s SmartParker application.
“All 5 applications had some control weaknesses with most related to poor policies, procedures and the security of sensitive information,” the audit concluded.
“We also found issues with operational, procedural and process controls that aim to ensure the applications function efficiently, effectively and remain available.”
Most of the issues should prove simple and inexpensive to fix, the report stated.
“I am disappointed to see little or no improvement in controls year on year and agencies not treating this matter with the seriousness it deserves,” auditor general Colin Murphy said.
“Information security and business continuity have not improved, scores fluctuate year to year, but the trend remains flat. Given these categories relate to the security of information and the availability of services, I am very concerned about the lack of progress.”
A report from the WA auditor general tabled in November revealed a raft of security problems within government agencies.
“Many of the weaknesses I consistently report are easy to remedy such as poor password management and ensuring data recovery processes are in place and updated in the event of an incident,” Murphy said.