As part of what has become an annual tradition in Western Australia, the state auditor general has slammed the security of a number of WA government IT systems.
The WA Office of the Auditor General today released its annual information systems audit report. It is the ninth edition of the report and in his overview the state’s auditor general, Colin Murphy, expressed his frustration that basic security measures were continuing to be neglected by government agencies.
“Disappointingly, I must again report that many agencies are simply not taking the risks to their information systems seriously,” Murphy wrote in his overview.
“I continue to report the same common weaknesses year after year and yet many agencies are still not taking action. This is particularly frustrating given that many of the issues I have raised can be easily addressed. These include poor password management and ensuring processes to recover data and operations in the event of an incident are kept updated.”
A key issue is that security is frequently regarded as purely an issue to be addressed by IT departments, with agencies’ leadership failing to adequately engage with the issue.
“As recent high profile malware threats have shown us, no agency or system is immune from these evolving and ongoing threats,” Murphy said. “The risk to agency operations and information is real and needs to be taken seriously.”
The number of agencies with mature general computer controls (GCC) environments fell from 10 in the prior year to seven in 2016, the report states.
GCC covers six categories: information security, business continuity, management of IT risks, IT operations, change control and physical security.
In addition, the report audited key applications at five agencies: the Image and Infringement Processing System (IIPS) at WA Police; Navigate at the Department of Racing, Gaming and Liquor; the Laboratory Information Management Systems (LIS) at the state’s Chemistry Centre; the Corruption and Crime Commission’s Case Management and Intelligence System (CMIS); and the Department of Finance’s Project and Contract Management (PACMAN) system.
The report found that all five applications “had control weaknesses with most related to poor information security, policies and procedures”.
Among those weaknesses were that WA Police “shares sensitive information with third parties by transferring it in clear text across the internet.”
“It also stores sensitive information unencrypted on back up tapes,” the report states. “Encrypting this information would help protect it from unauthorised use,” the report notes (a line that in any context other than an audit report would probably be considered witheringly sarcastic in tone).
The report reveals that WA Police “shares infringement data, containing names, addresses and offence information, electronically with a third party vendor in an insecure manner”.
The vendor then uses that information, provided in clear text over the Internet “via a simple file transfer method”, to print and mail traffic infringement notices.
WA Police relies on its contractors to patch systems, but the audit identified unpatched known vulnerabilities. User access was not appropriately controlled, the report adds.