A review of Victoria's online initiatives by the state's Auditor General's Office has recommended a sweeping threat-and-risk assessment of information systems and data for all state government agencies.
Assessments should then be conducted periodically, the review said, which found "quality of planning and documentation in relation to information security varied widely between agencies".
The Auditor General also identified the need for information security training, as well as reporting procedures for security incidents. Disaster recovery planning also rated poorly, with the report stating that "none of the agencies reviewed had an adequate disaster recovery plan for their Internet and e-mail services, including Web sites".
The report also said there was an expectation that those agencies which outsourced would have a service provider that would manage risk and security controls, but security was not included in the contracts.
Wireless networking also came under attack in the report, which identified weaknesses in network configuration and architecture.
"All agencies should perform a formal risk assessment prior to establishing wireless infrastructure as part of their computer networks, and seek expert advice in relation to the adequacy of this security," the report said.
All agencies reviewed had firewalls but had a mix of practices associated with their management; the Auditor General recommended formal processes be introduced as well as an improvement in firewall configuration.
A technical examination of Web and e-mail servers and other Internet devices found a range of weaknesses.
"Some of these vulnerabilities were considered a high risk to the security over those systems. Many of these security weaknesses were a result of the agency not appropriately hardening the systems prior to implementation and not allocating the level of resources required to update security patches and test security on a regular basis," the report said. (www.audit.vic.gov.au/reports)