Almost half of all Queensland government departments and agencies have access control issues that have left information systems exposed and vulnerable, a review by the state's audit office has found.
Weaknesses were identified across 60 per cent of 69 public sector entities, which failed safeguard tests documented in a report by Queensland Auditor General Len Scanlan.
Access controls were of particular concern as they were raised at 45 per cent of the entities reviewed, he said, and constituted 65 per cent of all problems raised in relation to general information systems controls.
The audit found that users were being granted inappropriate levels of access, giving public sector employees rights to view and modify data beyond what their roles required.
Scanlan said accounts for users who had left organisations were still active and there was a failure to monitor system audit logs to identify inappropriate activities.
He said there were also inadequate controls over passwords, with some users not even required to submit a password to gain entry to a system.
About 33 per cent of entities reviewed did not have formal security policies and the Auditor General has recommended the establishment of information steering committees in each department to maintain good governance, secure public records and undertake risk assessments.
"The effectiveness of general information systems controls and the integrity of business data can be undermined by poor information security and changes to the environment in which systems operate. The continued identification of IS control weaknesses over the past three years, particularly in relation to access controls, and their negative impact on confidence in the integrity of an agency's data is of concern to me," Scanlan said.
A security review of Internet-facing infrastructure, including routers, firewalls and servers, was also undertaken. It exposed major vulnerabilities that could allow an attacker to take over an entire network.
Scanlan has recommended a single point of responsibility for security, risk assessment before the introduction of IT systems, the installation of operating systems that have been security hardened, greater use and timely installation of security patches, and the elimination of inherent weaknesses across the public sector.