Tax Office passes USB security audit

Powered by SC Magazine
 

Smaller agencies ordered to overhaul security.

The Australian Tax Office is enjoying a rare dose of good news after the Auditor General found its security standards up to scratch in a report released today.

Two smaller agencies didn't fare as well and are set for a security overhaul in 2012.

Insolvency and Trustee Service Australia (ITSA) and Hearing Australia wore a security smack-down after the national auditor found gaping holes in the management of portable devices like phones and USB sticks used to carry corporate data.

The agencies had outdated policies for the use of devices, lacked processes to track corporate USBs and did not use encryption on any portable device, the ANAO found.

Hearing Australia reported that encryption could cause some of its medical equipment to stop functioning.

One staffer at ITSA reported that “USBs had become the norm” to transport large corporate documents because shared devices were not available.

At that agency, policy for handling storage was at least five years old and staff training was typically only done on an informal basis when employees were hired.

Neither of the two agencies had a mechanism to track the movement of files from the corporate network to portable devices.

The auditor said that the use of personal smart phones including BlackBerrys and iPhones on the agencies' corporate networks was less concerning because of in-built security controls.

Both agencies pledged to begin security revamps next year, and will replace portable devices with corporate-issued, tracked and encrypted devices. Both also promised to install infrastructure to manage devices and refresh training and policy.

The ATO, by contrast, was thoroughly praised for its efforts to secure devices.

All 2500 corporate USBs used at the agency were encrypted, required biometric fingerprint authentication and were restricted to a single brand.

Staff were forced to go through an approval process before they could be issued with a device and even then were restricted in the types of documents that could be transferred onto the devices.

The report praised the ATO after “only” 44 of 322 responding agency staff said they had not had training in portable device security in the last year.

Government agencies have until 31 July next year to comply with new portable device security standards detailed in the Protective Security Policy Framework.

Copyright © SC Magazine, Australia

