ACT Govt repels over one million intrusions

Auditor-General commends 'robust' security.

The ACT auditor-general has credited the territory government’s ‘robust’ ICT security regime for defending against more than one million attacks in the nine months to 31 March.

An audit report, released Friday, found ACT’s Shared Services ICT security “overall satisfactory” in protecting a network of 18,000 public servants, 37,500 students, 5000 teachers, and Canberra Institute of Technology students (pdf).

But not all directorates and agencies relied on the state’s Shared Services ICT offerings, despite it being the government’s preferred supplier.

ACT auditor-general Maxine Cooper noted that externally hosted agency websites were not as secure, with at least one documented compromise in the nine-month period.

She reported that such breaches could be minimised if all directorate and agency websites were hosted on the ACT Government network or by a government-endorsed suppliers.

Cooper found administrative structures and processes that supported whole-of-government ICT policies and procedures “satisfactory”, but there were shortcomings in security governance and mobile security plans.

Use of handheld devices, or “portable platforms” that could access the ACT Government’s networks and the internet was growing, but it was unclear who owned data on a device provided to an employee.

Despite a “well-structured and wide ranging” Shared Services ICT security template, only five percent of the government’s 1025 information management systems had a system security plan, and 2.24 percent had undergone threat and risk assessments.

“It is not clear to Audit why there are so few security plans or threat and risk assessments,” Cooper wrote.

“This may be a problem related to communication between Shared Services ICT and directorates and agencies, who own the data in the systems.

“There is great scope for expanding the use of system security plans and threat and risk assessments given how few have been prepared.”

“Whole-of-government information security roles and responsibilities and communication processes are not overall well defined and documented; this hinders communication,” Cooper noted.

Shared Services ICT agreed to prepare roles and responsibilities documents and seek to establish mandatory website hosting requirements by 1 January next year.

A spokesperson for the unit reported that it would complete a “significant body of work on policy, protocols and procedures for mobile technology” by 1 October 2012.

Shared Services ICT also agreed to evaluate whole-of-government electronic records management options to improve record keeping, security and collaboration between directorates.