WA auditor could name and shame worst infosec offenders

A frustrated WA auditor general has warned he is seriously considering reversing his policy of not identifying the state government agencies with the weakest IT defences after they failed to improve their dismal cyber security postures.

“My practice is not to name agencies that have information system weakness for fear that this could encourage attempts to exploit the weaknesses," Colin Murphy wrote today, introducing the results of his 2015 survey of security provisions in the state government [pdf].

“However, I am now reviewing that position and seeking advice as to whether the naming of high-risk agencies is necessary in order to achieve essential change."

Last year, Murphy said his pentesters were able to break into two sensitive state government networks on their first go using the password ‘password’.

In this year’s report, the results are even worse.

In 2015, Murphy’s whole-of-government IT security survey uncovered 454 problems, up from 389 in 2014.

It also identified a 3 percent decline in the number of agencies meeting the audit office’s bare minimum infosec benchmark, sending the proportion below half.

The office’s eighth annual infosec audit was also the first to map sector-wide progress on key metrics year-on-year over the term, revealing that WA has not improved at all in terms of business continuity and basic information security since the first audit was conducted in 2008.

“I am disappointed to see little or no improvement in controls year on year and agencies not treating this matter with the seriousness it deserves,” Murphy wrote.

“Many of the weaknesses I consistently report are easy to remedy such as poor password management and ensuring data recovery processes are in place and updated in the event of an incident.

“I may have to look at ways to make agencies more accountable for IT weaknesses and it may include naming agencies not addressing or taking action to rectify concerns."

Five core agency systems were reviewed in greater depth as part of the 2015 audit round.

The system managing the crimes, sentences, behavioural incidents, and release into the community of WA corrective services prisoners was found to be plagued by data errors and manual processing.

The audit team found that prison sentences are manually exported into a spreadsheet to be calculated before they are manually re-entered into the official offender management system.

The report also revealed confidential court warrants, including those relating to young offenders, are being stored either in unlocked cabinets or electronically in a shared email system.

Elsewhere in the state, the audit office found 40 percent of all staff at the Department of Environment Regulation had privileged administrator access to its controlled waste tracking system. It also caught the Department of Commerce sending scanned credit card details via unencrypted email.