Queensland appears to be getting the fundamentals of a central infosec scheme right. It has a clear policy with an unambiguous list of mandatory principles, even if it was written back in 2009.
There’s no confusion about who the peak authority for cyber security is. There’s no mandatory third-party certification of compliance, but agencies are required to conduct annual self-assessment - government CIO Andrew Mills insisted to iTnews that all applicable bodies had successfully handed these in for 2014.
Mills also said Queensland agencies are expected to run penetration testing on all “critical online services”. The government operates a centralised vulnerability scanning program, and applies central monitoring to its internet gateway.
Its central scheme – Information Standard 18 – is another that borrows heavily from ISO 27001.
Queensland’s big problem, however, is legacy IT. It is arguably the nation’s capital for out-of-support software.
In his 2012 audit of the state’s IT environment, then-GCIO Peter Grant calculated 19 percent of all technologies were outside vendor support. At the time, only 54 percent of agencies had successfully migrated off Windows XP.
The state’s audit office said in 2014 that security remained the number one IT control concern it had for Queensland agencies.
In the 2013-14 year, security concerns made up 84 percent of all IT-related internal control issues identified, up from 64 percent in 2012-13.
The audit team narrowed their concerns down to a number of common weaknesses, such as staff members having an inappropriate level of access to systems, users having an inappropriate level of access to sensitive or restricted transactions that could lead to fraud, and poor management of user accounts.