Queensland: Legacy IT bringing down infosec efforts


[Blog post] Can a tough IT security regime overcome the legacy risk?

Queensland appears to be getting the fundamentals of a central infosec scheme right. It has a clear policy with an unambiguous list of mandatory principles, even if it was written back in 2009.

There’s no confusion about who the peak authority for cyber security is. There’s no mandatory third-party certification of compliance, but agencies are required to conduct annual self-assessments. Government CIO Andrew Mills insisted to iTnews that all applicable bodies had successfully handed these in for 2014.

Mills also said Queensland agencies are expected to run penetration testing on all “critical online services”. The government operates a centralised vulnerability scanning program, and applies central monitoring to its internet gateway.

Its central scheme, Information Standard 18, is another that borrows heavily from ISO 27001.

Score: 5/9

Queensland’s big problem, however, is legacy IT. It is arguably the nation’s capital for out-of-support software.

In his 2012 audit of the state’s IT environment, then-GCIO Peter Grant calculated 19 percent of all technologies were outside vendor support. At the time, only 54 percent of agencies had successfully migrated off Windows XP.

The state’s audit office said in 2014 that security remained the number one IT control concern it had for Queensland agencies.

In the 2013-14 year, security concerns made up 84 percent of all IT-related internal control issues identified, up from 64 percent in 2012-13.

The audit team narrowed their concerns down to a number of commonly held weaknesses, like staff members having an inappropriate level of access to systems, users having an inappropriate level of access to sensitive or restricted transactions that could lead to fraud, and poor management of user accounts.

Paris Cowan
Paris Cowan joined iTnews in July 2013 after a stint at Intermedium, a news and data analysis firm based exclusively on government IT procurement. At Intermedium, Paris reported on new IT projects underway in state and federal agencies, interviewed public sector CIOs and was subsequently promoted to Online Editor in June 2012. While public sector IT will remain her key focus at iTnews, she has been given a broader remit to cover technology programs across several industries.
Read more from this blog: The State of Security
