South Australia: Where small doesn't equal insecure

[Blog post] Adelaide punching above its weight.

South Australia proves that being a small state with an even smaller budget is no excuse for letting information security fall by the wayside.

The state’s IT security policy is forensic in its detail - at 224 pages, and linking back to an additional 135 manuals and standards, any SA government infosec professional would be well within his or her rights to feel a bit daunted by the document.

Roughly based on ISO 27001, SA’s Information Security Management Framework is a risk-based scheme presenting a sliding scale of recommendations to agencies based on the relative sensitivity of their systems and the data they contain.

Importantly, it makes it painfully clear that a number of the provisions are mandatory. It also makes it painfully clear that the buck stops with the agency chief when it comes to a failure to secure this information.

Score: 5/9

Like most of the jurisdictions reviewed, South Australia does not demand that agencies get their compliance with ISO 27001 independently certified - although it strongly encourages that they do.

But CIOs and infosec execs are by no means left to rest on their laurels. The one-time Office of the Chief Information Officer - now rebranded as the digital government wing of the Department of Premier and Cabinet - demands annual self-assessments of ISMF compliance.

The state also has a track record of sending other parties in to stick their noses into the state of cyber affairs.

In 2014 the OCIO commissioned an external assessor to review the compliance record. It found most agencies had started down the path to full compliance against the ISMF, with all boxes due to be ticked by 30 June 2017.

The consultant did pick out some pretty big holes in the security of web applications, however - one agency was caught sending user credentials in clear text; others had insufficient password controls or lockouts for customer-facing web applications; and another allowed a request to a non-existent file to expose the server path to the audit team online.

But all in all, the findings didn’t generate the same sense of looming catastrophe as other state infosec audits. The SA auditor general also conducts compliance reviews as part of his annual report to parliament.

South Australians should be relieved there are at least minimal places for incompetence to hide.

By Paris Cowan
Read more from this blog: The State of Security