Victoria is troubled by a mysterious case of a disappearing cyber security strategy.
In November 2013 then-Technology Minister Gordon Rich-Phillips got a head start on a damning auditor-general’s report released later the same week by announcing the state would call in infosec guru Alastair MacGibbon to create a new whole-of-government cyber security strategy.
That was the first and last we heard of it.
A spokesperson for the Department of Premier and Cabinet - which now has responsibility for IT after the remit went from agency to agency over the last few years - told iTnews the policy had “provided some good insight into how to approach cyber security at a state level”, but was ditched in favour of aligning Victoria with the impending result of the federal government’s cyber security review.
This means the state is still stuck with its 2012 policy, which centres on the Commonwealth’s Information Security Manual, including the ASD’s Top Four mitigation strategies.
Don’t feel bad if you’ve lost track; the public service’s infosec professionals have too.
In his 2013 review, auditor-general John Doyle reported that at least one security manager admitted he had never seen his own agency’s IT security policy.
Additionally, one in four outer-government agencies had never heard of the whole-of-government policy.
A new government and governance structure doesn’t seem to have helped. When asked about the status of the whole-of-government policy, a DPC spokesperson said the state had “a range of policies, standards and guidelines that span across multiple domains”.
She said final authority on public sector infosec lay with the newly-amalgamated Office of the Commissioner for Privacy and Data Protection (CPDP).
But the whole-of-government policy is only accessible from the website of DPC’s enterprise solutions division.
The confusion is almost certainly taking its toll. In 2013 Doyle and his team conducted penetration testing across a sample of Victorian government agencies.
They managed to find passwords to a Victorian government bank account, and “easily hacked” a local admin’s password, which handed them control of some 6000 devices on the agency’s network – precisely the kind of administrative-privilege exposure the Top Four are meant to limit.
Little wonder, then, that figures supplied to the auditor-general by the Australian Cyber Security Centre indicated that Victoria, alongside WA, accounted for the most “serious” security incidents of all the states and territories in 2012.