Western Australia's Department of Finance helpfully summarises the guts of the state’s cyber security policy in just 153 words.

Backed by a public service memorandum sent out in 2010, it asks that agencies write a security policy (but doesn’t dictate what it should contain), keep up with software patches (but with no minimum timeframe), and implement nebulous, unspecified “controls” on portable devices and USB drives.
In its defence, Western Australia does truly appear to be trying to get its IT governance together on a whole-of-government level.
In March it announced plans to appoint its first-ever government CIO, with a supporting office dedicated to devising and implementing IT policy throughout a state iTnews deemed to be the poorest performing in IT terms in the 2014 State of IT report.
The office opened in July, so only time will tell if it has a true impact on the sorry state of IT culture in the WA government - or whether it will become irreversibly tied up in the state’s IT savings drive.
One of its first jobs will be to pick up where the Department of Finance left off on a review of the state’s light-on cyber security policy. The review started in April and is due to hand down a new - and hopefully more enlightening - document before the end of the year, the office of the GCIO told iTnews.
*iTnews has given WA a mark of 2/9 according to our security maturity index. But some of you have contacted us to say even that is too generous. You have said the state doesn't have a formal information classification regime that warrants a full point. We concede that we may have been too lenient on the western state.
Just how impactful are whole-of-government policies anyway?
Last year state auditor general Colin Murphy found out what happens when IT security is governed according to a laissez-faire approach.
He found the Department of Sport and Recreation was completely in the dark about its HR systems vendor Talent2 backing up data in its Melbourne data centre - even though its contract stipulated information wasn’t to leave WA. Agencies were generally unaware of whether their data could be stored offshore due to a lack of central guidance.
This IT security limbo may or may not have contributed to the June 2014 discovery that in 2013, the percentage of all 54 WA agencies meeting the auditor's minimum expectations in terms of information security had dropped to 40 percent. One agency allowed 'aaaaa' as a password. Another had over 2000 generic user accounts.
“It is clear from the basic security weaknesses we identified that many agencies have not implemented fundamental security controls to secure their systems and information,” Murphy concluded.