Five ACT government directorates are continuing to run systems on servers with end-of-life operating systems, five years after the territory’s auditor first warned of the need to upgrade.
Auditor-general Maxine Cooper today revealed 10 remaining instances of systems that use servers with unsupported operating systems in the 2016-17 audit of the ACT's systems.
The audit is an improvement on 2015-16, when 34 instances of unsupported server operating systems were uncovered, spanning medical, personal details, land titles, territory revenue and assets, electronic documents and records systems.
Systems that remain on unsupported servers include the land titles business system, endoscopy reporting system, medical transcription system and e-development business system.
The audit office has been warning the government of the need to upgrade end-of-life server software since 2011-12.
The issues were partially resolved by the territory’s Shared Services agency during 2015-16, when 72 of the 106 identified servers were updated and further plans were put in place to upgrade the remaining servers.
But the audit office has again had to recommend that the directorates “obtain vendor support for operating systems that are unsupported”.
“While this reduction is positive, the continued use of unsupported operating systems on servers is a risk to the security and performance of the ACT government network,” the audit office said.
Responding to the audit, all five agencies said they were planning to decommission the supported services by July 2018, or had already replaced the unsupported machines.
Shared Services stressed to the audit office that a “program to progressively decommission the use of unsupported operating systems on servers” was in place.
It also said it had implemented an "ICT security approved vulnerability mitigation solution" for systems on unsupported servers.
“Shared Services undertook a program to deploy Trend Deep Security agent to all servers with unsupported operating systems in mid-2016 to protect the servers against any threats,” it said.
“This software places a virtual ‘bubble’ around a vulnerable system, protecting it from attack until such time as the server can be decommissioned.”