The ACT government has been told to lift its data security game after the territory's auditor-general raised serious concerns with its policies and the data handling practices of public servants.
The audit of the territory’s data security practices also reveals that the government is without a government-wide data breach response plan, despite suffering a breach as recently as late 2018.
The report, released on Friday, is highly critical of the ACT public sector’s compliance with mandatory requirements under the government’s ICT security policy.
The policy, which was refreshed last August, requires that directorates and agencies comply on an annual basis to assist whole-of-government data security management.
But there is currently no requirement for them to demonstrate their compliance with the ICT security policy, unlike the reporting under the ACT protective security policy framework.
As such, the audit found that compliance with the ICT security policy is not effective and that agencies have “not clearly understood their data security risks and requirements”.
“By not complying with the ICT security policy requirements, the ACT public service is not well placed to understand what data agencies are responsible for, the risks of this data being breached and controls to be implemented across government to manage this risk,” the audit states.
The audit, which was released the same day as the Prime Minister's cyber security plea, said only a single agency had effectively documented its system security risks, and that was for a single system.
In total, 89 percent of critical IT systems were without a current “security risk management plan that demonstrated and documented data security risks and controls”.
While much of the blame in this area was levelled at agencies, the audit was also critical of the government’s shared services arm, which despite having effective tools and processes in place, is “experiencing a significant backlog of security assessments”.
It found that Shared Services, on average, takes over three months to commence a critical IT system security assessment and a further eight months to complete a critical IT system security risk management plan.
The audit also said that the government was without a “whole-of-government data breach response plan to manage and coordinate resources and stakeholders in the event of a major data breach”, though there are currently plans for such a document.
“Following a significant data breach of the ACT Government’s online directory in November 2018 the Security and Emergency Management Senior Officials Group reviewed roles and responsibilities for cyber security across the ACT Government network,” the audit states.
“The Security and Emergency Management Senior Officials Group intends that these actions will be completed by July 2020.”
The audit also found that individual agencies “are not well placed to respond to a data breach or loss of system availability and need to invest more effort in documenting and testing how to restore functionality of critical business systems”.
This risk of a potential data breach is also aggravated by what the audit said was a lack of data security awareness among public servants stemming from a lack of education.
“A particular area of risk to note is a lack of user education on how to use data securely,” the report states.
“A lack of awareness has been demonstrated in a lack of understanding of how to share data securely, as well as recognising when a data breach has occurred and needs to be reported.
“This increases the likelihood of a data breach and its potential impact.”
While the audit noted that staff in the Community Services Directorate were found to “demonstrate a good understanding of what data was considered sensitive personal information”, this was not the case for all agencies.
“Users in other audited agencies did not demonstrate an awareness of the risks associated with sensitive personal information, and of sharing this data via email or USB drives and were also unaware of the acceptable file sharing mechanisms that are available to them,” the audit states.
The audit also found that unauthorised cloud-based IT services are continuing to be used by public servants, which it said “presents a risk to ACT government agencies’ data security”.
This is despite the IT security policy requiring that all IT systems, including cloud services, be registered with Shared Services, which it has not been able to successfully maintain.
“Typically, these cloud-based services are identified and downloaded by ACT government agencies’ employees,” the audit states, adding that the software is largely for “image and document conversion”.
“The use of these services presents a risk of exposing sensitive data to cloud-based service providers with unknown data security protections, as well as licencing and legislative compliance risk.”
Shared Services has also been working with directorates to map cloud services and other IT systems across government and identify any shadow IT since receiving funding in 2018.
It is now preparing to ramp up this work, with new functionality being implemented to automatically discover IT systems and assets across the government’s IT network.
“Until this is successfully implemented and producing the expected results, there will not be a collective and comprehensive understanding of ICT systems across ACT Government and therefore accountabilities for data assets,” the audit states.