The NSW Government has been unable to ascertain how well agencies are securing citizens' sensitive personal information, according to an Auditor-General's report.
Although the state had a Security of Electronic Information policy in place, NSW Auditor-General Peter Achterstraat found that agencies' compliance and certification was not effectively monitored.
"The Government cannot say with any certainty whether agencies have implemented its policy," Achterstraat wrote in his 34-page report (pdf).
"That information which does exist suggests at least two thirds of agencies have not complied with the Government's policy."
The current policy was implemented in 2007, and required agencies to use information security management systems that complied with the international ISO/IEC 27001 standard.
But according to an online survey conducted by the Government CIO in late 2007, only 26 of 97 agencies had part of their information security management system certified.
The Auditor-General argued that NSW's 2007 policy lacked a deadline, effective monitoring and consequences for agencies that failed to comply.
Highlighting security standards put in place in the UK, Victoria and Queensland, Achterstraat called for NSW to establish a new ICT strategy and electronic information security governance arrangements by June 2011.
"There has been an absence of clear direction and strong leadership to ensure that people's private details are held securely by all government agencies," he wrote.
"The people of NSW have every right to expect their and their families' private details are secure regardless of which government agency holds them."
Noting that the audit had "not identified any systemic information security problems within the NSW Government", the Department of Premier and Cabinet acknowledged a need to consider "future risks and possible problems".
In his response to the audit, Departmental Director-General Brendan O'Reilly wrote that the current Security of Electronic Information policy was being reconsidered.
"The Audit recommends establishing minimum standards and requirements for consistent processes to manage information assurance risks, as well as strengthening accountability through improved scrutiny and transparency," O'Reilly wrote.
"These initiatives are supported, subject to the outcome of the reforms currently under consideration by Government."