Defence is continuing to experience problems with outsourced IT service providers making undocumented changes to its infrastructure.
The problems were first highlighted by the Australian National Audit Office (ANAO) back in 2015-16.
“The ANAO identified that unauthorised changes were made by the external organisation to applications and IT systems and that Defence was not aware of the proposed changes prior to implementation,” it said at the time.
“These weaknesses increase the risk of Defence’s business processes being compromised, network performance being impeded and unauthorised access to data.”
A year later, the ANAO remarked that “controls were implemented to address these weaknesses, resulting in closure at 2015–16 year end”.
However, it said that the controls had “not been sustained”, forcing the auditor to re-raise the issue in 2016-17.
One year on, change management remains an issue.
The ANAO said late yesterday [pdf] that it had tested a sample of “infrastructure changes executed by the service provider” and had “identified continuing weaknesses in the IT infrastructure change management process.”
“These weaknesses included one instance where no evidence or supporting documentation could be provided that appropriate testing occurred prior to the implementation of a change; and three instances where no evidence or supporting documentation could be provided of a post-implementation review being undertaken as required by Defence,” the auditor said.
In better news for Defence, the auditor reported the agency had assumed far greater oversight of system access privileges being granted to users.
Back in 2014-15 [pdf], the auditor called out a range of issues, including failure to monitor privileged user access and not revoking privileges when they were no longer required.
Many of these concerns have now finally been addressed.
The auditor noted that in the past year, Defence had “reviewed and rationalised the number of individuals with privileged access, commenced a review of generic accounts with privileged access, and rationalised the number of users with access to change management tools.”
“From January 2018, Defence ICT security commenced obtaining appropriate reports
from the service provider to confirm privileged users’ access that was no longer required was promptly removed,” the auditor added.