Queensland’s Auditor-General Andrew Greaves has discovered even more issues with IT controls within the state government in 2013-14 than he did the previous year, with escalating infosec concerns making up the bulk of his adverse findings.
Information system controls are bucking an otherwise positive trend across the rest of government, Greaves revealed today, with a 60 percent “significant decline” in identified financial control weaknesses recorded across the state.
“This demonstrates that internal control systems have matured following the machinery of government changes in 2012,” the Auditor said in his report, tabled today.
Despite the overall progress, IT is not getting any tighter inside Queensland agencies, with 25 IT issues making it onto the Auditor’s watch list in the past year, up from 22 in 2012-13.
The vast majority – 84 percent – of the issues identified in 2013-14 related to security controls, compared to just 64 percent in 2012-13.
“Information security control weaknesses remain the primary area of concern for departments,” the Auditor said.
The primary points of failure he highlighted were:
- Inadequate oversight as to who has access to sensitive systems and the appropriateness of an individual's seniority to view the information,
- Inappropriate access by some users to financial and data transactions, leaving agencies vulnerable to fraud and information leaks,
- Overall vulnerability to external attack,
- A lack of monitoring of account activity, meaning fraudulent activity could remain unnoticed.
The one positive he did pull from the year-long assessment was the automation of financial authorisations using the SAP ECC5 eForms solutions in an increasing number of agencies and departments, including the Queensland Police Service, Department of Premier and Cabinet and Department of Community Safety, among others.
“This is a positive move away from the manual financial delegation systems,” he noted.
Information security is an area with which a number of Australian government agencies struggle.
Late last month the Commonwealth auditor found a number of large federal agencies had left themselves open to external attacks, and late last year the Victorian auditor found that the state government had no mechanism to deal with a coordinated multi-agency security breach, triggering the development of a state-wide IT security plan.