South Australia's mainframe provider, HP, hasn't provided mandatory security compliance reports to the government since 2008, and no-one appears to have noticed, according to the state's auditor.
HP is contractually obliged to report on its compliance with international security standards every year under the terms of the multi-million dollar deal.
It has been the primary mainframe provider in the SA public sector since December 2006, under a rolled-over deal that will continue until 2018. The contract is worth an estimated $119 million.
As part of his latest SA government performance review (pdf), auditor-general Andrew Richardson and his team dug into the administration of the mainframe deal.
While they found billing and access conditions were generally being met, they pointed out that HP was supposed to undertake “continuous improvement reviews” of its compliance with security standards ISO/IEC 27001 and ISO/IEC 27002 as part of the deal.
“We found that there was a failure of the state and the service provider to satisfy the contractual obligations against this particular reporting requirement as no reporting on this particular aspect had occurred since 2008,” the audit revealed.
Despite this, Richardson said mainframe use “encompasses a relatively low proportion of overall ICT spending” in the state government.
That proportion will drop further as the SA Housing Trust is forced to move off its core mainframe-supported systems by 2017 at the latest.
Last year Tibco Software, which supports 34 of the Trust’s 38 mainframe-hosted systems, informed the housing stock manager it would only continue to provide extended support for the products until December 2017 at the latest.
As a result the SA Housing Trust is urgently working to push through a business case for its system transformation program, the cost of which “is expected to be significant”, according to the auditor.
But the agency faces the prospect of being left in the lurch like its counterparts at SA Health, who are battling one of their software providers in court after it refused to issue any more licences for the agency's legacy patient management software.
The three-year implementation timeframe for the Housing Trust mainframe replacement will take it beyond the end date for Tibco extended support, potentially leaving the entity vulnerable to unpatched software flaws and external attacks.