Victorian agencies are handing over privileged system access to too many staff and are failing to patch critical systems, in some cases for years, according to the state's Auditor-General.
Nearly every agency in the state has earned at least one black mark against its name in the past 12 months of investigations, Auditor John Doyle's end of year tally has revealed.
In his office’s first ever whole-of-government survey of Victorian IT controls, Doyle found:
- Some agencies haven’t patched major applications since July 2010
- Agencies are handing out privileged access to system users who don’t need it
- IT provider agency CenITex still hasn’t taken action to shore up its absent disaster recovery plans
The report, tabled to parliament today, said the scale of the problems highlighted “the need for public sector chief information officers (CIO) to focus additional effort on ICT security processes and controls”.
The good news for the state government, which faces a general election next month, is that most of the issues are very easily fixed, and have been able to slip through the gaps because of poor oversight and monitoring.
Patch management ranked as the least mature IT control across the audited agencies, with 56 percent of entities experiencing problems keeping on top of their software updates.
One unnamed agency hadn’t patched one of its major systems since July 2010, missing 21 vendor recommended updates including three classified as critical – the oldest of which was made available in 2008.
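The report measures a patch backlog the way an auditor would: which vendor updates a system has never received, how many of those are critical, how old the oldest one is, and how long since anything was applied. The script below is an added example, not code from the audit office or any agency; it runs that check over a constructed patch catalogue and system inventory (all names, patch IDs, dates and severities are invented) and ranks systems by exposure.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class VendorUpdate:
    patch_id: str      # vendor's identifier for the update (constructed)
    severity: str      # "critical", "important" or "moderate"
    released: date     # date the vendor made it available


@dataclass
class SystemRecord:
    name: str
    applied: Set[str]  # patch_ids confirmed installed on this system
    last_patched: date # last date any update was applied


# Constructed vendor catalogue for a hypothetical application.
CATALOGUE: List[VendorUpdate] = [
    VendorUpdate("P-2008-01", "critical", date(2008, 3, 11)),
    VendorUpdate("P-2009-02", "important", date(2009, 6, 2)),
    VendorUpdate("P-2010-03", "moderate", date(2010, 5, 20)),
    VendorUpdate("P-2010-04", "critical", date(2010, 7, 13)),
    VendorUpdate("P-2012-05", "critical", date(2012, 2, 14)),
    VendorUpdate("P-2013-06", "important", date(2013, 9, 10)),
]

# Constructed inventory: one system left alone since mid-2010, one nearly current.
INVENTORY: List[SystemRecord] = [
    SystemRecord("finance-app", {"P-2009-02", "P-2010-04"}, date(2010, 7, 15)),
    SystemRecord("hr-portal",
                 {"P-2008-01", "P-2009-02", "P-2010-03", "P-2010-04", "P-2012-05"},
                 date(2012, 3, 1)),
]

AUDIT_DATE = date(2014, 10, 31)  # constructed "as of" date for the check


def missing_updates(system: SystemRecord, catalogue: List[VendorUpdate]) -> List[VendorUpdate]:
    """Every catalogue entry not recorded as applied, oldest first.

    Membership is checked by patch id rather than by release date, so an
    update that predates the last patch run but was skipped still shows up.
    """
    return sorted((u for u in catalogue if u.patch_id not in system.applied),
                  key=lambda u: u.released)


def patch_gap_report(system: SystemRecord, catalogue: List[VendorUpdate],
                     as_of: date) -> Dict[str, object]:
    """Summarise one system's backlog in the terms an audit report uses."""
    missing = missing_updates(system, catalogue)
    oldest: Optional[int] = missing[0].released.year if missing else None
    return {
        "system": system.name,
        "missing": len(missing),
        "critical": sum(u.severity == "critical" for u in missing),
        "oldest_missing_year": oldest,
        "days_since_last_patch": (as_of - system.last_patched).days,
    }


def rank_by_exposure(inventory: List[SystemRecord], catalogue: List[VendorUpdate],
                     as_of: date) -> List[Dict[str, object]]:
    """Most critical gaps first, then the largest backlog, then the stalest."""
    reports = [patch_gap_report(s, catalogue, as_of) for s in inventory]
    reports.sort(key=lambda r: (-int(r["critical"]), -int(r["missing"]),
                                -int(r["days_since_last_patch"])))
    return reports


if __name__ == "__main__":
    for r in rank_by_exposure(INVENTORY, CATALOGUE, AUDIT_DATE):
        print(f'{r["system"]}: {r["missing"]} missing ({r["critical"]} critical), '
              f'oldest from {r["oldest_missing_year"]}, '
              f'{r["days_since_last_patch"]} days since last patch')
```

Keying the check on patch identifiers rather than on "anything released after the last patch date" is what surfaces the kind of finding the report describes, where the oldest missing update predates the last patching activity by two years.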
“The maturity of patch management practices is variable across government. It can range from patches being omitted as a result of accidental oversight in better managed organisations, to organisations where patching is not actively managed and systems go unpatched for years.”
- Information and Communications Technology Controls Report 2013–14
Lax user access controls accounted for the largest slice of high-risk security concerns.
In one typical case, an unidentified agency had given 113 users, including five staff with super-user privileges, accounts where the passwords had no fixed expiry. As a result, the lifespan of the passwords ranged from 98 to 742 days.
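The finding above is the kind of thing a periodic access review can catch mechanically: accounts with no expiry set, passwords older than policy allows, and whether any of those accounts are privileged. The script below is an added example and not the audit office's or any agency's code; it applies that check to a constructed account export (the usernames, the 90-day policy threshold and the audit date are assumed, and the password ages are modelled on the 98- and 742-day figures in the report) and lists privileged accounts first.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

MAX_PASSWORD_AGE_DAYS = 90  # assumed policy threshold; not a figure from the report


@dataclass
class Account:
    username: str
    privileged: bool            # super-user / administrative rights
    password_set: date          # when the current password was last changed
    expiry_days: Optional[int]  # configured maximum age; None = no fixed expiry


AUDIT_DATE = date(2014, 10, 31)  # constructed "as of" date

# Constructed export of an agency's directory; ages chosen to mirror the report's range.
SAMPLE_ACCOUNTS: List[Account] = [
    Account("admin01", True, AUDIT_DATE - timedelta(days=742), None),
    Account("jsmith", False, AUDIT_DATE - timedelta(days=98), None),
    Account("svc_etl", True, AUDIT_DATE - timedelta(days=400), None),
    Account("alee", False, AUDIT_DATE - timedelta(days=30), 90),
    Account("mchen", False, AUDIT_DATE - timedelta(days=120), 90),
]


def password_age_days(acct: Account, today: date) -> int:
    return (today - acct.password_set).days


def audit_accounts(accounts: List[Account], today: date,
                   max_age: int = MAX_PASSWORD_AGE_DAYS) -> List[Dict[str, object]]:
    """Return one finding per non-compliant account, privileged accounts first.

    Two independent checks: an account may have no expiry configured at all,
    and, whether or not it does, its current password may already be older
    than policy allows (an expiry that is set but not enforced still fails).
    """
    findings: List[Dict[str, object]] = []
    for acct in accounts:
        age = password_age_days(acct, today)
        issues: List[str] = []
        if acct.expiry_days is None:
            issues.append("no fixed password expiry")
        if age > max_age:
            issues.append(f"password age {age} days exceeds policy of {max_age}")
        if issues:
            findings.append({"user": acct.username, "privileged": acct.privileged,
                             "age_days": age, "issues": issues})
    # Privileged accounts first, then oldest passwords first within each group.
    findings.sort(key=lambda f: (not f["privileged"], -int(f["age_days"])))
    return findings


def summarize(findings: List[Dict[str, object]]) -> Dict[str, Optional[int]]:
    """Headline numbers in the form an audit report quotes them."""
    if not findings:
        return {"total": 0, "privileged": 0, "newest_days": None, "oldest_days": None}
    ages = [int(f["age_days"]) for f in findings]
    return {
        "total": len(findings),
        "privileged": sum(bool(f["privileged"]) for f in findings),
        "newest_days": min(ages),
        "oldest_days": max(ages),
    }


if __name__ == "__main__":
    results = audit_accounts(SAMPLE_ACCOUNTS, AUDIT_DATE)
    for f in results:
        tag = "PRIVILEGED" if f["privileged"] else "standard"
        print(f'{f["user"]:10} {tag:10} {f["age_days"]:4}d  {"; ".join(f["issues"])}')
    print(summarize(results))
```

Sorting privileged accounts to the top is deliberate: the review's first question is not how many accounts are out of policy but which of them can administer the system.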
Doyle also repeated his demand for the state's IT shared services agency CenITex to address the absence of a disaster recovery plan for the services it controls.
While the latest report does not name CenITex directly, it did so when the Auditor-General originally raised the issue in November 2013, and it now complains that nothing appears to have happened in the 12 months since.
“Although the service provider had advised the departments and agencies in its annual attestations that it does not have an ICT disaster recovery plan to address significant failures, there had been no action by the service provider to address the risk.”
The Victorian audit office has already flagged its intention to step up scrutiny of the state’s notorious IT operations over the next three years.
The government has also promised to issue its first sector-wide IT security strategy, which is currently still in development.