Victorian agencies under IT, infosec scrutiny

The Victorian audit office has its sights set squarely on the public sector's technology capabilities and will undertake eight separate audits of central government agencies' IT, data, and security chops over the next three years.

The state auditor today laid out the laundry list of reviews it will undertake from now until 2020 as part of its annual 2017-18 plan.

It reveals a targeted focus on technology capability, policy, and delivery within the state's central government agencies, as well as a handful of data sharing and protection - as well as systems and information security - audits within several specified agencies.

In the auditor's most immediate sights is the security and privacy of surveillance technologies in public places, as well as the effectiveness of the state government's digital dashboard.

For the first, the audit office's goal is to determine whether the government is adequately securing the data collected from public video surveillance, and properly protecting individuals privacy, given the increased use of CCTV and drone devices.

It will specifically target the Transport, Justice, Health, and Police agencies, alongside VicRoads, Public Transport Victoria, and selected local councils.

"Use of public surveillance technologies by government agencies is widespread and growing. While this practice may have benefits for public safety, security and privacy concerns have continued to follow government’s use of these technologies," the audit office wrote.

Also on the audit list for the coming year is the Department of Premier and Cabinet's new digital dashboard, which went live last July. It publishes the current status of all government IT projects worth more than $1 million.

The audit office said in 2015 that determining the status and outcomes of public sector IT initiatives would not be an easy task, and it now wants to know whether the dashboard has improved transparency at all in government IT investments.

Services, cloud, and security

The digital dashboard will also come under scrutiny again in 2018-19, this time to ascertain whether agencies have made the best use of the information in the dashboard to improve their IT project management and procurement processes.

That year will also see audits performed on the effectiveness and efficiency of IT shared services arrangements, specifically state shared services provider CenITex.

The agency has had a chequered past, narrowly escaping being sold off to the private sector in 2015, and more recently being restructured to focus on cloud computing and resourcing late last year. It provides services to six of seven Victorian government portfolios and several other government organisations.

Now the auditor wants to know whether CenITex is delivering "cost-effective solutions and high-quality service that meets agencies’ expectations".

The resilience of agencies against cyber security attacks will also be reviewed, given multiple previous adverse findings against the state government's cyber security posture.

"Our previous audit reports have found that Victorian government agencies may be exposed to cyber attacks, primarily because of inadequate ICT security controls and immature operational processes," the audit office wrote.

"Agencies had a low level of awareness of how their ICT systems would likely perform if subjected to a cyber attack.''

The audit office wants to find out whether agencies have upped their game and are now properly adhering to the Australian Signals Directorate's top four strategies to mitigate cyber intrusion. It will also audit how effective the protective data security framework and protective data security and standards released by the state privacy commissioner last year have been.

The final IT focus for 2018-19 will be on data sharing within government around family violence information. 

Across 2019-2020, the audit office will turn its focus to digital service delivery as well as cloud computing.

An audit will be undertaken into whether the government has managed to reduce transaction costs, improve customer experience, and protect digital information received during online transactions as part of its digital delivery mandate.

Its whole-of-government IT strategy released last year identified a need to move to digital channels for simple, high-volume government transactions, and $81 million was put aside in the 2016-17 state budget for this effort.

"Customer experience is key in realising the intended benefits of digital service delivery. In addition, cyber security contributes significantly to citizen’s confidence in the digital delivery of government services," the audit office said.

The 2016-2020 IT strategy also highlighted plans to develop standards and procurement models that would make it easier for agencies to access cloud services.

The audit office now wants to find out how well the public sector is actually using cloud services in terms of business value, as well as how well it is managing risks.

"The use of cloud computing is increasing across government— it has the potential to deliver major benefits and opportunities, including reducing costs and increasing agencies’ agility and flexibility when they establish and scale their systems and services to meet changing demands," the audit office wrote.

"[But] unless agencies identify and manage risks, cloud computing could have adverse impacts that may significantly diminish the benefits. Key issues includes procurement, contract management and risk management, which could lead to breaches of the law, unforeseen costs, compromised services to Victorians, and reputational damage to government."

The audit office will also look at whether agencies are adopting cloud solutions for new and refreshed ICT systems, in line with the government’s IT strategy.