WA government agencies have been urged to bolster their information security and business continuity practices once again after more than 40 percent of agencies failed to meet minimum benchmarks.
In the state’s twelfth annual information systems audit, auditor-general Caroline Spencer said the two cyber security controls remained areas of concern for agencies, despite minor improvements over the last 12 months.
“Information security and business continuity showed little improvement, with many entities failing to meet the benchmark for minimum practice,” she said.
“This is of significant concern given the value of personal and corporate information entities hold.”
The report [pdf], released on Monday, assessed 50 agencies against six controls: infosec, business continuity, IT risk management, IT operations, change control and physical security.
It revealed a slight reduction in general computer control issues between 2018 and 2019, from 547 to 522, after an increase the year before.
The greatest improvement was in physical security, which saw a 13-point jump to 89 percent of agencies, followed by infosec, which improved by 10 points to 57 percent of agencies.
It represents the first time that the majority of agencies have met the auditor’s benchmark for information security since the audit reports began in 2008.
But despite these gains, the report said there was still room for improvement, particularly around infosec and business continuity, which “continue to be areas of concern”.
“Poor controls in these areas leave systems and information vulnerable to misuse and may impact critical services provided to the public,” the report states.
Infosec weaknesses include “inadequate or out-of-date” infosec policies, poor processes to identify and patch security vulnerabilities, and weak password controls.
In one instance, the audit office was able to use vulnerabilities in an agency’s finance system, which recently migrated to the cloud, to “obtain privileged access to all functions”. The system was also without appropriate audit trails.
“When combined, these weaknesses could result in a person inappropriately entering and approving an invoice for payment, modifying payee details to their own bank account and processing fictitious journals,” the audit states.
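The fraud path the audit describes depends on two missing controls: nobody stops the same user from both entering and approving an invoice, and payee bank-detail changes leave no audit trail. As an added example (not code from the audit report or from any WA agency system), the following Python sketch shows how a finance workflow enforces both. The class, user names, payee and account strings are all constructed for illustration.

```python
"""Maker-checker and append-only audit trail for an invoice workflow.

Constructed example: the ledger, users, payee and amounts are made up.
It demonstrates segregation of duties on invoice approval and a logged,
dual-control change of payee bank details.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional


class ControlViolation(Exception):
    """Raised when an action would breach a control."""


@dataclass
class Invoice:
    invoice_id: str
    payee: str
    amount: float
    entered_by: str
    approved_by: Optional[str] = None


@dataclass
class FinanceSystem:
    # Hypothetical in-memory store; a real system would persist all three.
    payee_accounts: dict = field(default_factory=dict)
    invoices: dict = field(default_factory=dict)
    audit_trail: list = field(default_factory=list)

    def _log(self, actor: str, action: str, **details) -> None:
        # Append-only: entries are added, never edited or removed.
        self.audit_trail.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "action": action,
            **details,
        })

    def change_payee_account(self, actor: str, approver: str,
                             payee: str, new_account: str) -> None:
        # Dual control: a bank-detail change needs an independent second
        # person, and the old and new values are always recorded, so a
        # redirected payment can be traced back to who changed it.
        if actor == approver:
            raise ControlViolation("payee changes require an independent approver")
        old = self.payee_accounts.get(payee)
        self.payee_accounts[payee] = new_account
        self._log(actor, "payee.account_changed", payee=payee,
                  old=old, new=new_account, approved_by=approver)

    def enter_invoice(self, actor: str, invoice_id: str,
                      payee: str, amount: float) -> Invoice:
        if payee not in self.payee_accounts:
            raise ControlViolation(f"unknown payee {payee!r}")
        inv = Invoice(invoice_id, payee, amount, entered_by=actor)
        self.invoices[invoice_id] = inv
        self._log(actor, "invoice.entered", invoice_id=invoice_id,
                  payee=payee, amount=amount)
        return inv

    def approve_invoice(self, actor: str, invoice_id: str) -> Invoice:
        inv = self.invoices[invoice_id]
        # Segregation of duties: whoever entered the invoice may not approve it.
        # The refused attempt is itself logged so reviewers can see it.
        if actor == inv.entered_by:
            self._log(actor, "invoice.approve.denied", invoice_id=invoice_id,
                      reason="same user entered and approved")
            raise ControlViolation("entered_by and approved_by must differ")
        inv.approved_by = actor
        self._log(actor, "invoice.approved", invoice_id=invoice_id)
        return inv


def demo():
    """Walk the audit's scenario through the controls; returns (system, blocked)."""
    fs = FinanceSystem()
    fs.change_payee_account("admin1", "admin2", "Acme Pty Ltd", "BSB-000-000/12345678")
    fs.enter_invoice("clerk1", "INV-1", "Acme Pty Ltd", 1200.0)
    try:
        fs.approve_invoice("clerk1", "INV-1")   # same person: must be refused
        blocked = False
    except ControlViolation:
        blocked = True
    fs.approve_invoice("manager1", "INV-1")     # independent approver: allowed
    return fs, blocked


if __name__ == "__main__":
    system, was_blocked = demo()
    print("self-approval blocked:", was_blocked)
    for entry in system.audit_trail:
        print(entry["actor"], entry["action"])
```

Running `demo()` shows the self-approval refused and every step, including the refused attempt and the payee change with its old and new account values, present in the audit trail; those are the records an auditor needs to reconstruct who did what.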
Robust controls around business continuity and disaster recovery were also highlighted as particularly important to address risk of large scale disruption brought about by pandemics or natural disasters.
Spencer said while agencies had shown improvement, many were not addressing audit findings quickly enough, resulting in persistent weakness “across all sectors and entities”.
“It is my view that entities need to be as vigilant in protecting their personal and corporate information, by implementing the same level of controls including monitoring and protection, as for other valuable assets, such as cash, bank account access and other physical assets,” she said.
Spencer also said agencies should improve “governance of outsourced IT arrangements” to ensure that outsourced systems meet security requirements.
“Entities were not consistently ensuring that the systems implemented by vendors meet expectations around security standards, architecture and functionality,” she said.
“With a global trend to outsource IT services, entities have an increasingly important responsibility for ensuring that external service providers follow better practices.”
The number of agencies that met all general computer controls increased from 13 to 15 between 2018 and 2019.
However, only four have consistently demonstrated good practice across all six controls: Landgate, the Department of the Premier and Cabinet, Curtin University and Racing and Wagering WA.