Western Australia’s new Office of the Government Chief Information Officer has complained to the state’s performance watchdog that it doesn’t have the resources to properly check whether or not agencies are securing their networks.
Auditor general Colin Murphy has urged the OGCIO to release its forthcoming whole-of-government security standards, after discovering persistent malware on the networks of a number of state agencies.
But the OGCIO has cautioned that the official standards will only go so far to fix the WA government’s porous information defences, which have attracted the auditor’s wrath on a number of occasions.
It has written to Murphy warning that “publishing a security policy only sets a standard”.
“There must be ongoing audits to measure compliance. That cannot be undertaken by the Office of the Government Chief Information Officer as we do not have the resources,” it said.
It’s not the first time the funding of the state’s much-touted top IT agency has been criticised.
In September a parliamentary committee reviewing the state’s IT approach questioned whether the young agency could reasonably achieve the “sweeping” technology reforms on its plate with just 15 full-time equivalent staff.
“The committee questions whether the WAGCIO in its current form will have the required capacity to discharge its many responsibilities in an effective manner going forward,” the report stated.
The OGCIO also complained that WA infosec is further hamstrung by a “significant skills gap in the public sector” when it comes to IT security.
After auditing the malware controls at six different large WA agencies, Murphy and his team raised concerns that some are relying on just one dedicated security staffer to implement and manage sprawling network defences.
“Some were fortunate to have more than one” employee, the report acknowledged, but most were risking their systems to “a single point of failure if these staff are absent, or leave the organisation”.
“In some agencies, the workload is simply too great for a single role.”
It said all six agencies it examined had downloaded malware in some form during the 12 days the WA audit office monitored their networks.
Two agencies showed signs of persistent infections, and one had an infection that lasted undetected for the full 12-day audit.
The audit office said its findings were conservative because of limitations of its monitoring capacity.
“It is therefore possible that there were more infections than we found in this audit,” the report warned.