Eight years of issues as Western Australia's IT security systems come under scrutiny

“After doing this audit for eight years I am disappointed to see little or no improvement in controls year on year."
Colin Murphy - Auditor General, Western Australia

The Western Australia Auditor General has again identified weaknesses in the way many agencies manage IT systems across the state, claiming that over half are failing to meet standards.

The annual Information Systems Audit Report, a two-part report tabled in parliament, looked at general computer controls across 45 government agencies and the controls around five key business applications.

“After doing this audit for eight years I am disappointed to see little or no improvement in controls year on year and agencies not treating this matter with the seriousness it deserves,” Auditor General, Colin Murphy, said.

“Information security and business continuity have not improved, scores fluctuate year to year, but the trend remains flat.”

The general computer controls audit assessed 45 agency IT systems against six control categories: IT operations, management of IT risks, information security, business continuity, change control and physical security.

As outlined in the report, these controls are recognised as good practice and ensure computer systems are designed, configured and managed to preserve the confidentiality, integrity and availability of information.

The audit found more than half of the 45 agencies were not meeting the audit's benchmark in three or more of the control categories.

“Given these categories relate to the security of information and the availability of services, I am very concerned about the lack of progress,” Murphy added.

“Many of the weaknesses I consistently report are easy to remedy such as poor password management and ensuring data recovery processes are in place and updated in the event of an incident.

“I may have to look at ways to make agencies more accountable for IT weaknesses and it may include naming agencies not addressing or taking action to rectify concerns.”

Murphy said the audit of five key applications found that although the applications were working effectively, all had weaknesses, with the most common being poor policies, procedures and security.

“These weaknesses could affect service delivery and compromise the security of the thousands of sensitive records held in the applications,” Murphy explained.

Some of the weaknesses included easy-to-guess passwords, software updates not applied, failure to remove accounts belonging to former staff, and manual data entry, processing and manipulation.

Murphy said there are lessons in this report for all agencies, not just those audited, about the management of IT systems, and that if these are taken on board, the results of next year’s audit should be an improvement.

“Agencies are urged to take note of the findings and act on the recommendations to ensure the confidentiality and integrity of information,” he added.

“Many of the issues raised in the report are simple and inexpensive to correct and agencies should address those identified as soon as possible.”