Half of NSW councils lack IT security policy

Nearly half of NSW local councils lack an adequate information security policy and around one in four do not have an IT strategy or operational plan, a new audit has found.

The Audit Office of NSW’s latest report on local government for 2017, published on Friday, found that 66 of the state’s 140 councils do not have an adequate IT security policy.

User access controls at 38 councils are insufficient, staff at 35 councils have access to systems beyond what their job requires and 30 councils have weak password parameters for financial reporting systems, the audit found.

In a related finding, the audit found examples of inappropriate privileged access. IT, finance and senior management staff at 22 councils had inappropriate access to privileged council data, 56 councils had no review of access and usage for users with highly privileged systems access and 11 had highly privileged generic user accounts shared between staff and third-party contractors.

In addition, the audit identified nine councils where third parties had unrestricted and unmonitored access to council systems and data.

The report also identified issues with insecure or poorly controlled user-developed applications. It found that 22 councils are using spreadsheets for business operations, decision-making or financial reporting that are not adequately secured.

In terms of IT governance, 31 councils do not have an IT strategy or operational plan, and a further 16 have the latter but not the former.

This means that 24 councils have no formal IT policies and procedures covering IT security, change management, disaster recovery and/or business continuity.

Meanwhile, the report identified nine high-risk IT control deficiencies across seven councils related to the lack of user and privileged access controls or the use of user-developed applications. A further 201 moderate-risk issues and 42 low-risk issues were highlighted.

Finally, the audit found that 17 councils do not have a documented disaster recovery plan, while 15 do not periodically test their ability to restore backups of financial data.

Local Government NSW President Linda Scott welcomed the findings of the report.

“The report confirms what Local Government NSW and councils have been arguing for some time — the financial constraints under which many local councils operate mean they simply do not have the revenue to meet community needs, and especially to resolve infrastructure backlogs,” she said.

“LGNSW looks forward to continuing to work with the Auditor-General, the Office of Local Government and all our NSW councils to address the Auditor-General’s recommendations.”

Image credit: ©iStockphoto.com/Erik Khalitov

Please follow us and share on Twitter and Facebook. You can also subscribe for FREE to our weekly newsletter and quarterly magazine.