NSW BDM register has poor security controls
NSW’s Audit Office has uncovered “significant gaps” in the security controls protecting the state’s Births, Deaths and Marriages Register.
A new audit found that the controls in place within the state’s Department of Customer Service to prevent and detect unauthorised access to the register have deficiencies that must be addressed to ensure the integrity of information in the register.
Another significant shortcoming is the fact that the registry office has no direct oversight of the database environment which houses the register as it is provided by a third-party vendor.
The registry relies on this vendor to provide assurances over database security, the audit found.
While the vendor uses security controls that comply with international standards, neither the registry nor the Department of Communities and Justice (DCJ) have undertaken independent assurance of the effectiveness of these controls.
The audit did find that the registry has detailed procedures to ensure that information entered into the register is accurate and amendments are validated, including requiring a second staff member to approve a new registration.
The department also authorises access to the register and regularly reviews these access permissions.
But the department does not routinely actively monitor user activity in the register to identify unusual activity or fraud, including activity by Service NSW staff who have read-only access to the register.
There were also insufficient restrictions placed on the ability of staff to export and distribute information from the state’s LifeLink search facility, although the report notes that the registry has since commenced routine audits to address the risk of unauthorised access to, and misuse of, LifeLink data.
Finally, neither the registry nor DCJ was found to be regularly reviewing users who have access to the databases and related registry servers, nor were they monitoring user activity in these databases and servers, and there were deficiencies found in the passwords individuals use to access these servers.
NSW’s Auditor General has made nine recommendations aimed at strengthening these controls, including increased monitoring of individuals who have access to the register and strengthening security controls in place for the databases that contain the information in the register.
Specific recommendations include the introduction of regular fraud detection audits, regular monitoring of privileged and other user activity in the register, and reviews of users of the databases and related servers.
The Department of Customer Service (DCS) has also been urged to work with DCJ to ensure that passwords for users authorised to access the databases and servers comply with state government policies on password settings.
DCS has also been called on to undertake a risk-based analysis of the impact of gaps in the controls to prevent unauthorised user activity on the integrity of data within the register.
Building secure AI: a critical guardrail for Australian policymakers
While AI has the potential to significantly enhance Australia's national security, economic...
Building security-centric AI: why it is key to the government's AI ambitions
As government agencies test the waters of AI, public sector leaders must consider how they can...
State government agencies still struggling with securing user access
Audit reports have shown that Australian government agencies in four states experience challenges...