WA state entities still lack security controls

Western Australia’s Auditor General has issued another scathing report highlighting weak and inadequate information security controls across the state’s government entities.

According to the agency’s latest Information Systems Audit Report into state government entities, there remain significant shortcomings in these entities’ general computer controls.

Among the 50 state entities audited — 37 of which completed a self-assessment of their maturity capability level — only 15 were assessed as having mature general computer controls across all categories. But this was a slight improvement on 13 from the previous year’s audit.

But the report states that information security and business continuity showed little improvement from the previous audit, with many entities failing to meet the benchmark for minimum practice.

The audit found 522 general computer control (GCC) weaknesses across the 50 entities, a slight reduction from the 547 issues reported at 47 entities during 2018.

“However, entities are not addressing audit findings quickly, with 45% of the findings reported in 2019 relating to previously reported audit findings,” the report states.

In addition, 43% of entities lack controls to adequately manage information security and 46% still don’t have appropriate business continuity strategies.

The audit did find an increase in the percentage of entities ranked at level three or above on the five-level maturity scale improved across all categories apart from IT operations.

The proportion of entities assessing their information security controls to be at this stage grew from 47% to 57%, while the percentage for management of IT risks grew from 69% to 78%.

“The trend across the last 12 years shows slight improvement, but this is not enough to adequately address the risks associated with information security,” the audit states.

Weaknesses found included inadequate or out-of-date information security policies, a lack of training or information security awareness programs to staff, weak password controls without multifactor authentication and a lack of processes to identify and patch security vulnerabilities within IT infrastructure.

In one notable case, a cloud-based finance system was sitting on the cloud with weak default passwords and provided over 190 users — including 11 former employees and 16 vendor staff — access to sensitive information including bank account details.

In another case, the auditors found plain-text payment files used for processing EFT payroll payments to employees that could be accessed and modified by an excessive number of users.

Auditor General Caroline Spencer said the ongoing weaknesses in information security and business continuity are “of significant concern given the value of personal and corporate information entities hold”.

Image credit: ©stock.adobe.com/au/eyegelb