Victorian government unprepared for ICT security breaches: audit

Major Victorian government agencies have failed to apply policy, standards and protection mechanisms to ensure the ICT system security and couldn’t even detect if their public systems were compromised, according to a damning Victorian Auditor-General’s report that identified 58 major information-security problems in the state’s security defences.

The findings of the audit are a damning indictment of the state’s information-security controls which, Victorian Auditor-General John Doyle reports, are suffering from nine critical and 49 medium-level risks related to information systems.

Furthermore, Doyle found, the lack of follow-up actions in the wake of a cyber-security alert means there would be “no coordinated understanding of the threat or its impact across the state’s public sector ICT systems….Central agencies do not conduct follow-up actions after a cyber alert is disseminated.”

The Victorian Auditor-General’s Office (VAGO), which examined the whole of Victorian government (WoVG) Information Security Management Framework, examined cyber-security policies and systems of 11 state WoVG agencies – seven of the state’s 20 ‘inner WoVG agencies’ and four ‘outer WoVG’ agencies.

Inner-WoVG agencies are required to comply with existing information-security policy and frameworks, such as the Australian Signals Directorate’s (ASD’s) Top 4 Strategies to Mitigate Targeted Cyber Intrusions, which are said to be able to prevent at least 85 percent of cyber-attacks.

All four strategies, however, were “poorly implemented” within both inner-WoVG and outer-WoVG agencies.

“All agencies had undertaken penetration testing of their ICT systems but there was little evidence that they tested all of their systems and there were multiple instances of testing being too narrowly scoped,” the report noted. “Most commonly, agencies did not maintain software patches adequately and continued to operate unsupported and therefore vulnerable systems.”

Outer-WoVG agencies have no obligation to follow existing information-security policy and frameworks. The audit found that only one of the four outer-WoVG agencies had considered existing government policy and standards; however, all four had used the ISO 27000 series of standards when developing their own informaiton-security policies.

VAGO’s inquiry included conducting penetrating testing of many of the systems, which identified “well over 100 breaches and lapses in information security practice.” Although some agencies had previously conducted penetration testing on their systems, VAGO found that “there were multiple instances where previously identified problems were not being remediated.”

“Overall,” Doyle writes, “the audit found there was a low level of awareness of how each agency’s ICT systems would likely perform if subjected to a cyber attack.”

The lack of a central body to provide “appropriate and timely information about the status of cyber-threats” was noted as a weakness of the state government’s ICT security response, with agencies typically reporting serious cyber-security breaches to the Australian Signals Directorate – but not to the Department of State Development, Business and Innovation (DSDBI) or the Department of Premier and Cabinet (DPC).

Doyle noted some progress, in the form of the 31 October passage of the Emergency Management Bill 2013 – which establishes a State Crisis and Resilience Council that mobilises leadership roles within DSDBI and DPC.

Doyle also singled out the recent announcement by the state government that it will develop a new cyber-security strategy to clarify lines of accountability and governance structures within the state’s public sector.

Such structures were conspicuously absent in the audit, but on the back of direct correspondence from Doyle many government agencies have already responded with “practical time frames for addressing the remainder”. In the future, Doyle indicated, he would follow up on agencies’ progress addressing the issues in the report.

VAGO’s recommendations:

The Department of State Development, Business and Innovation should:

1. Send the information security management policy to government for formal consideration.

2. Amend information security policy and standards to include those outer WoVG agencies operating information and communications technology systems that have an aggregate high transaction value critical to state revenue, systems critical to public safety, or systems holding sensitive personal data with potential value to third parties.

3. Require WoVG agencies to report any variations between the information security standards and their agency information security management frameworks, that have been approved by their agency head, as part of the annual information security management framework self assessment reporting process.

4. Require that each agency information security management framework self-assessment report includes a statement of compliance addressing all self-assessment report deficiencies.

5. Develop processes for outer WoVG agencies to be included in relevant briefings and information security forums, and to be provided with advice and assistance outside of the WoVG Chief Information Officers Council.

6. Improve the current information security management framework self assessment report template to ensure a more comprehensive outcome.

Departments and agencies included in this audit should:

7. Take a more rigorous approach to completing their annual information security management framework self assessment report.

8. Make sure their annual self-assessment reports reflect the true status and risk to agency business from any third party service provider they may use.

The Department of Premier and Cabinet, and the Department of State Development, Business and Innovation should:

9. Confirm their respective roles and responsibilities for information security once the Emergency Management Bill 2013 is enacted.

10. Confirm that briefings on cyber threats will be made to the State Crisis and Resilience Council by the Department of State Development, Business and Innovation as the agency with primary responsibility for WoVG information and communications technology, and that the State Crisis and Resilience Council will in turn recommend briefings for ministers as appropriate.

The Department of State Development, Business and Innovation should:

11. Arrange for a cyber alert subscription service to be available to every government agency from a suitable provider.

12. Develop and implement a process for maintaining a register of all IP addresses in use by public sector departments and agencies.

Departments and agencies included in this audit should:

13. Implement appropriate action to maintain the accuracy of their IP address information with the Asia Pacific National Internet Centre.

All public sector agencies in Victoria should:

14. Review the Australian Signals Directorate Top 4 Strategies to Mitigate Targeted Cyber Intrusions, and implement these practices as a matter of urgency.

15. Retain responsibility for managing and allocating passwords if third party service providers are used.

16. Review the patching guidelines published on the Australian Signals Directorate’s website and develop, implement or review their patching strategy.