Oz Blog News Commentary

NSW Auditor-General not impressed by government agencies' cyber security risk management

January 11, 2018 - 00:15 -- Admin

“Specific financial reporting, controls and service delivery comments are included in the individual 2017 cluster financial audit reports tabled in Parliament from October to December 2017.” [NSW Auditor-General, Report on Internal Controls and Governance 2017, December 2017]

On 20 December 2017 the NSW Auditor-General released the Report on Internal Controls and Governance 2017.

The Sydney Morning Herald reported on 28 December 2017:

Two-thirds of NSW government agencies are failing to properly safeguard their data, increasing the risk of improper access to confidential information about members of the public and identity fraud by cyber criminals.

The finding has emerged from an audit of dozens of government agencies, including those holding highly sensitive personal information collected from millions of citizens, such as NSW Health, the department of education, NSW Police Force, Roads and Maritime Services and the justice department.

While the report by auditor-general Margaret Crawford does not name the agencies failing to properly manage privileged access to their systems, it highlights the potential consequences.

"Personal information collected by public sector agencies about members of the public is of high value to cyber criminals, as it can be used to create false identities to commit other crimes," she says in the report.

"Despite these risks, we found that one agency had 37 privileged user accounts, including 33 that were dormant. The agency had no formal process to create, modify or deactivate privileged users."

Overall, Ms Crawford's report found 68 per cent of NSW government agencies "do not adequately manage privileged access to their systems".

In addition, she said, the audit determined that 61 per cent of agencies "do not regularly monitor the account activity of privileged users".

"This places those agencies at greater risk of not detecting compromised systems, data breaches and misuse," the report said.

The audit found 31 per cent of agencies "do not limit or restrict privileged access to appropriate personnel". Of those, just one-third monitor the account activity of privileged users.

It found that almost one-third of agencies breach their own security policies on user access.

The report warns that if agencies fail to implement proper controls "they may also breach NSW laws and policies and the international standards that they reference".

Read the full article here.

List of NSW Government Agencies Examined by NSW Auditor-General

Education
  - Department of Education

Family and Community Services
  - Department of Family and Community Services
  - New South Wales Land and Housing Corporation

Finance, Services and Innovation
  - Department of Finance, Services and Innovation *
  - Place Management NSW
  - Property NSW
  - Service NSW

Health
  - NSW Health

Industry
  - Department of Industry
  - Destination NSW
  - Forestry Corporation of New South Wales
  - Office of Sport
  - TAFE Commission
  - Water NSW

Justice
  - Department of Justice
  - Fire and Rescue NSW
  - Legal Aid Commission of New South Wales
  - NSW Police Force
  - Office of the NSW Rural Fire Service

Planning and Environment
  - Department of Planning and Environment
  - Essential Energy
  - Hunter Water Corporation
  - Landcom
  - Office of Environment and Heritage
  - Office of Local Government
  - Sydney Water Corporation

Premier and Cabinet
  - Department of Premier and Cabinet

Transport
  - NSW Trains
  - Rail Corporation New South Wales
  - Roads and Maritime Services
  - Sydney Trains
  - Transport for NSW
  - WCX M4 PTY Limited
  - WCX M5 PTY Limited

Treasury
  - Crown Finance Entity
  - Insurance and Care NSW
  - Lifetime Care and Support Authority
  - NSW Treasury Corporation
  - NSW Self Insurance Corporation

* Specifically identified in report

Excerpt from Report on Internal Controls and Governance 2017:

Some deficiencies were common across agencies

The most common internal control deficiencies were poor or absent IT controls related to:
  - user access management
  - password management
  - privileged access management
  - user acceptance testing.

The most common governance deficiencies related to:
  - management of cyber security risks
  - capital project governance
  - management of shared service arrangements
  - conflicts-of-interest management
  - gifts-and-benefits management
  - risk management maturity
  - ethical behaviour policies and statements.