Information Systems Audit Report 2018

Audit findings

Our capability maturity model assessments show that agencies need to establish better controls to manage information security, business continuity, IT risks and IT operations. Figure 1 summarises the results of the capability assessments across all categories for the 40 agencies assessed. We expect agencies to rate a level 3 (Defined) or better across all the categories.

Figure 1 - Table 2 - Capability maturity model

The results for information security and business continuity show improvement; however, it remains of concern that only half or fewer of agencies had adequate controls in these areas.

Of the agencies we review every year, only 2 have consistently demonstrated good management practices across all areas assessed:

  • Department of the Premier and Cabinet (5 years at level 3 or higher)
  • Racing and Wagering Western Australia (4 years at level 3 or higher).

Information security

Only 50% of agencies met our benchmark for effectively managing information security in 2017. This result was last achieved in 2011 with results declining up to 2016. It is clear from the basic security weaknesses we identified that many agencies are lacking some important and fundamental security controls needed to protect systems and information. The trend across the last 10 years shows little change on average and we expect agencies to improve controls regarding information security.

We assessed whether agency controls were administered and configured to appropriately restrict access to programs, data, and other information resources.

Figure 2 - Information security

Weaknesses we found included:

  • information security policies did not exist, were out of date or not approved
  • easy to guess passwords for networks, applications and databases, e.g. Password, Password1, guest or no password at all
  • applications and operating systems without critical updates applied
  • lack of processes to identify security vulnerabilities within IT infrastructure
  • no review of highly privileged application, database and network user accounts.

Information security is critical to protecting the integrity and reliability of key financial and operational systems against accidental or deliberate threats and vulnerabilities.

Specific examples where security weaknesses compromised agency information

Many agencies remain vulnerable to attacks from the internet and are at risk of being compromised. In 2017-18 we performed vulnerability assessments and reported thousands of security vulnerabilities on a small sample of key systems at agencies. Security issues ranged from weak passwords to software updates not being applied, malware infections, unauthorised access and disclosure of sensitive and confidential information.

We also performed tests that demonstrated agencies failed to detect the loss of information through the internet and were unaware of the risks. The following case studies demonstrate the risks to agency information when information is not securely managed.

Figure 5 - Default credentials could enable administrator level access

Business continuity

To ensure business continuity, agencies should have in place a business continuity plan (BCP), a disaster recovery plan (DRP) and an incident response plan (IRP). The BCP defines and prioritises business critical operations and therefore determines the resourcing and focus areas of the DRP. The IRP needs to consider potential incidents and detail the immediate steps to ensure timely, appropriate and effective response.

These plans should be tested on a periodic basis. Such planning and testing is vital for all agencies as it provides for the rapid recovery of computer systems in the event of an unplanned disruption affecting business operations and services. Senior executives should be monitoring that plans are developed and tested in accordance with the risk profile and appetite of the agency.

We examined whether plans have been developed and tested. Although we found a 10% improvement from last year, 63% of the agencies do not have adequate business continuity and disaster recovery arrangements in place. The trend over the last 10 years has shown agencies are not affording sufficient priority to disaster recovery and continuity.

Figure 6 - Business continuity

Weaknesses we found included:

  • no business continuity or DRPs
  • no incident management procedures
  • tolerable outages for critical systems not defined
  • old and redundant DRPs with some not reflecting current ICT infrastructure
  • DRPs never tested and agencies do not know if they can recover systems
  • backups never tested and not stored securely
  • uninterrupted power supplies not tested or not functional.

Without appropriate continuity planning there is an increased risk that key business functions and processes will fail and not be restored in a timely manner after a disruption. Disaster recovery planning will help enable the effective and timely restoration of systems supporting agency operations and business functions.

Management of IT risks

Seventy-two percent of agencies met our expectations for managing IT risks, a 36% improvement since the first assessment in 2008, reflecting improved management controls over IT risks.

Figure 7 - Management of IT risks

Weaknesses we found included:

  • no risk registers
  • risk management policies in draft or not developed
  • inadequate processes for identifying, assessing and treating IT and related risks
  • risk registers not maintained, for ongoing monitoring and mitigation of identified risks.

All agencies are required to have risk management policies and practices that identify, assess and treat risks that affect key business objectives. IT is one of the key risk areas that should be addressed. We therefore expect agencies to have IT specific risk management policies and practices such as risk assessments, registers and treatment plans.

Without appropriate IT risk policies and practices, threats may not be identified and treated within reasonable timeframes, thereby increasing the likelihood that agency objectives will not be met.

IT operations

The rating for performance of IT practices and the service levels provided to meet agencies' business needs decreased by 1% in 2017 to 75% compared to the previous year. However, there has been a steady improvement since 2011 when we first added this area to the CMM.

Effective management of IT operations is a key element for maintaining data integrity and ensuring that IT infrastructure can resist and recover from errors and failures.

We assessed whether agencies have adequately defined their requirements for IT service levels and allocated resources according to these requirements. We also tested whether service and support levels within agencies are adequate and meet good practice. Other tests included whether:

  • policies and plans are implemented and working effectively
  • repeatable functions are formally defined, standardised, documented and communicated
  • effective preventative and monitoring controls and processes have been implemented to ensure data integrity and segregation of duties.

Figure 8 - IT operations

Weaknesses we found included:

  • information and communication technology strategies not in place
  • lack of segregation of duties across finance, payroll and network systems
  • no logging of user access and activity and no reviews of security logs for critical systems including remote access and changes to databases with confidential information
  • former staff with access to agency networks and applications after termination
  • unauthorised devices can connect to networks, such as USBs and portable hard drives
  • lack of policies and procedures and weak governance over ICT operations
  • several agencies are running unsupported operating systems
  • asset registers not maintained and ICT equipment unable to be located.
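Three of the weaknesses listed in the information security and IT operations findings above (easy-to-guess or blank passwords, former staff retaining access after termination, and no review of highly privileged accounts) can be turned into a repeatable check over an account export. The script below is an added example and is not part of the report; the export format, its field names and the sample rows are constructed assumptions. For simplicity the constructed export carries plaintext passwords; a real audit would test the weak candidates against stored hashes with the system's own hash function.

```python
import csv
import io
from datetime import date

# Constructed sample export (assumed format, not from the report): one row per account.
SAMPLE_EXPORT = """\
username,enabled,privileged,password,termination_date,last_privilege_review
jsmith,yes,no,C0rrect-Horse!,,
admin,yes,yes,Password1,,2016-03-01
dbsvc,yes,yes,,,2018-01-15
mjones,yes,no,Summer2017,2017-11-30,
guest,yes,no,guest,,
"""

# Weak values quoted in the report's own findings, plus the blank password.
WEAK_PASSWORDS = {"password", "password1", "guest", ""}


def audit_accounts(export_text, today, review_max_days=365):
    """Return (username, finding) tuples for each control weakness detected."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        user = row["username"]
        enabled = row["enabled"].strip().lower() == "yes"
        # Easy-to-guess or blank password (case-insensitive match on the denylist).
        if row["password"].strip().lower() in WEAK_PASSWORDS:
            findings.append((user, "weak or blank password"))
        # Account still enabled after the recorded termination date.
        term = row["termination_date"].strip()
        if enabled and term and date.fromisoformat(term) < today:
            findings.append((user, "former staff member still has an enabled account"))
        # Highly privileged account never reviewed, or reviewed too long ago.
        if row["privileged"].strip().lower() == "yes":
            reviewed = row["last_privilege_review"].strip()
            stale = not reviewed or (today - date.fromisoformat(reviewed)).days > review_max_days
            if stale:
                findings.append((user, "privileged account not reviewed within review period"))
    return findings


def run_sample_audit():
    """Run the checks over the constructed export as at a fixed audit date."""
    return audit_accounts(SAMPLE_EXPORT, today=date(2018, 6, 30))


if __name__ == "__main__":
    for user, finding in run_sample_audit():
        print(f"{user}: {finding}")
```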

These types of findings can mean that service levels from computer environments may not meet business requirements or expectations. Without appropriate ICT strategies and supporting procedures, ICT operations may not be able to respond to business needs and recover from errors or failures.

Change control

We examined whether system changes are appropriately authorised, implemented, recorded and tested. We reviewed any new applications acquired or developed to evaluate consistency with management’s intentions. We also tested whether existing data converted to new systems was complete and accurate. 

Change control practices have slowly been improving since 2008, with 34 out of the 40 agencies achieving a level 3 or higher rating.

Figure 9 - Change control

Weaknesses we observed included:

  • no formal system change management policies in place
  • changes to critical systems not logged or approved
  • no documentation regarding changes made to systems and critical devices
  • risk assessments for major changes to infrastructure not performed.

An overarching change control framework is essential to maintaining a uniform standard change control process and to achieving better performance, reduced time and staff impact and increased reliability of changes. When examining change control, we expect defined procedures are used consistently for changes to IT systems. The objective of change control is to facilitate appropriate handling of all changes.

There is a risk that without adequate change control procedures, systems will not process information as intended and agencies’ operations and services will be disrupted. There is also a greater chance that information will be lost and access given to unauthorised persons.

Physical security

We examined whether computer systems were protected against environmental hazards and related damage. We also determined whether physical access restrictions are implemented and administered to ensure that only authorised individuals have the ability to access or use computer systems.

Thirty-six of the 40 agencies met our expectations for the management of physical security. This continues to be a generally well controlled area.

Figure 10 - Physical security

Weaknesses we observed included:

  • no restricted access to computer rooms for staff, contractors and maintenance
  • power generators in the event of power failure not tested
  • no fire suppression system installed in the server room.

Inadequate protection of IT systems against various physical and environmental threats increases the potential risk of unauthorised access to systems and information and system failure.

The majority of our findings require prompt action

Figure 11 provides a summary of the distribution of significance of our findings. It shows that the majority of our findings at agencies are rated as moderate. This means that the finding is of sufficient concern to warrant action being taken by the entity as soon as possible. However, it should be noted that combinations of issues can leave agencies with more serious exposure to risk.

Figure 11 - Distribution of ratings for the GCC findings