This is the tenth annual Information Systems Audit Report by my Office. The report summarises the results of the 2017 annual cycle of audits, plus an examination of passwords and application reviews completed by our Information Systems audit group since last year’s report.
The report is important because it reveals the common information system weaknesses we identified that can seriously affect the operations of government and potentially compromise sensitive information held by agencies. It also contains recommendations that address these common weaknesses and, as such, has a use broader than just the agencies we audited.
Common weaknesses across all our information systems audits indicate agencies are not taking risks to information systems seriously enough. Most of the issues raised can be easily addressed and it appears that risks are simply not properly understood. They are certainly not being effectively managed.
The first section in my report shows that agency systems are vulnerable as a result of weak passwords. We have demonstrated to agencies on many occasions how weak passwords are used to access information systems without detection. A pressing issue that must be acknowledged and addressed across the sector is for agencies’ executive management to engage with information security, instead of regarding it as a matter for their IT departments. The days of senior leaders not understanding information security and capability as a key business risk to be closely monitored and appropriately managed are over. The consequences to state service delivery, trust in the sector and institutional reputations are too great.
Our application reviews show that agencies also need to take the initiative and perform their own reviews to identify critical controls, inefficiencies, problems and potential solutions. An analysis of the people, processes, technology and data relevant to key IT applications would help management identify and manage risks.
In the third section of this report, I have identified 2 agencies that have consistently demonstrated good system management controls. Our results show improvements were made in 2017 across most areas. However, information security and business continuity remain a concern with only half or less of agencies performing to the expected level.