1. As a matter of priority, agencies should address risks to security and continuity of business systems. In particular:
a. Information security
Executive managers should consider the ease with which systems could be compromised by referring to the case studies and should ensure good security practices are implemented, up‑to-date and regularly tested and enforced for key computer systems. Agencies should conduct ongoing reviews of user access to systems to ensure they are appropriate at all times.
b. Business continuity
Agencies should have a business continuity plan, a disaster recovery plan and an incident response plan. These plans should be tested on a periodic basis.
c. Management of IT risks
Agencies need to ensure that IT risks are identified, assessed and treated within appropriate timeframes and that these practices become a core part of business activities and executive oversight.
b. IT operations
Agencies should ensure that they have appropriate policies and procedures in place for key areas such as IT risk management, information security, business continuity and change control. IT strategic plans and objectives support the business strategies and objectives. The OAG recommends the use of standards and frameworks as references to assist agencies with implementing good practices.
c. Change control
Change control processes should be well developed and consistently followed for changes to computer systems. All changes should be subject to thorough planning and impact assessment to minimise the likelihood of problems. Change control documentation should be current, and approved changes formally tracked.
d. Physical security
Agencies should develop and implement physical and environmental control mechanisms to prevent unauthorised access or accidental damage to computing infrastructure and systems.