This is the eleventh annual Information Systems Audit Report by my Office. The report summarises the results of the 2018 annual cycle of information systems audits, and application reviews completed by my Office since last year’s report.
The report contains important findings and recommendations to address common system weaknesses that can seriously affect the operations of government and potentially compromise sensitive information held by entities. All public sector entities should consider the relevance of the recommendations to their unique operations. The newly funded Office of Digital Government has an important role in supporting entities to address these weaknesses and improve their capability and cyber resilience.
The first section of the report contains the results of our audit of key business applications at 4 public sector entities. All 4 had weaknesses, the most common of which related to poor contract management, policies, procedures and information security.
When government outsources any ICT function, or buys cloud hosted applications, it remains responsible for identifying risks and ensuring appropriate functionality, security and availability controls are in place. Proper due diligence processes must be undertaken, when designing the contract and throughout the term of the contract, to ensure government gets the service it needs and the community expects. The potential effect of any weaknesses includes the compromise of sensitive information. Our Software as a Service (SaaS) better practice principles at Appendix 1 can assist entities in assessing whether to move to the cloud, choosing a provider and with ongoing contract management.
The second section presents the results of our general computer controls and capability assessments and I have identified 4 entities that have consistently demonstrated good practices over at least the past 3 years. I was pleased to find that 3 more entities were assessed this year as having mature general computer control environments across the 6 control categories of our assessment. However, the 2 categories of information security and business continuity continue to show little improvement in the last 11 years. Despite a slight increase in the number of entities assessed as having mature business continuity controls, half of the entities we reviewed still do not manage this area well.
Ensuring good security practices are implemented, enforced and regularly tested should be a focus and key responsibility for all entities’ executive teams. Continually raising staff awareness, at all levels, about information and cyber security issues is another proven way to embed good practice and security hygiene into everyday operations.