
Information Systems Audit Report 2019

General computer controls and capability assessments

Introduction

The objective of our general computer controls (GCC) audits is to determine whether computer controls effectively support the confidentiality, integrity, and availability of information systems. General computer controls include controls over the information technology (IT) environment, computer operations, access to programs and data, program development and program changes. In 2018 we focused on the following 6 control categories:

  • information security
  • business continuity
  • management of IT risks
  • IT operations
  • change control
  • physical security.

Conclusion

We reported 547 general computer controls issues to the 47 state government entities audited in 2018 compared with 539 issues at 47 entities in 2017.

There was a small increase in the number of entities that met our expectations across all 6 control categories. Thirteen entities met our expectations, compared with only 10 in 2018.

While system change controls and physical security are managed effectively by most entities, fewer entities met our expectations in these categories in 2018. The 2 categories of information security and business continuity continue to show little improvement over the last 11 years. We saw an increase in the number of entities with defined business continuity controls, but half of the entities we reviewed still do not manage this area well. The majority of issues we identified can be easily addressed with better information security management and by keeping processes to recover data and operations in the event of an incident up to date.

By not prioritising the security and continuity of information systems, entities risk disruption to the delivery of vital services to the community and compromise the confidentiality and integrity of the information they hold. Embedding a security culture across all levels of an organisation is essential to building a cyber and information security aware workforce.

Background

We use the results of our GCC work to inform our capability assessments of entities. Capability maturity models are a way to assess how well developed and capable the established IT controls are. The model provides a benchmark for entity performance and means for comparing results from year to year.

The model we have developed uses accepted industry good practice as the basis for assessment. Our assessment of GCC maturity is influenced by various factors. These include: the business objectives of the entity; the level of dependence on IT; the technological sophistication of their computer systems; and the value of information managed by the entity.

Audit focus and scope

We conducted GCC audits at 47 state government entities. This is the eleventh year we have assessed entities against globally recognised good practice.

We provided 39 of the 47 entities with capability assessments and asked them to complete and return the forms at the end of the audit. We then met with each of the entities to compare their assessment and ours, which was based on the results of our GCC audits. Five entities, whose GCC audits were outsourced, were not included in the capability assessment. Three other entities are also not included as detailed work was not performed at these entities as a result of Machinery of Government changes.

We use a 0-5 rating scale[1] to evaluate each entity’s capability maturity level in each of the GCC control categories. The model provides a baseline for comparing entity results from year to year. We have included specific case studies where information security weaknesses potentially compromise entities’ systems.

[1] The information within this maturity model assessment is based on the criteria defined within the Control Objectives for Information and related Technology (COBIT) manual.

Level 0 (Non-existent): Management processes are not applied at all. Complete lack of any recognisable processes.

Level 1 (Initial/ad hoc): Processes are ad hoc and the overall approach to management is disorganised.

Level 2 (Repeatable but intuitive): Processes follow a regular pattern where similar procedures are followed by different people with no formal training or standard procedures. Responsibility is left to the individual and errors are highly likely.

Level 3 (Defined): Processes are documented and communicated. Procedures are standardised, documented and communicated through training. Processes are mandated, however it is unlikely that deviations will be detected. The procedures themselves are not sophisticated but are the formalisation of existing practices.

Level 4 (Managed and measurable): Management monitors and measures compliance with procedures and takes action where appropriate. Processes are under constant improvement and provide good practice. Automation and tools are used in a limited or fragmented way.

Level 5 (Optimised): Good practices are followed and automated. Processes have been refined to a level of good practice, based on the results of continuous improvement and maturity modelling with other enterprises. IT is used in an integrated way to automate the workflow, providing tools to improve quality and effectiveness, making the entity quick to adapt.

Source: OAG
Table 1: Rating scale and criteria

Audit findings

Our capability maturity model assessments show that entities need to establish better controls to manage information security, business continuity and IT risks. Figure 1 summarises the results of the capability assessments across all 6 control categories for the 39 entities we assessed. We expect entities to achieve a level 3 (Defined) rating or better across all the categories.

The percentage of entities rated level 3 or above for individual categories was as follows:

The 2018 results show a decline in 4 of the 6 categories. Business continuity continued to show improvement, however, it is still of concern that only half of the entities were adequately controlled in this area.

Of the entities we review every year there are only 4 that have consistently demonstrated good practices across all control categories assessed:

  • Department of the Premier and Cabinet (6 years at level 3 or higher)
  • Racing and Wagering Western Australia (5 years at level 3 or higher)
  • Western Australian Land Information Authority (3 years at level 3 or higher)
  • Curtin University (3 years at level 3 or higher).

Information security

Only 47% of entities met our benchmark for effectively managing information security in 2018. This represents a 3% decline from 2017. It is clear from the basic security weaknesses we identified that many entities lack some important security controls needed to protect systems and information. The trend across the last 11 years shows little improvement in entities’ controls to manage information security.

We assessed whether entity controls were administered and configured to appropriately restrict access to programs, data, and other information resources.

Note: Green represents the percentage of entities that met the benchmark and red represents the entities that did not meet the benchmark.

Weaknesses we found included:

  • information security policies did not exist, were out of date or not approved
  • intrusion detection/prevention system not configured leaving exposures
  • lack of processes to upskill staff in information security
  • no review of highly privileged application, database and network user accounts
  • lack of processes to identify and rectify security vulnerabilities within IT infrastructure
  • no information security awareness programs for staff
  • easy to guess passwords for networks, applications and databases, e.g. Password, Password1.

Information security is critical to maintaining the integrity and reliability of information held in key financial and operational systems, and protecting them from accidental or deliberate threats and vulnerabilities.

The following case studies demonstrate the risks to entity information when information is not securely managed.

Critical vulnerabilities not addressed

In 2017-18 we performed vulnerability assessments and reported thousands of security vulnerabilities on a small sample of key systems at entities.

At one entity we found that network and IT systems were vulnerable due to lack of anti-malware and intrusion detection/prevention controls, and missing security patches. The entity had also not patched WannaCry vulnerabilities for over 5 months, and did not have a process to patch Linux environments with missing patches dating back to 2013.

Without an effective process to identify, assess and address relevant vulnerabilities in a timely manner there is an increased risk that systems will not be adequately protected against potential threats. These vulnerabilities could be exploited and result in unauthorised access to IT systems and information.

Figure 3: Vulnerabilities expose entity systems

Multifactor authentication is not implemented

Many entities access critical systems hosted in the cloud, including payroll and financial, over the internet without requiring additional controls such as multifactor authentication. Multifactor authentication adds a layer of security and is a good safeguard against unauthorised access to systems and information.

We also found some entities did not require multifactor authentication for remote access into their network and IT systems, increasing the risk of unauthorised access to entity IT systems and information.

Figure 4: Internet accessible systems lack controls

Passwords stored in plain text

At one entity we found passwords stored in plain text on the shared network drive. These included database and server account credentials for a critical system.

A malicious user could read these credentials to gain unauthorised access to entity information. As a good practice, passwords should not be stored in plain text.

Figure 5: Storing passwords in plain text allows unauthorised access to systems
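One way an entity can find credentials like those described in this case study before a malicious user does is to scan its shared drives for credential-like text. The following is an added example, not part of the audit report; the file layout, file names and detection patterns are constructed for illustration and would need tuning to an entity's own conventions.

```python
"""Scan a shared-drive tree for files that appear to hold plaintext credentials.

Added example (not from the audit report). The patterns and sample files below
are constructed for illustration.
"""
import os
import re
import tempfile
from pathlib import Path

# Constructed patterns for common ways credentials end up in text files:
# key/value lines (also covers ODBC/JDBC connection strings) and URLs with
# an embedded password (scheme://user:secret@host).
CREDENTIAL_PATTERNS = [
    re.compile(r"(?i)\b(password|passwd|pwd)\s*[=:]\s*\S+"),
    re.compile(r"(?i)\b[a-z][a-z0-9+.-]*://[^/\s:]+:[^@\s]+@"),
]
# Only plain-text file types are inspected; binary formats are skipped.
TEXT_SUFFIXES = {".txt", ".ini", ".cfg", ".conf", ".xml", ".properties",
                 ".csv", ".ps1", ".bat", ".sh"}


def scan_file(path):
    """Return the line numbers in one file that match a credential pattern."""
    hits = []
    try:
        with open(path, "r", encoding="utf-8", errors="ignore") as fh:
            for lineno, line in enumerate(fh, 1):
                if any(pat.search(line) for pat in CREDENTIAL_PATTERNS):
                    hits.append(lineno)
    except OSError:
        pass  # unreadable file: skip rather than abort the whole scan
    return hits


def scan_tree(root):
    """Walk the tree; return {posix relative path: [line numbers]} for files with hits."""
    root = Path(root)
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if path.suffix.lower() not in TEXT_SUFFIXES:
                continue
            lines = scan_file(path)
            if lines:
                findings[path.relative_to(root).as_posix()] = lines
    return findings


def demo():
    """Build a constructed sample share in a temp dir, scan it, return the findings."""
    root = Path(tempfile.mkdtemp())
    (root / "finance").mkdir()
    (root / "finance" / "db_connect.txt").write_text(
        "Server=finsql01;Database=payroll;User Id=svc_payroll;Password=Password1;\n")
    (root / "it").mkdir()
    (root / "it" / "backup.ini").write_text("[backup]\nhost = bk01\npassword: S3cret!\n")
    (root / "it" / "deploy.conf").write_text("db_url = postgres://app:hunter2@dbhost/app\n")
    (root / "it" / "readme.txt").write_text("Change the password quarterly.\n")  # no value: not a hit
    return scan_tree(root)


if __name__ == "__main__":
    for rel_path, lines in sorted(demo().items()):
        print(f"{rel_path}: credential-like content on line(s) {lines}")
```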

Continually raising staff awareness at all levels about information and cyber security issues is a proven way to embed good practice and security hygiene into everyday operations.

Business continuity

To ensure business continuity, entities should have in place an up to date business continuity plan (BCP), disaster recovery plan (DRP) and incident response plan (IRP). The BCP defines and prioritises business critical operations and therefore determines the resourcing and focus areas of the DRP. The IRP needs to consider potential incidents and detail the immediate steps to ensure timely, appropriate and effective response.

These plans should be tested on a periodic basis. Such planning and testing is important for the rapid recovery of computer systems in the event of an unplanned disruption to business operations and services. Senior executives should monitor that plans are developed and tested in accordance with the risk profile and appetite of the entity.

We examined whether plans had been developed and tested. We found a 13% improvement from last year, however, 50% of the entities still did not have adequate business continuity and disaster recovery arrangements in place. The trend over the last 11 years has shown entities are not affording sufficient priority to disaster recovery and continuity.


Weaknesses we found included:

  • no BCPs or DRPs
  • tolerable outages for critical systems not defined
  • old and redundant DRPs with some not reflecting current ICT infrastructure
  • DRPs never tested and entities not knowing if they can recover systems
  • backups never tested and not stored securely
  • uninterrupted power supplies not tested or not functional.

Without appropriate continuity planning there is an increased risk that key business functions and processes will fail and not be restored in a timely manner after a disruption. Disaster recovery planning is essential to the effective and timely restoration of systems supporting entity operations and business functions.

Management of IT risks

Sixty-nine per cent of entities met our expectations for managing IT risks, a 33% improvement since our first assessment in 2008. Entities showed improved management controls over IT risks.

Weaknesses we found included:

  • risk management policies in draft or not developed
  • inadequate processes for identifying, assessing and treating IT and related risks
  • risk registers not maintained, for ongoing monitoring and mitigation of identified risks.

All entities are required to have risk management policies and practices that identify, assess and treat risks that affect key business objectives. IT is one of the key risk areas that should be addressed. We therefore expect entities to have IT specific risk management policies and practices such as risk assessments, registers and treatment plans.

Without appropriate IT risk policies and practices, threats may not be identified and treated within reasonable timeframes. This increases the likelihood that entity objectives will not be met.

IT operations

The number of entities whose IT practices and service level performance met their business needs increased 7% compared with the previous year. There has been a steady improvement since 2011, when we first added this area to the CMM.

Effective management of IT operations is key to maintaining data integrity and ensuring that IT infrastructure can resist and recover from errors and failures.

We assessed whether entities had adequately defined their requirements for IT service levels and allocated resources according to these requirements. We also tested whether service and support levels within entities were adequate and met good practice. Other tests included whether:

  • policies and plans were implemented and working effectively
  • repeatable functions were formally defined, standardised, documented and communicated
  • effective preventative and monitoring controls and processes had been implemented to ensure data integrity and segregation of duties.

Weaknesses we found included:

  • information and communication technology strategies not in place
  • lack of segregation of duties across finance, payroll and network systems
  • no logging of user access and activity and no reviews of security logs for critical systems
  • former staff with access to entity networks and applications after termination
  • lack of policies and procedures and weak governance over ICT operations
  • asset registers not maintained and ICT equipment unable to be located.

These types of findings can mean that ICT service delivery may not meet business requirements or expectations. Without appropriate ICT strategies and supporting procedures, ICT operations may not be able to respond to business needs and recover from errors or failures.

Change control

We examined whether system changes are appropriately authorised, implemented, recorded and tested. We reviewed any new applications acquired or developed to evaluate consistency with management’s intentions. We also tested whether existing data converted to new systems was complete and accurate.

Although we saw a 9% decrease in performance in this category, change control practices have slowly been improving since 2008, with over 70% of entities achieving a level 3 or higher rating.

Weaknesses we found included:

  • no formal system change management policies in place
  • changes to critical systems not logged or approved
  • changes to systems and critical devices not documented
  • no risk assessments performed for major changes to infrastructure.

An overarching change control framework is essential to ensuring a uniform change control process and reliability of changes, and to improving performance through reduced time and staff impact. When examining change control, we expect defined procedures to be used consistently for changes to IT systems. The objective of change control is to facilitate appropriate handling of all changes.

There is a risk that without adequate change control procedures, systems will not process information as intended and entities’ operations and services will be disrupted. There is also a greater chance that information will be lost and access given to unauthorised persons.

Physical security

We examined whether computer systems were protected against environmental hazards and related damage. We also reviewed whether physical access restrictions were implemented and administered to ensure that only authorised individuals had the ability to access or use computer systems.

Seventy-six per cent of entities met our expectations for the management of physical security. However, this represents a 14% decrease from 2017 in the number of entities that met our expectations for physical security.

Weaknesses we found included:

  • no reviews of staff and contractors’ access to computer rooms
  • backup power generators not tested
  • lack of humidity controls in server room
  • no fire suppression system installed in the server room.

Inadequate protection of IT systems against various physical and environmental threats increases the potential risk of unauthorised access to systems and information, and of system failure.

The majority of our findings require prompt action

Figure 11 summarises how we rated the significance of our findings. It shows that the majority of our findings were rated as moderate. This means that the finding is of sufficient concern to warrant action being taken by the entity as soon as possible. However, combinations of issues can leave entities with more serious exposures to risk.

Recommendations

  1. Information security
    Executive managers should:
    a) ensure good security practices are implemented, up to date, regularly tested, and enforced for key computer systems
    b) conduct ongoing reviews of user access to systems to ensure they are appropriate at all times
    c) develop and implement mechanisms to continually raise information and cyber security awareness and hygiene among staff at all levels.
  2. Business continuity
    Entities should have an up to date business continuity plan, disaster recovery plan and incident response plan. These plans should be tested on a periodic basis.
  3. Management of IT risks
    Entities need to ensure that IT risks are identified, assessed and treated within appropriate timeframes and that these practices become a core part of business activities and executive oversight.
  4. IT operations
    Entities should ensure that they have appropriate policies and procedures in place for key areas such as IT risk management, information security, business continuity and change control. IT strategic plans and objectives should support entities’ strategies and objectives. The OAG recommends the use of standards and frameworks as references to assist entities with implementing good practices.
  5. Change control
    Change control processes should be well developed and consistently followed for changes to computer systems. All changes should be subject to thorough planning and impact assessment to minimise the occurrence of problems. Change control documentation should be current, and approved changes formally tracked.
  6. Physical security
    Entities should develop and implement physical and environmental control mechanisms to prevent unauthorised access or accidental damage to computing infrastructure and systems.
