Report 27: 2019-20

Information Systems Audit Report 2020 – Local Government Entities

General computer controls – What we found

Capability maturity model assessment results

None of the local government entities we reviewed met our expectations across all control categories.

Entities did not have adequate controls to effectively manage information security, change management, IT operations, physical security and continuity of business. Poor controls in these areas left systems and information vulnerable to misuse and could impact critical services provided to the public. We have included specific case studies that provide more detail where we identified weaknesses in controls that could potentially compromise entities’ systems.

Figure 5 shows the results of our capability assessments across all 6 control categories for the 10 entities we assessed.

Source: OAG
Figure 5: Capability maturity model assessment results

Information system controls

We reported information system control weaknesses identified during our GCC audits to local government entities in management letters. We identified 150 GCC control weaknesses across 10 entities: 9% of the weaknesses were rated as significant (requiring prompt action), 75% as moderate (which should be addressed as soon as possible) and the remaining 16% as minor. Nearly half of all issues related to information security, which was also the category with the most significant findings.

Management letters issued to entities contained all the findings. However, we removed sensitive technical details which, if made public, could increase the risk of cyber-attacks for those entities. We reported these details separately through confidential letters to each local government entity to assist them in addressing the weaknesses. Entities generally agreed to implement the recommendations included in our management letters.

Figure 6 summarises the distribution of the significance of our findings across the 6 control categories.

While the majority of our findings are rated as moderate, a combination of these issues can leave entities with more serious exposure to risk.

Source: OAG
Figure 6: Distribution of ratings for GCC findings in each control category we reviewed 

Information security

Good information security practices are critical to protect the information held in key financial and operational systems from accidental or deliberate threats and vulnerabilities.

We found that all 10 local government entities need to improve their practices for managing information security, with no entity meeting our benchmark. We reported 72 information security issues, nearly half of all the issues we found. It is concerning that 11 were rated as significant requiring prompt attention, as they seriously exposed the entity’s systems and information to misuse.

Several entities had not clearly defined roles and responsibilities for information security. This, coupled with a lack of appropriate policies and practices, meant their approach towards security was inconsistent and ad-hoc.

A common weakness we found at most entities was a lack of processes to identify and patch security vulnerabilities in systems and ICT infrastructure. Our vulnerability scans of key entity systems identified a range of critical and high severity vulnerabilities which had not been patched. These left the systems open to compromise. Our better practice guidance at Appendix 1 provides practical information to help entities manage their vulnerabilities.

The following case studies were selected to highlight the risks to entity information from systems not regularly being patched and inadequate access controls, including remote access.

Source: OAG
Figure 7: Poor vulnerability management leaves an entity exposed to cyber attacks

Source: OAG
Figure 8: Lack of controls to manage the rates and infringement system

Source: OAG
Figure 9: Internet accessible systems lack controls

Business continuity

Good continuity planning helps ensure that key business functions and processes are restored promptly after a disruption. Business continuity and disaster recovery plans should be regularly tested. This minimises the risk of extended outages which could disrupt the delivery of important services.

We found that 7 of the 10 audited entities did not have up-to-date business continuity and disaster recovery arrangements in place. Some plans had not been updated since 2013 and may not reflect current business practices and IT infrastructure. As a result, in the event of a disruption or disaster, entities may not be able to restore and continue business processes and functions.

Weaknesses in business continuity and disaster recovery planning could have a serious impact on the critical services local government entities deliver to the public. To ensure business continuity, entities should have an up-to-date business continuity plan, disaster recovery plan and incident response plan. The business continuity plan defines and prioritises business critical operations and therefore determines the resourcing and focus areas of the disaster recovery plan. The incident response plan needs to consider potential incidents and detail the immediate steps to ensure timely, appropriate and effective response.

Management of IT risks

Six of the 10 local government entities we reviewed had good policies and procedures for managing IT risks. This was the control category where entities performed best. However, some common weaknesses at the other 4 included:

  • a lack of risk management policies
  • inadequate processes to review and report risks to senior management
  • no risk registers for ongoing monitoring.

All entities should have risk management policies and practices that identify, assess and treat risks affecting key business objectives. Entities should be aware of the nature of risks associated with IT and have appropriate risk management policies and practices such as risk assessments, registers and treatment plans.

Without appropriate IT risk policies and practices, threats may not be identified and treated within reasonable timeframes. When risks are not identified and treated properly, entities may not meet their business objectives.

IT operations

Only 2 of the 10 entities had adequately defined their requirements for IT service levels and allocated sufficient resources to meet these requirements. IT operations include day-to-day tasks designed to keep services running, while maintaining data integrity and the resiliency of IT infrastructure. In this area, we tested whether entities had formalised procedures and monitoring controls to ensure processes were working as intended.

Common weaknesses we found included:

  • a lack of asset registers to track and monitor IT equipment which may lead to assets being lost or stolen and unintentional disclosure of information
  • inadequate processes to ensure compliance with software licensing agreements. This could result in penalties for breaching licensing arrangements
  • a lack of service level agreements with IT vendors and poor contract management practices leading to inadequate oversight of vendors or paying for services not provided
  • inadequate retention and management of event logs. This means entities cannot track or identify malicious activities, nor can they investigate them
  • a lack of access reviews which could result in inappropriate access.

Without appropriate IT strategies and supporting procedures, IT operations may not be able to respond to business needs and recover from errors or failures.

The following case studies highlight the risk to entities when devices and their events are not regularly monitored, and assets are not effectively managed.

Source: OAG
Figure 10: Importance of regularly reviewing log events

Source: OAG
Figure 11: Unauthorised disclosure of entity information

Source: OAG
Figure 12: Increased risk of network compromise

Change control

We found that only 2 of 10 entities had appropriate processes to implement changes in their IT systems and infrastructure. We reviewed whether changes to systems were authorised, tested, implemented and recorded in line with management’s intentions. Weaknesses we found included:  

  • a lack of formal system change management procedures. This increases the risk that changes, including those that may be harmful to systems and information, could be implemented without assessment
  • no records of changes made to critical systems. This would make it difficult to investigate incidents that may have been caused by changes.

If changes are not controlled, they can compromise the security and availability of systems. As a result, systems will not process information as intended and entities’ operations and services may be disrupted. There is also a greater chance that information will be lost and access given to unauthorised people.

We expected entities to have formal policies and procedures to ensure changes were risk assessed, tested, sufficiently documented and authorised prior to being implemented. This helps to ensure that changes to systems are consistent and reliable.

Physical security

Over half of the entities (6 of 10) did not have appropriate controls to protect their IT systems and infrastructure against environmental hazards and unauthorised access to server rooms. This means entities are at increased risk of unauthorised access and failure of information systems.  

The following case study shows issues commonly faced by entities.

Source: OAG
Figure 13: Information systems at risk of disruption
