Report 13: 2021-22

Information Systems Audit Report 2022 – State Government Entities

This report summarises the results of the 2020-21 annual cycle of information systems audits for State government entities and tertiary institutions in the Western Australian public sector.

Auditor General’s overview

This report summarises the results of the 2020-21 annual cycle of information systems audits for State government entities and tertiary institutions in the Western Australian public sector. These audits were performed between February 2021 and February 2022.  

Global trends show more organisations are experiencing information and cybersecurity attacks. Compromise of supply chains, ransomware, and exploitation of vulnerabilities remain high. Government entities are not immune to these attacks as they deliver key services and hold valuable citizen data. As internal and external threats continue to evolve it is important that entities constantly improve the key controls that protect their information systems and IT environments from information and cybersecurity risks.

This year’s audits show many entities are still not addressing audit findings quickly, with nearly half of all findings previously reported remaining unresolved by the following year’s audit. It is also disappointing that many entities continue to have poor controls over information security. Only 50% of entities met our benchmark in this area, with no noticeable improvement from the previous year. These results contributed to the highest number of qualified opinions on financial statements, controls or key performance indicators ever reported by my Office in 2020-21¹. Effective general computer controls support entities to achieve their objectives and defend against information systems’ compromise and data breaches.

It is promising to see more entities this year met our benchmark consistently in all 6 general computer control categories, building on a positive trend: 9 entities did so, compared to 5 last year. To further help entities, we have modernised our capability maturity model for use in our 2022 audits. The new model builds upon the previous model and provides increased guidance on information and cybersecurity controls (Appendix 1).

I encourage entities to take note of the recommendations in this report as they work to improve their general computer controls, ensuring information security remains a heightened area of focus. Without constant effort in this area, entities will go backwards in their security environment, exposing their systems, their operations and citizen data to harm.

Introduction

This is our 14th report on the audits of State government entities’ general computer controls (GCC). The objective of our GCC audits is to determine whether entities’ computer controls effectively support the confidentiality, integrity and availability of information systems. These controls are important to protect information systems and IT environments from information and cybersecurity risks.

For 2020-21, we reported GCC findings to 54 State government entities (Table 1). We provided 36 of the 54 entities with capability maturity self-assessments. These assessments look at how well-developed and capable entities’ established IT controls are. We then compared their self-assessments with results from our GCC audits.

36 entities issued GCC findings and capability assessments:

  • Central Regional TAFE
  • Curtin University
  • Department of Biodiversity, Conservation and Attractions
  • Department of Communities
  • Department of Education
  • Department of Finance
  • Department of Jobs, Tourism, Science and Innovation
  • Department of Justice
  • Department of Local Government, Sport and Cultural Industries
  • Department of Planning, Lands and Heritage
  • Department of the Premier and Cabinet
  • Department of Primary Industries and Regional Development
  • Department of Training and Workforce Development
  • Department of Transport
  • Department of Treasury
  • Department of Water and Environmental Regulation
  • Disability Services Commission
  • East Metropolitan Health Service
  • Edith Cowan University
  • Health Support Services
  • Housing Authority
  • Western Australian Land Information Authority (trading as Landgate)
  • Lotteries Commission (trading as Lotterywest)
  • Commissioner of Main Roads
  • Murdoch University
  • North Metropolitan TAFE
  • North Regional TAFE
  • Racing and Wagering Western Australia
  • Rottnest Island Authority
  • South Metropolitan Health Service
  • South Metropolitan TAFE
  • South Regional TAFE
  • The University of Western Australia
  • WA Country Health Service
  • Police Service
  • Western Australian Tourism Commission

18 entities issued GCC findings only:

  • Animal Resources Authority
  • Botanic Gardens and Parks Authority
  • Department of Fire and Emergency Services
  • Department of Health
  • Electricity Generation and Retail Corporation (trading as Synergy)
  • Electricity Networks Corporation (trading as Western Power)
  • Kimberley Ports Authority
  • Mental Health Commission
  • North Metropolitan Health Service
  • Office of the Information Commissioner
  • PathWest Laboratory Medicine WA
  • Pilbara Ports Authority
  • Public Transport Authority of Western Australia
  • Water Corporation
  • Western Australian Land Authority
  • Western Australian Sports Centre Trust (trading as VenuesWest)
  • Western Australian Treasury Corporation
  • Zoological Parks Authority

Source: OAG
Table 1: State government entities issued GCC findings

The model we have developed for our audits is based on accepted industry better practice and considers various factors including the:

  • business objectives of the entity
  • level of entity dependence on IT
  • technological sophistication of entity computer systems
  • value of information managed by the entity.

We focused on the following 6 categories:

Source: OAG
Figure 1: GCC categories

Conclusion

We reported 526 GCC findings to 54 audited entities this year, compared to 553 findings at 59 entities last year. These findings continue to represent a considerable risk to the confidentiality, integrity and availability of entities’ information systems.

It is disappointing that 49% of this year’s audit findings were weaknesses unresolved from the previous year, compared to 42% unresolved last year. As internal and external threats continue to evolve it is important entities promptly address audit findings to protect their information systems and IT environments.

The 36 entities that had capability assessments improved their controls in 4 of the 6 categories, a similar finding to last year that continues a positive trend. However, information security is still our biggest area of concern, with no noticeable improvement from the previous year or from prior years. Half of the entities failed to meet our benchmark in this area and did not implement effective controls to protect their information systems. At 6 entities² control weaknesses were so pervasive and significant that their financial audit controls opinions were qualified.

What we found: General computer controls

In 2020-21, we reported 526 findings to 54 State government entities. Findings in the information security area accounted for 47% of the findings. These weaknesses leave entities’ information systems, data and IT environments exposed to vulnerabilities which may affect confidentiality, integrity and availability of systems and information.

Most identified weaknesses are rated as moderate (Figure 2) because they are of sufficient concern to warrant action being taken by the entity as soon as possible. However, combinations of moderate findings can expose entities to more serious risks.

Source: OAG
Figure 2: Ratings for GCC findings in each control category

What we found: Capability assessments

We conducted capability assessments at 36 State government entities.

We use a 0-5 rating scale³ (Figure 3) to evaluate each entity’s capability maturity level in each of the 6 GCC categories. We expect entities to achieve a level 3 (Defined) rating or better in each category.

Source: OAG
Figure 3: Rating scale and criteria

Figure 4 shows the results of our capability assessments across the 6 control categories⁴.

Source: OAG
Figure 4: Capability maturity model assessment results

The percentage of entities rated level 3 or above for individual categories was as follows:

Source: OAG
Table 2: Percentage of entities rated level 3 or above

Entities improved their controls in 4 categories and remained constant in 2. Information security continues to be our biggest area of concern where, similar to last year, half of the entities failed to meet the benchmark.

Nine of the entities at which we perform a capability assessment every year have consistently demonstrated good practices across all 6 control categories:

  • Department of the Premier and Cabinet (9 years at level 3 or higher)
  • Racing and Wagering Western Australia (8 years at level 3 or higher)
  • Western Australian Land Information Authority (6 years at level 3 or higher)
  • Curtin University (6 years at level 3 or higher)
  • Edith Cowan University (5 years at level 3 or higher)
  • Department of Training and Workforce Development (5 years at level 3 or higher)
  • Lotteries Commission (4 years at level 3 or higher)
  • South Metropolitan TAFE (4 years at level 4 or higher)
  • Department of Finance (4 years at level 4 or higher).

Information security

We assessed whether entity controls were administered and configured to protect information systems and IT environments from internal and external threats. We examined entities’ operations, information systems and security policies. Our audits also included an assessment against better practice controls for information and cyber security. These controls may include:

Source: OAG
Figure 5: Information security controls included in our GCC audits

The number of entities that met our benchmark for information security remained the same as last year at 50% (Figure 6). Over the last 14 years there has been little improvement in this area, with only an 11% increase in the number of entities meeting the benchmark since 2008. Significant information security weaknesses contributed to the highest number of qualified opinions on financial statements, controls or key performance indicators ever reported by this Office in 2020-21.

Source: OAG
Figure 6: Information security – percentage of entities that met/did not meet the benchmark

Common weaknesses we found included:

  • Inadequate information security policies – policies were out of date or did not sufficiently cover key areas of information and cyber security.
  • Endpoints missing essential controls – blocking of untrusted code and application whitelisting⁵ was not in place to reduce the risk of compromise through malware, and anti-malware software was not appropriately maintained.
  • Emails not protected – entities did not have controls to ensure the integrity and authenticity of emails and reduce the likelihood of successful phishing attacks. Controls such as Domain-based Message Authentication, Reporting and Conformance (DMARC), Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) were not implemented to prevent email impersonation.
  • Multifactor authentication not used – a number of public facing systems did not require multifactor authentication to strengthen access to systems.
  • Administrator privileges not managed well – administrators did not have separate unprivileged accounts for normal day to day tasks. Limiting privileges and separating administrative accounts are important mitigations against network and system compromise.
  • Vulnerability management tools not appropriately used – the tools were not correctly configured or appropriately used to detect vulnerabilities in systems, networks and endpoints, which increases the risk of compromise.
  • Network segregation not appropriate – networks were not segregated to limit the impact of a compromise. Partitioning the network into smaller zones and limiting the communication between these zones is an important control.
  • Unauthorised device connectivity – a lack of controls to detect or prevent unauthorised devices from connecting to entity internal networks. These devices can serve as an attack point and spread malware or listen in on network traffic.
  • Lack of data loss prevention controls – no processes to detect or block unauthorised transfers of sensitive data outside of the entities.
  • Weak database security controls – weak database passwords, excessive permissions granted by default and a lack of data encryption increased the risk of compromise. These controls are also important to deter insider threats.
  • Cloud security controls – inadequate controls to secure cloud resources and prevent unauthorised network traffic from untrusted networks.

These common weaknesses, and their importance to information and cybersecurity, are further illustrated in the following case studies.
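The email protection weakness above names three DNS-published controls (SPF, DKIM, DMARC). The checker below is an added example, not audit material, and it evaluates a domain’s records against the same points the finding raises: whether each record exists, whether SPF actually fails unlisted senders, and whether the DMARC policy goes beyond monitoring. The TXT records are constructed; in practice they would be looked up for the entity’s own domain and DKIM selector.

```python
"""Offline assessment of SPF, DKIM and DMARC records (added example)."""
import re


def parse_spf(txt: str) -> dict:
    """Return SPF terms and the qualifier on the trailing 'all' mechanism.

    The qualifier decides what happens to hosts not listed in the record:
    '-' fail, '~' softfail, '?' neutral, '+' (or none) pass, i.e. open.
    """
    if not txt or not txt.lower().startswith("v=spf1"):
        return {"present": False, "all": None, "terms": []}
    terms = txt.split()[1:]
    all_q = None
    for term in terms:
        m = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
        if m:
            all_q = m.group(1) or "+"  # an unqualified 'all' means pass
    return {"present": True, "all": all_q, "terms": terms}


def _parse_tags(txt: str) -> dict:
    """Split a 'tag=value; tag=value' record (DMARC or DKIM) into a dict."""
    tags = {}
    for part in (txt or "").split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def parse_dmarc(txt: str) -> dict:
    """Return DMARC tags, or an empty dict if the record is not a DMARC1 record."""
    tags = _parse_tags(txt)
    return tags if tags.get("v", "").upper() == "DMARC1" else {}


def assess_email_auth(records: dict) -> list:
    """Return weaknesses phrased in the same terms as the audit finding."""
    findings = []
    spf = parse_spf(records.get("spf", ""))
    if not spf["present"]:
        findings.append("SPF: no record, receivers cannot check the sending host")
    elif spf["all"] in ("+", None):
        findings.append("SPF: unlisted senders are not failed (no -all or ~all)")
    dmarc = parse_dmarc(records.get("dmarc", ""))
    if not dmarc:
        findings.append("DMARC: no record, receivers are given no policy")
    else:
        # A missing 'p' tag makes the record invalid; treat it as monitoring only.
        if dmarc.get("p", "none").lower() == "none":
            findings.append("DMARC: p=none only monitors, spoofed mail is still delivered")
        if "rua" not in dmarc:
            findings.append("DMARC: no rua= address, aggregate reports are not collected")
    if not _parse_tags(records.get("dkim", "")).get("p"):
        findings.append("DKIM: no public key published for the selector")
    return findings


# Constructed records for two hypothetical domains (not from the report).
WEAK_RECORDS = {
    "spf": "v=spf1 ip4:203.0.113.0/24 +all",
    "dmarc": "v=DMARC1; p=none",
    "dkim": "",
}
HARDENED_RECORDS = {
    "spf": "v=spf1 ip4:203.0.113.0/24 include:_spf.mail.example -all",
    "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example.test; adkim=s; aspf=s",
    "dkim": "v=DKIM1; k=rsa; p=MIIBIjANBgkqCONSTRUCTEDKEY",
}

if __name__ == "__main__":
    for name, recs in (("weak", WEAK_RECORDS), ("hardened", HARDENED_RECORDS)):
        print(name, assess_email_auth(recs) or ["no weaknesses found"])
```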

Business continuity

We continue to see improvement in this area with 65% of entities meeting the benchmark, compared to 62% last year and 54% in 2018-19 (Figure 7). This improvement may, in part, be attributable to the need for entities to continue to respond to the COVID-19 pandemic. However, many entities still did not have up-to-date business continuity and disaster recovery plans, which was a surprise in the current environment.

Business continuity, disaster recovery and incident response plans help entities recover critical information systems in the event of an unplanned disruption to their operations and services. Without these plans IT teams may struggle to restore key business functions and processes after a disruption. This could lead to extended outages and disruption to the delivery of important services to the public.

Critical operations are identified and prioritised in the business continuity plan and inform the resourcing and focus areas of the disaster recovery plans. Potential incidents and the immediate steps to ensure a timely, appropriate and effective response are considered in incident response plans.

Entities should test these plans on a periodic basis to assess and improve their processes to recover in the event of an unplanned disruption. Senior executives should monitor that plans are developed and tested in accordance with the risk profile and appetite of the entity.

Source: OAG
Figure 7: Business continuity – percentage of entities that met/did not meet the benchmark

Common weaknesses we found included:

  • IT disaster recovery plans were outdated and did not consider changes in the IT environment – in the event of a disruption there could be delays in recovering key systems and key services.
  • Lack of business continuity planning – no business continuity plans, or they were out-of-date. An up-to-date business continuity plan is crucial to an entity’s restoration of key functions in the event of a disruption. The scope of a business continuity plan should cover all business-critical areas, including IT.
  • Lack of disaster recovery plan testing – without appropriate testing of disaster recovery plans, entities cannot be certain the plan will work when needed.
  • No backup testing procedures – no formal procedures to verify that systems and data can be recovered from a backup.

The following case study illustrates common weaknesses in disaster recovery plans.

Management of IT risks

The percentage of entities that met our benchmark for this category in 2020-21 was 86% (Figure 8). This is the highest since we started benchmarking 14 years ago.

Entities should be aware of information and cybersecurity risks associated with IT including operational, strategic and project risks. All entities should have risk management policies and practices to assess, prioritise, address and monitor these risks affecting key business objectives. 

Source: OAG
Figure 8: Management of IT risks – percentage of entities that met/did not meet the benchmark

Common weaknesses we found included:

  • Lack of policies and processes to identify, assess and treat IT risks – without appropriate policies and processes, entities cannot effectively manage their IT risks.
  • Lack of IT risk register – risk registers were not maintained for ongoing monitoring and mitigation of identified risks.
  • IT risks not reported to senior management – key IT risks may not be addressed if senior management is not aware of them.

Without appropriate IT risk policies and practices, entities may not identify, mitigate, and manage threats within reasonable timeframes, and may not meet their business objectives.

IT operations

Entities continued to improve with 94% reaching our benchmark (Figure 9). This is the highest since we started auditing this category in 2011. It is also the category that showed the largest improvement since last year.

Effective management and visibility of IT operations is key to maintaining data integrity and ensuring IT infrastructure can withstand and recover from errors and failures. We assessed whether entities had adequately defined their requirements for IT service levels and allocated sufficient resources to meet these requirements. We also tested whether service and support levels were adequate and met better practice. Other tests included whether:

  • policies and plans were implemented and working effectively
  • repeatable functions were formally defined, standardised, documented and communicated
  • effective prevention and monitoring controls and processes had been implemented to ensure data integrity.

Source: OAG
Figure 9: IT operations – percentage of entities that met/did not meet the benchmark
Note: data is only available from 2011 when we added this category to the capability maturity model.

Common weaknesses we found included:

  • Supplier performance not monitored – supplier performance was not reviewed to identify and manage instances of non-compliance with agreed service levels and ensure value for money.
  • Inadequate staff termination processes – failure to consistently apply the pre-exit checklist procedures to staff terminations resulted in an increased risk of unauthorised access and loss of confidential information.
  • Inadequate monitoring of events – entities did not have effective policies and procedures to monitor event logs. System logs provide an opportunity to detect suspicious or malicious behaviour in key business applications.

Without appropriate IT strategies and supporting procedures, IT operations may not meet business requirements and may not be able to recover from errors or failures.

The following case studies illustrate common weaknesses in IT operations.

Change control

Entities’ change control practices were consistent with last year with 85% of entities meeting our benchmark in 2020-21 (Figure 10).

We examine whether system changes are controlled to minimise the risks and impact to stakeholders. An overarching change control framework is essential to ensuring changes are made consistently, reliably and efficiently. All changes should be appropriately authorised, tested, implemented and recorded. Implementation and rollback plans should be part of change control to recover from any adverse impacts.

Source: OAG
Figure 10: Change control – percentage of entities that met/did not meet the benchmark

Common weaknesses we found included:

  • Change management processes not documented – without documented processes and procedures, changes made to IT infrastructure can adversely affect entities’ operations leading to unplanned or excessive system down time.
  • Change processes not followed – changes to critical systems may be applied inconsistently if formal change processes are not followed. This can result in unplanned system downtime and interrupt entities’ delivery of critical services to the public.

Without adequate change control procedures, systems may not process information as intended and entities’ operations and services may be disrupted. There is also a greater chance of information loss, and access being given to unauthorised persons.

The following case study illustrates common weaknesses in entity change controls.

Physical security

Ninety-four percent of entities met our expectations for the management of physical security (Figure 11). This is a 27% improvement since our first assessment in 2008.

We examined if entities’ IT systems were protected against environmental hazards and related damage. We also reviewed if entities had implemented and monitored physical access restrictions to ensure that only authorised individuals could access or use computer systems.

Source: OAG
Figure 11: Physical security – percentage of entities that met/did not meet the benchmark

Common weaknesses we found included:

  • Lack of fire suppression systems – without an appropriate fire suppression system, systems are likely to be damaged in the event of a fire.
  • Access to server rooms was not managed well – processes to review and limit access to server rooms reduce the risk of system outages and compromise from unauthorised access.
  • Untidy cabling and non-essential equipment in server rooms – the risk of outages is higher if server rooms are not appropriately maintained.

Recommendations

  1. Information security
     Executive managers should:
     1. implement better practice security measures in the following areas:
        1. patching and vulnerability management
        2. application hardening and control
        3. technical controls to prevent impersonation and to detect/prevent phishing emails
        4. strong passphrases/passwords and multi-factor authentication
        5. limiting and controlling administrator privileges
        6. network segregation and prevention of unauthorised devices
        7. secure cloud infrastructure, databases, email and storage, knowing clearly ‘who’ they are handing entity and citizen data to through their use of cloud services
        8. cyber security monitoring, intrusion detection and protection from malware
     2. conduct ongoing reviews and monitor user access to information to ensure access is appropriate at all times
     3. develop and implement mechanisms to continually raise awareness of information and cyber security practices among all staff.
  2. Business continuity
     Entities should have up-to-date business continuity, disaster recovery, and incident response plans and periodically test them.
  3. Management of IT risks
     Entities should:
     1. understand their information assets and apply controls based on their value
     2. ensure IT risks are identified, assessed and treated within appropriate timeframes, and embed these practices as core business activities with executive oversight.
  4. IT operations
     Entities should implement policies and procedures that reference better practice standards and frameworks in key areas such as IT risk management, information security, business continuity and change control. IT strategic plans and objectives should support overall business strategies and objectives.
  5. Change control
     Entities should consistently apply approved change control processes when making changes to their IT systems. To minimise the occurrence of problems, these processes should include the requirement for thorough planning and impact assessments. Change control documentation should be current, and approved changes formally tracked.
  6. Physical security
     Entities should develop and implement physical and environmental control mechanisms to prevent unauthorised access or accidental damage to computing infrastructure and systems.

Appendix 1: Control categories in our updated capability maturity model (for 2022 audits)

  1. Manage IT risk
  2. Information security framework
  3. Human resource security
  4. Manage access
  5. Endpoint security
  6. Network security
  7. Physical security
  8. Manage change
  9. Manage IT operations
  10. Manage continuity

1 Western Australian Auditor General’s Report, Audit Results Report – Annual 2020-21 Financial Audits of State Government Entities, Report 10: 2020-21

2 Western Australian Auditor General’s Report, Audit Results Report – Annual 2020-21 Financial Audits of State Government Entities, Report 10: 2020-21, pp. 12-18

3 The information within this maturity model assessment is derived from the criteria defined within COBIT 4.1, released in 2007 by ISACA.

4 We assessed 34 entities across all 6 categories. At 2 entities we only assessed 1 category (management of IT risks) as their IT services were delivered by other state government entities.

5 Application whitelisting ensures that only allowed programs run on the computers or the network.

Page last updated: January 11, 2023