Gold Corporation (the Corporation) was created by the Gold Corporation Act 1987 to take over the operations of the Perth Mint. The Corporation operates Australia’s largest precious metals refinery. Most of the gold mined in Australia and some from neighbouring countries is refined at its Western Australian facility.
Activities of the Corporation and its subsidiaries include refining precious metals, the manufacture of coins and bars, the supply of precious metal blanks and storage and safekeeping services for precious metals. It also designs and markets Australia’s official bullion coin program.
The Corporation uses an in-house developed application, the Treasury System (TS), to manage precious metal transfers, trades, metal swaps, shipments and consignments for over 1,000 clients from Australia and overseas. Clients are mainly mining companies and bullion banks. On average, over 200,000 ounces of gold with an approximate value of $344 million and over 400,000 ounces of silver valued at $9.2 million are traded via TS each week.
Overall TS is a well-functioning application that assists the Corporation to manage its precious metal trading effectively. The system also provides useful information and reports.
However, improvements can be made to the documentation of information and communications technology risks, security over back-up tapes, software updates and disaster recovery testing.
Information risk management
Gold Corporation has extensive prudential management policies that incorporate financial and treasury risks.
However, the extent to which information and security risks are integrated into the policies is unclear as the risk assessment processes are not documented – though staff advised that they were considered.
Good documentation is an important means of ensuring that the Board and senior management have visibility and a good understanding of the information and security risks affecting the Corporation. Good documentation also helps facilitate risk reviews and to ensure that risk treatment remains appropriate.
Security of sensitive data could be improved
The TS stores financial and personal information of customers, both Australian and international, business and individual. The Corporation is not adequately managing some of the risks associated with information and software updates for key systems:
- Backups not encrypted – backups are stored on tapes for collection and management by a third party contractor. This creates a risk of unauthorised access and inappropriate disclosure of information if stored tapes are misplaced or stolen. If the tapes were encrypted, the data would be inaccessible to anyone who did not possess the decryption keys, provided the keys are held separately from the tapes and not handed to the contractor with them. Encryption of backup media where confidentiality is important is in accordance with the international standard for information security (ISO/IEC 27002:2013).
- Basic security updates not applied – software updates released by vendors to fix known security vulnerabilities were not applied to all key servers. Without these updates, attackers could exploit known vulnerabilities and may gain access to systems and information. An effective ‘patching’ process that keeps software up-to-date is vital to protect against cyber threats and data loss.
- Vulnerability assessments are not conducted – the Corporation does not perform vulnerability assessments across its IT systems and therefore cannot give assurance that its software updates have been applied correctly or that its systems are not exposed to known vulnerabilities. Ideally, vulnerability scans should be performed at least monthly. Regular scanning ensures new vulnerabilities are detected in a timely manner.
- Unsupported operating systems – some servers run operating systems for which the vendor no longer provides support or security updates, increasing the risk of the IT systems and information being compromised.
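The backup finding above turns on one property: a tape is only safe to lose if its contents cannot be read without a key that never travels with it. The following program is an added illustration written for this page, not code from Gold Corporation or its contractor, showing what that looks like in practice with authenticated encryption (AES-256-GCM from the Go standard library). The backup payload and the tape label "TAPE-0001" are constructed sample values; the key-handling comments describe a recommended arrangement, not the Corporation's actual environment.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed sample payload standing in for the contents of one backup tape.
// It is illustrative only and not real Gold Corporation data.
var sampleBackup = []byte("client=Example Mining Pty Ltd;ounces_au=1200;settlement=London Credit Account")

// newKey returns a fresh 256-bit data-encryption key. In production this key
// should live in a key vault or HSM that the tape courier never has access to;
// the tape carries only ciphertext.
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// newGCM builds the AES-256-GCM cipher for a 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealBackup encrypts plaintext with AES-256-GCM. The tape label is bound as
// associated data so a blob cannot be restored under a different label.
// Output layout: nonce || ciphertext || 16-byte authentication tag.
func sealBackup(key []byte, tapeLabel string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // a nonce must never repeat under one key
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(tapeLabel)), nil
}

// openBackup reverses sealBackup. A wrong key, a wrong label or any modified
// byte fails the GCM tag check, so the caller gets an error rather than garbage.
func openBackup(key []byte, tapeLabel string, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns+gcm.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	return gcm.Open(nil, blob[:ns], blob[ns:], []byte(tapeLabel))
}

func main() {
	key, _ := newKey()
	blob, err := sealBackup(key, "TAPE-0001", sampleBackup)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d plaintext bytes into %d bytes (nonce+ciphertext+tag)\n", len(sampleBackup), len(blob))

	// Holder of the key and the correct label gets the data back.
	got, err := openBackup(key, "TAPE-0001", blob)
	fmt.Println("correct key restores data:", err == nil && bytes.Equal(got, sampleBackup))

	// A misplaced or stolen tape without the key is just random-looking bytes.
	otherKey, _ := newKey()
	_, err = openBackup(otherKey, "TAPE-0001", blob)
	fmt.Println("wrong key rejected:", err != nil)

	// A single flipped byte on the tape is detected instead of being silently restored.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = openBackup(key, "TAPE-0001", tampered)
	fmt.Println("tampered blob rejected:", err != nil)
}
```

The point a practitioner should take from this is the separation: the contractor receives the sealed blob, the Corporation retains the key, and a lost tape is then a lost nonce and ciphertext rather than a lost client list. Authenticated encryption (GCM) also means a tape that has been altered in transit fails to restore, which a plain block-cipher mode would not detect.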
Controls to ensure ongoing operations
The Corporation has concluded that disruptions to the TS of more than two hours can impact its day-to-day operations and may result in financial loss or reputational damage.
The Corporation has developed an IT disaster recovery plan to restore services in the event of an outage. Although it tested the plan in 2011, the testing was limited and therefore did not provide reliable assurance that the plan works. Good testing covers a variety of failure scenarios to help ensure the plan is well designed and reliable.
The Corporation recognised this issue in 2014 and is now developing a testing program and planning a controlled failover test of key systems in 2016. A controlled failover test assesses whether systems can be completely restored.
Access control policy and procedures
We found that the Corporation did not have a documented access control policy and relevant supporting procedures for TS. We also identified that a high privilege administrator account for TS has been configured with no password expiry. During the audit, the Corporation drafted a new account management policy to address these issues, which includes access to TS.
Without appropriate policy and procedures over user access to systems and networks, there is an increased risk of unauthorised or inappropriate access.
The Corporation’s settlement team performs manual reconciliations for cash settled transactions processed by TS. Most transactions are either metal swaps or are settled by crediting the Corporation’s London Credit Account. For the period we tested, an average of 26 transactions per day were cash settled. After transactions are entered into TS, the settlement team documents them manually in a spreadsheet that reconciles the cash transactions with the banking information.
Although manual data processing is generally less accurate and efficient than automated processes, the Corporation advised that these processes have proven effective. The Corporation also advised that current system limitations mean that these controls cannot be automated.
1. By August 2016 the Gold Corporation should:
a. integrate its information risk management process with that of the business, in line with better practice
b. ensure that appropriate controls are in place to protect information at all times including data stored on backups
c. identify and apply updates to IT infrastructure in a timely manner. The Corporation should also conduct regular internal vulnerability scans
d. improve the disaster recovery environment to minimise the risk of system outages and conduct adequate disaster recovery testing on a regular basis.
2. When it next updates or reviews its systems, the Corporation should consider automating the reconciliation of cash settled transactions.
Note: the weekly trade values quoted above were at May 2016.
Response from the Gold Corporation
Integrate its information risk management process with that of the business, in line with better practice
The Corporation accepts this finding and has included the risks outlined in the IT risk register for on-going pro-active monitoring and management.
Ensure that appropriate controls are in place to protect information at all times including data stored on backups
The Corporation accepts that it is important to have in place appropriate controls to protect information at all times, including data stored on backups, and takes the security of sensitive information seriously. The Corporation has completed a further comprehensive risk assessment to satisfy itself as to the appropriateness of the controls surrounding such data. This included an assessment of the physical security controls implemented at the vaulted storage facility and an assessment of the operational processes and procedures embedded within the facility and transportation methods. The controls were found to be appropriately designed to mitigate risk and are operating effectively. The Corporation has satisfied itself on the design and operating effectiveness of the current control structure; however, the Corporation accepts that this issue needs to be actively monitored and managed and also accepts that its current procedure may need to change based on future assessments.
Identify and apply updates to IT infrastructure in a timely manner. The Corporation should also conduct regular internal vulnerability scans
The Corporation accepts the need to apply security updates to its applications and systems in an appropriate and timely manner. The Corporation also accepts that regular testing for security vulnerabilities is an effective way to identify and mitigate potential threats. Monthly security updates are now applied to all servers across the organisation in line with current policy, and vulnerability scans are planned to commence later in the year.
Improve the disaster recovery environment to minimise the risk of system outages and conduct adequate DR testing on a regular basis
The Corporation accepts the need to regularly test the disaster recovery environment. A successful failover of all key systems including those referred to in the Summary of Findings has been completed with no issues identified. As part of the failover from the production environment to the disaster recovery environment the Corporation successfully ran all its production systems from the disaster recovery environment for 7 days without issue to business continuity. The Corporation plans to ensure regular testing occurs using a variety of possible failure scenarios.