Information Systems Audit reports are an important product of my Office because they identify a range of issues that can seriously affect the operations of government if not addressed.
Unfortunately, we too often see the same or similar types of basic control weaknesses reported each year. Therefore, we have this year prepared some guidance on database security that I encourage all agencies to consider. The guidance is included as an Appendix to this report and will be available as a stand-alone document on our website.
This report contains two items:
- Database Security
- Application Reviews.
The first item of the report shows how seven agencies are managing the security of their databases. Western Australian government agencies collect and store a significant amount of sensitive and confidential information about organisations and individual members of the public. We audited the security of 13 databases that were critical to agency functions and held personal and sensitive information. They included human resource, finance and operational systems.
We conducted technical analysis of the databases, with the assessment broken into seven key categories. None of the sampled agencies adequately prevented unauthorised access to, and data loss from, their databases. All agencies had weaknesses across the seven categories. Most concerning was that we continue to find weak controls in some basic, easy-to-fix areas such as passwords, patching and the setting of user privileges.
The second item of the report contains the results of our audit of key business applications at four agencies. We found that all four applications were performing well and addressing business needs.
However, we found some weaknesses in data validation and in the manual processes supporting these applications. Issues pertaining to information security were also found at every agency. Particular areas of concern were data access and logging, software patching and updates, and general security practices in agency IT environments.
These weaknesses increase the risk to the confidentiality, integrity and availability of sensitive information that is entrusted to agencies.
All the agencies we audit understand the criticality of their IT systems to their operations, and yet too many underestimate the risks that exist to those systems. I trust that the guidance provided in the appendix to this report will make it easier for agencies to review their practices and improve the security of the information they hold.