The Department of the Attorney General’s (DotAG) role is to provide justice, legal, registry, guardianship and trustee services to meet the needs of the community and the Western Australian Government. Its responsibilities include management of the Integrated Court Management System (ICMS), which is used in all criminal and civil jurisdictions for the Supreme, Children’s and Magistrates Courts and the State’s Administrative Tribunal in Western Australia. ICMS supports the management of court cases, tribunals and debtors’ payments and integrates with systems across the entire Justice network.
ICMS holds personal and sensitive information regarding WA Court proceedings and outcomes. External agencies such as Western Australia Police, the Department of Corrective Services, the Office of the Director of Public Prosecutions and several other parties also access and use the system. This broader access requires appropriate layers of security in ICMS and its related systems to protect sensitive information. Building security into various layers of access to and within a system is known as ‘defence in depth’.
The idea behind the defence in depth approach is to defend a system against any particular attack using several independent methods. Defence in depth measures should help prevent security breaches, and also assist an agency to detect and respond to an attack, thereby reducing and mitigating the consequences of a breach.
Overall, ICMS is an effective application for managing Court matters and processes. However, DotAG does not follow the good practice principle of defence in depth to protect the ICMS system and information. As a result, we noted a number of control weaknesses in key layers of security across the organisation. While the Department had also identified a few of these risks, most were not previously known. Combined, these increase the risk of unauthorised access and disclosure of sensitive or personal data, such as fines issued to individuals, and their name, driver’s licence number, date of birth and address details. They may also impact the integrity and availability of ICMS information.
Sensitive information at risk
Our security assessment of the three main ICMS databases, system servers and supporting components identified a range of vulnerabilities and weaknesses across the system. These issues significantly increase the risk to the confidentiality, integrity and availability of sensitive information. This sensitive information includes personal details of individuals involved in ongoing and upcoming court cases.
Some of the weaknesses we noted were:
- Software updates – We found that software updates released by the vendor to fix known security vulnerabilities had not been applied and that DotAG was not aware of this weakness. It is far easier for attackers to exploit systems that don’t have the latest software patches applied. This may allow attackers to gain unauthorised access to the system and/or information. An effective patching process that keeps software up to date is vital to help protect against cyber and other threats.
- Weak passwords – We also found that a number of database level accounts had simple, well-known or easy to guess passwords. If the passwords are obtained or guessed, they can be used to access the system and information. Some of these accounts permitted access to DotAG’s data warehouse, as well as access to core ICMS information. The data warehouse stores a wide range of sensitive information from ICMS and various other DotAG systems.
- Database auditing – DotAG has not established database level auditing to track direct access and changes to ICMS information. This means it is not possible to identify any inappropriate database level access or modifications to ICMS information. A number of users including external contractors and staff of other agencies have access to the database. This increases the risk and the need for appropriate database level auditing to be implemented.
- Application level firewall – ICMS is not protected by an appropriate application level firewall. Given the current control weaknesses and the number of other agencies that can access DotAG’s network, deploying an application level firewall would provide an extra layer of security. This would help reduce the risk of unauthorised system access. We also established that information was not being encrypted which means that anyone who accesses this information can read it.
Human resource security procedures
DotAG has inconsistent human resource security procedures. Applying appropriate and standardised human resource procedures helps reduce the insider risk of inappropriate access to and disclosure of sensitive information.
Some of the variances and weaknesses in procedures we identified were:
- Police clearance requirements – DotAG policy only requires staff who started after 1 January 2014 to obtain a Police clearance every five years. The employment contract for staff who commenced employment prior to 1 January 2014 does not require them to provide regular police clearances. However, if staff who commenced prior to this date change roles such as through a promotion and this requires a new employment contract, then the new contract will oblige them to obtain a police clearance every five years. Police checks enable employers to assess whether an employee’s criminal history is a risk to their operations.
- Clearance requirements for IT contractors – DotAG also requires certain staff to obtain a Government Security Vetting, which is a higher level of clearance. However, this is not required for the IT system administrators who are DotAG contractors. Inadequate background checks of these individuals pose a significant security risk given that these individuals have full access to DotAG’s systems and information.
- Termination of access – The Australia New Zealand Policing Advisory Agency recommends that all relevant individuals sign to acknowledge they understand their obligations when they leave an entity’s employment. By signing this statement, the individual acknowledges that they may no longer access the entity’s systems and may not use any information they became aware of during their employment or engagement for other purposes. DotAG does not require exiting staff or contractors to sign this sort of statement.
Controls to ensure ongoing operations
DotAG has not developed an IT disaster recovery plan (DRP), despite ICMS being an important application for DotAG and a number of other organisations. A DRP is a key document that provides details of the procedures to be followed to recover the system in the event of an incident or disruption. With the weaknesses we identified, there is a greater risk of an unplanned event that could affect the availability of the system and impact DotAG’s business operations and the other organisations that use it.
In addition to the findings we made during the audit, we noted that the Department had also identified some risks associated with the ICMS:
- DotAG had not implemented controls to ensure that confirmations of criminal outcomes were entered into ICMS within one business day of the respective Court hearing. Up to date information on criminal outcomes is critical to WA Police, Department of Corrective Services, Public Prosecution and DotAG’s Fines Enforcement Registry. ICMS also does not have automated notifications for transaction processing errors. This may impact the integrity of information within dependent systems.
- The ICMS Portal provides DotAG and external parties such as WA Police with the ability to view ICMS records via the Internet. The process to remove access to the ICMS Portal for external users is not within DotAG’s full control and relies on the external agency’s processes. This may result in external user accounts remaining active and allow unauthorised access to ICMS information.
- The ICMS system administrator provides role-based user access for ICMS based on their interpretation of an access request. This is because DotAG has not documented what access a user requires to perform their functions. In addition, there is no process to review user access levels periodically to ensure they are appropriate. This increases the risk that users have excessive or inappropriate ICMS access.
DotAG advised that it has addressed these other findings since the audit.
1. To reduce the risk of unauthorised access and loss or changes to information, the Department of the Attorney General should by the end of 2015:
a) undertake a security risk assessment and use this to apply a defence-in-depth strategy which considers application level firewalls and encryption of data
b) conduct regular vulnerability scanning as defined in its internal policy and implement an appropriate and effective patching process
c) apply password management controls to ensure that all account passwords follow good practice for access management and comply with internal policy requirements
d) audit and track direct database access to system information.
2. To ensure ongoing operations and reduce the risk of inappropriate insider access, by the end of 2015, DotAG should also:
a) develop a disaster recovery plan for its key applications and services to ensure the timely recovery of systems following an incident or outage
b) consistently screen staff and contractors. Current exit procedures should also be enhanced to ensure that staff and contractors are appropriately informed of their IT and information obligations once their engagement ceases
c) refer to the Australian Signals Directorate for good practice security guidelines.
The Department of the Attorney General has valued the opportunity for external review of its performance regarding the management of application controls of the Integrated Court Management System. It is pleasing to note that the Auditor General has found that ICMS application controls, in several areas of focus, were found to be effective.
Several of the findings reported by the Auditor General were previously reported by the Department’s Internal Audit and were addressed prior to the completion of this audit.
The Department notes the Auditor General’s key findings regarding access controls and monitoring of activity and will consider the recommendation to the Department following a risk assessment.
 Making your company technology crime resistant, 2014.