Report 23

Information Systems Audit Report – Database Security

Agency responses

Curtin University

Curtin acknowledges fully the requirement to ensure the security of its sensitive information stored in its financial, human resources, and student management systems in accordance with the University’s extant risk, legislative, and regulatory environments. To this end, we are taking proactive steps to address the OAG’s findings related to Database Security in a pragmatic, risk-informed, and operationally-sensitive manner.

Department of the Attorney General

The Department of the Attorney General has valued the opportunity for external review of its performance. It is pleasing to note that the Auditor General has found that the ICMS database security controls, in several areas of focus, were found to be effective.

The Department has already implemented many months ago several of the recommendations made by the Auditor General and a departmental risk assessment will be undertaken to determine whether any further risk mitigation strategies are required.

Department of Health

The Department of Health welcomes the opportunity to work with the OAG to review internal controls around information contained in WA Health databases.

The Department accepts the recommendations and notes the overall rating of moderate with respect to database security contained within the 2014/15 Information Systems Audit.

The Department proposes establishing a working group to address the recommendations. Whilst some of the recommendations can be addressed and implemented in the short term, others may require additional resources to be acquired. These more complex implementations will be considered within WA Health’s ICT reforms, as outlined in the 2015-18 ICT Strategy. The recommendations will be assessed within defined affordability parameters against other ICT priorities that are focused on stabilising existing systems and infrastructure.

Department of Local Government and Communities

The Department of Local Government and Communities accepts the Auditor General’s Summary of Findings in relation to database security.

At the time of the performance audit, the department was not administering the databases. Upon assuming responsibility for the databases, the department has addressed the findings identified during the performance audit, specifically:

  • User access is restricted to a needs basis, reviewed on a regular basis, and complies with contemporary account management practices. Generic or group access accounts are not permitted.
  • Security and software updates are tested and applied as soon as practicable.
  • All database configuration settings are deliberately assessed and configured to ensure appropriate security.
  • The same security protocols are maintained across test and production environments. Test systems are deleted when no longer required.
  • All data servers are maintained behind appropriate firewalls.
  • All database backups are encrypted.
  • The department is contracting for vulnerability and penetration assessments to test and improve its database security.

The Department of Local Government and Communities is committed to protecting the privacy of its data and the security of its databases.

Legal Aid Commission

The Legal Aid Commission accepts the findings of the audit and would like to express its thanks to the Office of the Auditor General for its efforts and advice. Legal Aid is acting on the recommendations and conducting an ongoing review of database security to ensure that sensitive and confidential client information is adequately protected.

Mental Health Commissioner

The Mental Health Commission acknowledges the findings of the performance audit, relating to SIMS2 database security, and accepts all of the review’s recommendations. The audit process has highlighted a number of issues and activities are ongoing to resolve those highlighted in the review.

Earlier this year, a project was initiated to upgrade the infrastructure and database management system upon which SIMS2 has been developed. The installation and testing of these new technologies is underway with implementation due to be completed in early 2016.

A number of other items identified in the audit have already been addressed and the remainder will be finalised, as per the review’s recommendations, by June 2016.

Murdoch University

Murdoch engaged the services of an independent technical consultant to review the OAG findings and recommendations. A report from this review was produced early this year detailing the technical actions to be taken. Some of the actions have been completed, including the acquisition of a comprehensive password management system.

Many of the remaining actions require specialist technical skills which are being sought. Some of the OAG recommendations required referral to the individual system vendors as the recommendations involved changes to their proprietary software. Murdoch have received the vendor responses and have considered these responses as part of the remediation actions.
