Western Australian government agencies collect and store a significant amount of sensitive and confidential information on organisations and individual members of the public. They also perform a variety of financial transactions through computer systems. These agencies have an obligation to secure systems and information from unauthorised access and to prevent it from being inappropriately exploited.
Databases used by agencies to store information are highly desirable targets for cyber-attacks as they offer hackers immediate and significant benefits, such as financial details of organisations and individuals. As we have previously reported, implementing appropriate controls will reduce the risk of unauthorised access and the loss and exploitation of information managed by agencies.
This year, as part of our annual general computer control audits and application reviews, we undertook health checks on 13 databases that store critical information at a sample of seven agencies. Database health checks assess a number of areas to identify weaknesses of most concern. These weaknesses are relatively easy to identify and address.
The objective of this audit was to determine if obvious security weaknesses existed that would allow unauthorised access to the information held in selected databases.
Specifically, we examined the seven key areas set out below:
We audited 13 systems at seven agencies, which included nine Oracle and four MS SQL databases. The seven agencies were:
- Murdoch University
- Legal Aid
- Department of Health
- Curtin University
- Department of Local Government and Communities (DLGC)
- Drug and Alcohol Office – now incorporated into the Mental Health Commission
- Department of the Attorney General (DotAG).
The databases we reviewed are critical to agency functions and included human resource, finance and operational systems that hold personal and sensitive information. We analysed various settings on database servers and interviewed staff and contractors regarding their security practices and controls in place.
We provided agencies with detailed reports and recommendations of our findings so they could address them and where required, conduct further investigation. The findings of this audit provide an insight to good practice and the types of control weaknesses and exposures that can exist so that all agencies, including those not audited, can consider their own performance and improve their database security.
We calculated the severity of agency weaknesses using a risk matrix that considered consequences of the risk with the likelihood of it occurring. Weaknesses were rated according to a four point scale; low, medium, high, and extreme. A weakness rated as low is not likely to occur and the consequences will be insignificant or minor. Extreme weaknesses are likely or expected to occur and will have a catastrophic impact on the agency.
This was a narrow scope performance audit, conducted under section 18 of the Auditor General Act 2006 and in accordance with Australian Auditing and Assurance Standards. Narrow scope performance audits have a tight focus and generally target agency compliance with legislation, public sector policies and accepted good practice.