Report 12: 2017

Information Systems Audit Report

Case Management and Intelligence System (CMIS) – the Corruption and Crime Commission

Introduction

The Corruption and Crime Commission (CCC) uses CMIS to manage serious misconduct allegations and investigations. The system stores sensitive information about serious public sector misconduct allegations and investigations including case notes, logs, actions taken, and details of evidence. In 2015-16, the CCC used CMIS to log 2,244 notifications of serious misconduct, resulting in 4,024 allegations requiring assessment. Seventy-nine notifications resulted in an investigation by CCC.

Audit conclusion

CMIS supports the management and investigation of serious misconduct allegations for CCC. However, a number of weaknesses affect the security, reliability and efficiency of the system.

Poor risk management, missing security updates, poor IT processes and a lack of disaster recovery and continuity planning compromise the security of data and ongoing availability of information.

The rigid design of the system requires inefficient manual work-arounds and does not allow for interactive reporting, limiting its usefulness to CCC.

Background

CCC deals with allegations of serious misconduct by public officers in Western Australia. These include police, prison officers, teachers, public servants, local government officers and members of Parliament.

Serious misconduct can include fraud, stealing, tax evasion, excessive use of force, trafficking of drugs and deliberately releasing confidential information.

CCC is notified of serious misconduct, which can then lead to formal allegations. Allegations require thorough investigation by either CCC or the associated government agency.

CCC uses CMIS to manage the notifications and allegations it receives. If it decides to undertake an investigation in-house, staff use CMIS to store case notes, logs, actions taken and details of evidence. CCC also manages any investigations into organised crime using the same system.

CMIS is also used as an intelligence tool to connect people to properties, weapons, vehicles, images, phone numbers and other individuals. This helps CCC to find relationships and patterns which assist with its investigations. CMIS is also the primary source of information for CCC’s reporting, including both internal and public reporting.

Originally developed by the Australian Federal Police, CMIS is now on-sold and supported by a commercial provider.

Audit findings

Poor risk management could compromise the security and reliability of data

We found some gaps in CCC’s risk management processes, which could compromise the security and reliability of CMIS data, as well as its availability to those that need it.

Good risk management ensures that CCC can identify, assess and treat risks in a structured fashion. It also ensures decisions around risk are considered and actioned by suitable levels of management.

We noted that:

A risk assessment had not been conducted for CMIS. Without a formal risk assessment, senior management are less likely to understand and plan for risks directly related to CMIS. Given the importance of this system, it is essential that management is aware of the risks to the system, how well it is being protected, and where any vulnerabilities might exist.

CCC had not updated its IT risk register for over 6 years. This means CCC is unlikely to be fully aware of the current risks to its information and the suitability of the controls that are protecting it. Risk registers need to be regularly reviewed and updated to identify new risks and ensure existing risks are properly assessed. CCC’s own policies state that risk registers must be updated at least annually.

The ‘owner’ of the CMIS application is unsuitable, meaning it might not meet the needs of the staff who use it daily. Application owners represent the system’s end-users. They should have a good understanding of the business processes supported by the system and be able to make user focused decisions. We found the CMIS owner was part of the information services team. While they will have good technical knowledge of the system, they are not likely to be in a position to advocate for the needs of end users.

Gaps in security controls leave systems and data exposed

We identified out-of-date, unpatched software with known vulnerabilities on the server that runs CMIS, as well as on other core systems at CCC. An attacker could use these exposed vulnerabilities to gain unauthorised access to CCC's internal network, and from there attack internal systems and access highly sensitive data.

We found 218 'critical' and 'high' rated vulnerabilities that were unpatched on a number of key servers supporting CMIS. Between them, these vulnerabilities had more than 100 publicly available exploits.

These patches were missing because of flaws in the process CCC uses to identify vulnerabilities and deploy patches. CCC uses an automated patching system. However, it was not set up to patch all the software installed on its computers, so software outside its scope stayed unpatched. An effective patching process that keeps all software up to date is vital protection against cyber threats and data loss.

We also noted that CCC does not perform vulnerability scans across its IT systems. These scans help agencies find and patch software that is vulnerable or out of date. They are especially useful in finding software vulnerabilities not managed by an automated patching system.
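The two gaps described above, an automated patcher that does not cover every installed package and no vulnerability scanning to catch what it misses, are the sort of thing a short triage script over a scan export makes visible. The following is an added example, not code from the audit report or from CCC's tooling. It assumes a scanner export in CSV form with the columns shown and a list of the packages the automated patching tool is configured to manage; the hostnames, package names, versions and CVE placeholders are all constructed for illustration and do not refer to real systems or real CVE records.

```python
"""Triage a vulnerability scan export and find patch-coverage gaps.

Added example, not from the audit report or from CCC's tooling. It assumes
a scanner export in CSV form with the columns below, and a list of the
packages that the automated patching tool is configured to manage. Both
are constructed here; hostnames, package names and CVE placeholders are
illustrative and do not refer to real systems or real CVE records.
"""
import csv
import io
from collections import defaultdict

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Constructed sample scanner export (not real scan output).
SCAN_CSV = """host,cve,severity,package,installed,fixed,exploit_public
cmis-app01,CVE-EXAMPLE-0001,critical,openssl,1.0.1,1.0.2,yes
cmis-app01,CVE-EXAMPLE-0002,high,java-runtime,7u25,8u151,yes
cmis-db01,CVE-EXAMPLE-0003,critical,dbms-server,11.1,11.4,no
cmis-db01,CVE-EXAMPLE-0004,medium,pdf-reader,9.0,11.0,no
cmis-app01,CVE-EXAMPLE-0005,high,pdf-reader,9.0,11.0,yes
cmis-app01,CVE-EXAMPLE-0006,low,zip-tool,2.0,2.1,no
"""

# Assumed: the packages the automated patching tool actually updates.
# Anything else on a host is only patched if someone does it by hand.
MANAGED_PACKAGES = {"openssl", "dbms-server"}


def parse_scan(text):
    """Parse the CSV export into a list of dicts with normalised fields."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        sev = row["severity"].strip().lower()
        if sev not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {row['severity']!r} for {row['cve']}")
        findings.append({
            "host": row["host"].strip(),
            "cve": row["cve"].strip(),
            "severity": sev,
            "package": row["package"].strip(),
            "installed": row["installed"].strip(),
            "fixed": row["fixed"].strip(),
            "exploit_public": row["exploit_public"].strip().lower() == "yes",
        })
    return findings


def summarise(findings):
    """Headline numbers: critical/high findings, and how many of those
    already have a public exploit (the ones an attacker needs no skill for)."""
    crit_high = [f for f in findings if f["severity"] in ("critical", "high")]
    return {
        "total": len(findings),
        "critical_high": len(crit_high),
        "critical_high_with_public_exploit": sum(f["exploit_public"] for f in crit_high),
    }


def prioritise(findings):
    """Order findings for remediation: higher severity first, and within a
    severity those with a public exploit first. Stable sort keeps ties in
    export order."""
    return sorted(
        findings,
        key=lambda f: (-SEVERITY_RANK[f["severity"]], not f["exploit_public"]),
    )


def coverage_gaps(findings, managed=MANAGED_PACKAGES):
    """Packages with open findings that the automated patcher does not
    manage, mapped to the hosts they were found on. These stay open until
    the patch process is widened or a manual patch is applied."""
    gaps = defaultdict(set)
    for f in findings:
        if f["package"] not in managed:
            gaps[f["package"]].add(f["host"])
    return {pkg: sorted(hosts) for pkg, hosts in sorted(gaps.items())}


def patch_plan(findings, managed=MANAGED_PACKAGES):
    """Per-host list of packages to update, most urgent first, one entry per
    package at its worst severity, flagged by whether the patcher will do it."""
    plan = defaultdict(list)
    seen = set()
    for f in prioritise(findings):
        key = (f["host"], f["package"])
        if key in seen:
            continue
        seen.add(key)
        plan[f["host"]].append({
            "package": f["package"],
            "fixed": f["fixed"],
            "severity": f["severity"],
            "automated": f["package"] in managed,
        })
    return dict(plan)


if __name__ == "__main__":
    fs = parse_scan(SCAN_CSV)
    print(summarise(fs))
    for pkg, hosts in coverage_gaps(fs).items():
        print(f"not managed by patcher: {pkg} on {', '.join(hosts)}")
    for host, items in patch_plan(fs).items():
        print(host)
        for it in items:
            how = "auto" if it["automated"] else "MANUAL"
            print(f"  [{it['severity']}] {it['package']} -> {it['fixed']} ({how})")
```

The point of `coverage_gaps` is the one the audit makes: an automated patcher reports success for the packages it knows about, so the only way to see the third-party software it silently skips is to compare an independent scan against the patcher's scope. On the constructed data, two of the three high-rated findings with public exploits sit in packages the patcher never touches.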

To strengthen security controls, CCC has implemented 'application whitelisting', which the Australian Signals Directorate regards as the number one control to prevent targeted cyber intrusions. Whitelisting allows only a defined list of authorised applications to run and blocks everything else. However, no single control is sufficient: layered controls such as patching, restricting administrative privileges and incident and intrusion detection should also be used to make it as difficult as possible for attackers to succeed.

CMIS reporting is limited, requiring manual workarounds

The way the system is designed makes it hard to produce meaningful and dynamic reports for senior management. Staff producing reports use manual workarounds, which put the accuracy of the data at risk and are time consuming.

The reporting features in CMIS are limited, and the system design prevents CCC from directly accessing the CMIS database to query the data.

The system does have a search function that allows data extraction in basic formats. Staff manipulate these CMIS extracts in separate spreadsheets and databases to get the desired output. This takes time and does not provide the flexible or interactive reporting offered by modern data analysis tools.

Lack of disaster preparedness could lead to delays to operations

CCC has identified CMIS as critical for day-to-day operations. An outage of the CMIS application could result in serious delays to operations and CCC would need to go back to a manual, paper-based approach.

We found weaknesses in the following areas that may delay CCC’s ability to recover operations following an incident:

CCC has not yet developed an adequate IT disaster recovery plan for CMIS and other key systems. CCC has recently established a new computer room in a separate location that duplicates data for recovery purposes. However, it does not yet have plans to recover its key systems and it has not done formal testing of the recovery capability.

Backup tapes required to recover CMIS in the event of a disaster have not been tested. This conflicts with CCC’s policy, which requires annual recovery tests. Untested backups may be unreliable or unsuitable.

CCC does not have a continuity agreement in place with its CMIS service provider. If the provider is unable to support the system, CCC may not get full access to the system and its data. CCC should establish continuity agreements (for example, a source code escrow arrangement) to ensure the system's code and other proprietary information is available if the service provider can no longer support the system.

Important processes are not properly supported by policies and procedures

CCC relies on experienced staff members to make sure activities are performed in CMIS correctly and consistently, but lacks sufficient written procedures to guide their work. Good documented policies and related procedures set clear requirements, roles and responsibilities for the management of IT systems.

We noted gaps in the following areas:

Information security policies were limited. While CCC has implemented many technical controls, it has not properly supported these with policies and procedures. This increases the chance of gaps in its identification and management of security risks.

There is no access control policy and supporting procedures for CMIS. The policies and procedures should guide how new CMIS users are approved and created and how the various user roles are applied in the system. They should also set the requirement for scheduled reviews to confirm that existing CMIS user roles are suitable. Without these, CCC risks providing users with unsuitable access.

There is no formal guidance to ensure data quality. CCC performs some checks to identify data quality issues within CMIS. However, it has not documented responsibilities, frequency of checks, or follow-up activities required. Some issues we noted included misconduct notifications without associated allegations, duplicate entries and assessment decisions incorrectly marked.

Changes to CMIS were not properly managed. We found limited status tracking and reporting of IT changes, change policies that were more than 12 months overdue for review, and CMIS changes that were not logged in the centralised change register. Good change management ensures changes to IT systems are communicated, authorised, tested and implemented in a controlled manner. Without it, changes can cause unplanned system downtime or misconfiguration that results in security breaches.
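The data quality issues noted above (notifications without associated allegations, duplicate entries and incorrectly marked assessment decisions) are the kind of check that can be written down once and run on a schedule over the extracts the search function already produces. The following is an added example, not part of the audit report and not CCC's own checks. It assumes two CSV extracts, one of notifications and one of allegations, with the column names shown, and it assumes a small fixed vocabulary of assessment decisions; the data, column names and vocabulary are all constructed for illustration. It also goes one step beyond the issues listed, adding a check for allegations that point at a notification that does not exist.

```python
"""Data quality checks over CMIS-style extracts.

Added example, not part of the audit report and not CCC's own checks. It
assumes two CSV extracts of the kind the search function produces (a
notifications extract and an allegations extract) with the columns shown;
the data and column names are constructed for illustration. The allowed
assessment-decision vocabulary is an assumption too.
"""
import csv
import io
from collections import defaultdict

# Assumed vocabulary; in practice this comes from the assessment procedure.
ALLOWED_DECISIONS = {"referred", "investigate", "no further action"}

# Constructed sample extracts (not real CCC data).
NOTIFICATIONS_CSV = """notification_id,agency,received,summary,decision
N-1001,Agency A,2016-02-01,Alleged misuse of vehicle,referred
N-1002,Agency B,2016-02-03,Unauthorised disclosure,investigate
N-1003,Agency A,2016-02-01,Alleged misuse of vehicle,referred
N-1004,Agency C,2016-03-10,Excessive force complaint,
N-1005,Agency B,2016-03-12,Fraudulent timesheets,Investigated
"""

ALLEGATIONS_CSV = """allegation_id,notification_id,category
A-1,N-1001,misuse of resources
A-2,N-1002,disclosure
A-3,N-1002,disclosure
A-4,N-1005,fraud
A-5,N-9999,fraud
"""


def load(text):
    """Read a CSV extract into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def notifications_without_allegations(notifications, allegations):
    """Notifications that no allegation refers to: either never assessed or
    assessed without the allegation being recorded."""
    linked = {a["notification_id"] for a in allegations}
    return sorted(n["notification_id"] for n in notifications
                  if n["notification_id"] not in linked)


def orphan_allegations(notifications, allegations):
    """Allegations whose notification_id is not in the notifications
    extract (a broken link, or an extract taken from an inconsistent state)."""
    known = {n["notification_id"] for n in notifications}
    return sorted(a["allegation_id"] for a in allegations
                  if a["notification_id"] not in known)


def duplicate_notifications(notifications):
    """Group notifications that look like the same event entered twice:
    same agency, received date and summary, after normalising case and
    whitespace. Returns id groups with more than one member."""
    groups = defaultdict(list)
    for n in notifications:
        key = (n["agency"].strip().lower(),
               n["received"].strip(),
               " ".join(n["summary"].split()).lower())
        groups[key].append(n["notification_id"])
    return sorted(ids for ids in groups.values() if len(ids) > 1)


def invalid_decisions(notifications, allowed=ALLOWED_DECISIONS):
    """Decisions that are blank or outside the agreed vocabulary. The match
    is exact on purpose: 'Investigated' is not 'investigate', and letting
    variants through is how the counts in reports drift."""
    return sorted((n["notification_id"], n["decision"]) for n in notifications
                  if n["decision"].strip() not in allowed)


def run_checks(notifications_csv=NOTIFICATIONS_CSV, allegations_csv=ALLEGATIONS_CSV):
    """Run every check and return the hits keyed by check name."""
    notifications = load(notifications_csv)
    allegations = load(allegations_csv)
    return {
        "notifications_without_allegations":
            notifications_without_allegations(notifications, allegations),
        "orphan_allegations": orphan_allegations(notifications, allegations),
        "duplicate_notifications": duplicate_notifications(notifications),
        "invalid_decisions": invalid_decisions(notifications),
    }


if __name__ == "__main__":
    for check, hits in run_checks().items():
        print(f"{check}: {hits if hits else 'none'}")
```

Each function returns the offending identifiers rather than a count, so the output can go straight to whoever owns the follow-up, which is the part the audit found undocumented. Who runs it and how often is a procedure question, not a code one, but having the checks in one place makes that procedure easy to write.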

Recommendations

  1. By August 2017, CCC should:

a. review and update its information services risk register and conduct an assessment of CMIS to identify risks associated with the information handled and related business processes. This should inform the corporate risk register for senior management to consider

b. review and improve its process to identify and apply software updates to all information systems in a timely manner

c. develop and test disaster recovery plans to ensure the ongoing operations of key applications and IT services. It should also explore continuity agreements with software providers

d. review and update its existing policies and develop new ones to ensure all relevant areas of information security are appropriately addressed

e. review its business needs and assess whether a more suitable application exists for replacing CMIS.

Response from the Corruption and Crime Commission

The Commission appreciates the importance of having adequate controls in place for corporate applications in the course of operational activities. As such, we take the findings seriously and accept that there are some controls that need to be improved.

The Commission fully accepts:

  • Recommendation (a): By August 2017, the Commission will have completed an IT risk assessment including an updated IT risk register.
  • Recommendation (d): The Commission recently completed the review and update of its corporate policy framework. All information security-related policies are anticipated to be endorsed by July 2017.
  • Recommendation (e): The Commission’s 2016 Information Management strategic plan already outlined the requirement to review and implement a new fully integrated Case Management solution. The CMIS replacement project has progressed well with implementation of a new CMIS system anticipated in 2018.

The Commission accepts in part:

  • Recommendation (b): To enhance our existing layered security controls that mitigate risk of cyber-intrusion and unauthorised access, the Commission has recently upgraded its configuration management tool, implemented external vulnerability assessment and a security incident event management tool.
  • Recommendation (c): A revised Commission Business Continuity Plan will be completed by August 2017. The Commission has completed a successful IT disaster recovery failover and resolution has been achieved for the continuity agreement with the CMIS provider.
