Report 12: 2017

Information Systems Audit Report

Image and Infringement Processing System (IIPS) – Western Australian Police

Introduction

WA Police uses IIPS to manage traffic infringements caught by cameras and those issued by officers. The system stores confidential infringement data containing names, addresses and offence information.

Audit conclusion

WA Police can rely on this system to manage its traffic infringement processes effectively. However, there are some areas of weakness associated with the system.

A heavy reliance on manual paper-based processes associated with on-the-spot infringements has compromised the efficiency and integrity of the system. Police officers also spend considerable time managing and correcting data errors.

Information sharing arrangements with third parties is not secure, potentially increasing the risk of unauthorised access to confidential information. Poor management of user access rights and a significant number of software vulnerabilities further increase the risk of exposure of sensitive information or a cyber incident.

WA Police also needs to improve disaster recovery processes for IIPS. Not ensuring that its plans are adequate and up to date risks downtime and potential data loss.

Background

The Traffic Services Branch of WA Police has an important role to play in safeguarding and improving road safety in Western Australia. The branch manages the fleet of mobile speed cameras and fixed red light and speed cameras.

Within Traffic Services, the Infringement Management and Operations office is responsible for processing traffic infringements and overseeing camera operations.

In 2015, WA Police used IIPS to record and manage approximately 747,000 speeding infringements, 18,000 red light and 135,000 on the spot infringements. The Operations office, in conjunction with a third party vendor, developed IIPS in-house to suit its requirements.

Traffic incidents recorded by cameras (both mobile and fixed) are loaded into IIPS for processing. IIPS automatically converts these incidents into infringements, which different teams within WA Police verify prior to the system sending them onto traffic offenders.

Police officers also issue on-the-spot fines to offenders, and manually enter them into IIPS for processing.

Audit findings

Sensitive data is exposed and better protective measures should be applied

WA Police shares infringement data, containing names, addresses and offence information, electronically with a third party vendor in an insecure manner. This vendor prints and mails infringement notices to offenders using information provided to them over the internet in plain-text via a simple file transfer method. This increases the risk of a hacker intercepting sensitive information. WA Police is in the process of evaluating secure file transfers to see if it could use this solution to improve information security.

Sensitive and personal information from IIPS and other WA Police systems that is stored on backup tapes is also not appropriately secure. A third party collects and manages the tapes in off-site storage. If a tape was lost or stolen, an unauthorised party could read the information stored on the tape. WA Police needs to address this risk, for example by encrypting information to ensure that only people with appropriate authorisation can read it.

We tested a sample of 75 IIPS accounts, which showed that accounts for 3 former employees were still open and 2 other accounts did not appear on the access register.

Without appropriate controls covering user access, there is an increased risk of unauthorised or inappropriate access to sensitive information.

Considerable time is spent managing paper based infringements

On average, police officers issue about 11,500 ‘on the spot’ infringements to motorists each month. This type of infringement requires manual recording of the details of the driver, vehicle, and infringement, handwritten on paper tickets. Officers around the state must send hard copy tickets to the Operations office team for processing. The hard copies are scanned into IIPS for safekeeping and a team of dedicated data entry officers then enter the details of the tickets into IIPS.

These infringements may need to be cancelled or withdrawn if they contain:

  • incorrect offence codes
  • incorrect address information
  • incorrect penalty amounts and/or demerits.

We checked a sample of 50 cancelled on the spot infringements, and found that half of these were withdrawn due to incorrect details. Although the infringements are usually reissued with the correct details, officers spend considerable time processing the cancellation and fixing the errors.

Opportunity exists for WA Police to automate on the spot fines to reduce its reliance on handwritten tickets. This automation could reduce the risk of errors, and free up police resources for other duties.

Security vulnerabilities may go undetected due to inadequate processes

We found software updates released by vendors to fix known security issues were not applied to the system, including 162 ‘critical’ and ‘high’ severity updates. We also identified a number of serious vulnerabilities in software installed on the IIPS servers. Given the nature of the WA Police network, this is a serious concern.

WA Police relies on its contractor to identify vulnerabilities. However, the tools used for the assessment are not configured correctly to be fully effective, meaning that vulnerabilities may go unpatched. Currently, there are dozens of ways for hackers to exploit the vulnerabilities and compromise the system. An effective vulnerability management process is essential in order to mitigate against these cyber threats.

Disaster recovery plans have not been tested and may be unreliable

WA Police does not have adequate procedures and plans to recover IIPS in a disaster situation. Although plans and backup equipment are in place, there has been no testing of the disaster recovery process. Without this testing, WA Police cannot be sure that its plans are effective. IIPS is a critical system and an outage would result in delays to infringement management operations. Regular testing of recovery procedures is important to highlight gaps and to better prepare WA Police for a disaster situation.

Recommendations

  1. By December 2017, WA Police should:

a. review the information security policy to ensure appropriate controls are in place to protect sensitive information

b. review the process for managing security vulnerabilities, software updates and patches

c. review its manual processes for on the spot infringements and consider automated solutions

d. develop access management policies and controls for the system

e. develop and test disaster recovery procedures to ensure the timely recovery of systems following an incident or outage.

Response from WA Police

WA Police fully accepts all of the Office of the Auditor General’s recommendations and provide the following comments.

Recommendation (a) ensure appropriate controls in place to protect sensitive information

Police are in the process of implementing secure file transfer protocols with the print provider which is scheduled for completion in August 2017.

Recommendation (b) review practices for managing security vulnerabilities, software updates and patches

Police are currently upgrading to supported hardware and software components that will allow IIPS to be aligned with broader systems patch and vulnerability management.

Recommendation (c) consider automated solution to replace handwritten infringements

Police support the move to automated infringement solutions for frontline officers and intend to investigate potential solutions including linkage to a mobility platform.

Recommendation (d) develop access management policies and controls

Access management practices have been reviewed and hardened until additional automated controls become available.

Recommendation (e) test DR procedures to ensure timely recovery

Disaster recovery documentation is currently being updated and will include the required test plans.

 

 

Back to Top