Report 11

Information Systems – Security Gap Analysis

Auditor General’s Overview

The Information Systems Audit Report is tabled each year by my Office. This report summarises the results of the 2012 annual cycle of audits, plus other audit work completed by our Information Systems group since last year’s report of June 2012. This year the report contains three items:

In the first item we benchmarked 21 agencies against the International Standard for Information Security – ISO 27002. The standard sets out controls for ensuring computer systems are designed, configured and managed to preserve the confidentiality, integrity and availability of information. Most of these controls are recognised as good practice and require minimal effort to implement. Our information systems audits consistently highlight a need for agencies to pay greater attention to the security of their information systems. Therefore it was not surprising to find the majority of agencies we looked at had significant gaps when assessed against these standards. The standards provide useful guidance to agencies on how to take a systematic approach to identifying and addressing these gaps. While the international standards for information security are not mandatory in Western Australia, I urge agencies to seriously consider them.

The second item reports on the audit of five key business applications at four agencies. Most of the applications we reviewed were working effectively. However, we identified a number of serious weaknesses with the Firearms Management System managed by Western Australia Police (WAP). Because of these weaknesses WAP lacks reliable information to effectively manage licensing and regulation of firearms in Western Australia.

The final item presents the results of our general computer controls and capability assessments of agencies. Only three of the 36 agencies we assessed were rated as having mature general computer control environments across all six categories of our assessment. Half the agencies failed to meet our expectations for three or more of these categories.

Please note that this report has been presented on this website in three parts:

 
Page last updated: June 27, 2013
