Report 18: 2019-20

Information Systems Audit Report 2020 – State Government Entities

Auditor General’s overview

I am pleased to present our annual Information Systems Audit Report. The report summarises the results of the 2019 annual cycle of information systems audits for State government entities and tertiary institutes in the Western Australian public sector.

This report presents the results of our general computer control audits and capability assessments. The capability and maturity of entities’ general computer controls is such an important organisational imperative that it deserves the prominence of a dedicated report. Case studies are presented to share lessons from across the sector, including my Office. In future years, we may expand this report to provide more detailed information about common weaknesses found and approaches to addressing shortcomings.

The report contains a number of important findings and recommendations. All public sector entities should consider the recommendations and case studies in the report to see how they can be applied to their operations.

It is pleasing to see the number of entities assessed as having mature general computer controls across all categories of our assessment increased from 13 to 15, with many capability areas improving. However, information security and business continuity showed little improvement, with many entities failing to meet the benchmark for minimum practice. This is of significant concern given the value of personal and corporate information entities hold. It is my view that entities need to be as vigilant in protecting their personal and corporate information, by implementing the same level of controls including monitoring and protection, as for other valuable assets, such as cash, bank account access and other physical assets. Maturity across all sectors and entities has a way to go in this regard.

We use a rating scale to assess the maturity of entity controls across 6 categories. While the model has worked well over the last 12 years, my Office is looking at modernising and enhancing the model in future years. We hope this will help entities continue to develop and maintain robust controls that will sustain improved levels of maturity in general computer control environments.

The Office of Digital Government’s support to entities in addressing weaknesses and improving their capability is an important central agency function, required for a modern public service where connectivity and security of State systems is a focus. During the last 12 months, following a request from the Office of Digital Government, I provided them with copies of entity management letters for our general computer controls audits, where entities consented for us to do so, in order to inform their work program.

Unfortunately, it can be difficult for entities to perfectly implement controls, and sometimes staff will ignore or circumvent them – either deliberately or inadvertently. That is why having mechanisms to detect problems, including monitoring controls, ongoing training and rotation of staff is vital. It is also critical to promote an organisational culture where staff understand the principles of information security and are encouraged to report shortcomings in the knowledge they will be addressed.

My Office is not ring-fenced from reality, or immune in this regard. In 2019 we discovered an instance where access controls for a business system were not effective. Consequently, human resource and other non-audit information was inappropriately accessed internally by staff who did not need to access it. Information on this matter is included in a case study in Appendix 1, which is provided to share the lessons learnt by our Office, including the value of various control mechanisms, as it was ultimately those controls that brought the breach to our attention.

In all entities, system controls are particularly important at times where entities are going through significant change to consolidate and modernise information and communications technology. These changes bring new challenges, particularly where information technology (IT) arrangements are outsourced. Our sector-wide controls audits have found that governance of outsourced IT arrangements needs improvement. Entities were not consistently ensuring that the systems implemented by vendors meet expectations around security standards, architecture and functionality. With a global trend to outsource IT services, entities have an increasingly important responsibility for ensuring that external service providers follow better practices.

In the current environment, controls around remote IT access infrastructure will also need to be an area of priority as entities increasingly support staff to work in more flexible ways in response to current public health measures for the COVID-19 virus. To assist entities with this, we have included some good practice security considerations in Appendix 2 around remote access.

Page last updated: April 6, 2020