Report 28

Malware in the WA State Government

Agency responses

Department of the Attorney General

The Department of the Attorney General values the opportunity to work with the OAG in assessing its current risks and protections. The Department found the report and recommendations in the “Malware in the WA State Government” very useful and, having regard to this Report, will undertake a review of its current ICT security architecture and Security Management practices.

The Department welcomes the recommendations of the audit and is working to address comments directed specifically to the agency. The Department is optimising the use of its existing ICT budget to carry out changes to systems and controls on the basis of risk. Given these constraints, some risks identified in this report may not be fully addressed.

We support the recommendations of assistance from the Office of the Government Chief Information Officer in the rollout of information security capability within the public sector.

Department of Mines and Petroleum

The Department of Mines and Petroleum has valued the opportunity for an independent external review of its malware protection performance by the Office of the Auditor General. The favourable findings from the review validate the ongoing commitment of the Department towards effective and strong information security practices.

Department of Transport

The Department of Transport (DoT) accepts the findings with the report providing insight into current vulnerabilities. Although the data capture was limited to only two-thirds of traffic, the department takes comfort that our perimeter defences prevented any significant findings or significant breach of security. DoT has already started to address all recommendations. The recommendations provide further support to ensure DoT’s ICT Governance and Security frameworks are fully implemented and adhered to.

Main Roads Western Australia

Main Roads will undertake a risk assessment of malware threats and make appropriate improvements to controls as required. Additionally, Main Roads look forward to working collaboratively with the Office of the Government Chief Information Officer and other agencies to improve overall information security for WA Government.

Office of the Government Chief Information Officer

The recommendations are supported.

Cyber Security will continue to be a growing issue as these types of security threats are continuously evolving, sometimes on a daily basis. Some countries have dedicated teams breaking through virtual security barriers in order to gain commercial advantage or simply cause anarchy. As the WA Government, not unlike other governments around the world, moves into more online access for its staff and the community, the threat of loss of data or viruses remains a high risk, high impact consideration for government.

It should be noted that publishing a security policy only sets a standard. There must be ongoing audits to measure compliance. That cannot be undertaken by the Office of the Government Chief Information Officer as we do not have the resources.

There also is a significant skills gap in the public sector to ensure that appropriate security measures are in place, that CEOs and CIOs instil the right disciplines and ensure that their government agency proactively mitigates its security risk from outside threats. It is imperative that government works in a collaborative manner to achieve this outcome; the OGCIO is attempting to lead this outcome. It is suggested that Government CEOs must have cyber security as a standing agenda item on their corporate executive Risk Register and reviewed frequently throughout the year.

Page last updated: December 7, 2016
