Report 28

Malware in the WA State Government

Audit focus and scope

The audit objective was to determine whether selected government agencies have effective controls to prevent, detect and respond to malware threats and malicious software infecting their computer systems.

We based our audit on the following lines of inquiry:

  • Have agencies implemented controls to prevent, detect and respond to malware threats?
  • Are agency controls effective at managing malware threats?

In undertaking this audit we:

  • reviewed agency policies, procedures and guidelines
  • compared agency security processes and tools against recommended good practice. This built on testing we normally do for general computer controls audits
  • captured agency network traffic for a period of 10 to 12 days at each agency
  • analysed agency network traffic for any evidence of active malware infections and attempted malware attacks
  • spoke to a representative from the Office of the Government Chief Information Officer
  • liaised with a representative from the Australian Cyber Security Centre (ACSC).

Further detail on the scope of the audit is included in Appendix 1.

We conducted this narrow scope performance audit under section 18 of the Auditor General Act 2006 and in accordance with Australian Auditing and Assurance Standards. Narrow scope performance audits have a tight focus and generally target agency compliance with legislation, public sector policies and accepted good governance. The approximate cost of tabling this report is $320,000.

Agencies we audited

We audited 6 agencies, selected because of the services they provide to the public and the sensitivity of the data they store. Most of these agencies also provide IT services to other agencies, acting as a shared service provider. We assessed the network traffic of these ‘sub-agencies’ as it passed through the main network. We expected these agencies to have secure IT environments and a mature approach to risk management.

Table 1 - Agencies included in the audit

We conducted the control testing at all agencies. We also conducted a high-level capture at 1 agency. However, there was insufficient detail to draw firm conclusions, so we changed our approach to do a more complete network capture and analysis at the other 5. Because of the risk of any weaknesses being exploited, we have not attributed any findings or recommendations to individual agencies.

 

 

 
