NSW auditor-general calls for improvements to government IT security

Report reveals old operating software, low encryption used in NSW agencies

New South Wales government departments have been given a clean bill of IT security health by the auditor-general, but several recommendations for future preventative care have been issued.

In his report, NSW Auditor-General Peter Achterstraat said that while testing performed by experts found no major security flaws, several opportunities to improve electronic information security existed (http://www.audit.nsw.gov.au/publications/reports/financial/2011/Vol01/pdfs/electronic_information_security_volume_1_2011.pdf).

These include database access in government Web applications not being properly secured, potentially leaving databases open to SQL injection attacks and, consequently, data theft.

In addition, failure to terminate remote access sessions, transmission of data between systems and remote applications in a form that could be easily read and modified, weak encryption methods, login credentials stored by the user’s Web browser, and out-of-date operating system software with known vulnerabilities were also identified as areas where IT security could be improved.
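The database-access finding above is the classic SQL injection case: query text assembled from user input versus a bound parameter. The following is an added illustration, not code from the audit or from any NSW agency system; the table, its rows and the lookup functions are constructed for the example.

```python
import sqlite3

# Constructed sample data: a small in-memory table standing in for the
# kind of personal-information database the audit describes.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE citizens (id INTEGER, name TEXT, licence TEXT)")
    conn.executemany(
        "INSERT INTO citizens VALUES (?, ?, ?)",
        [(1, "alice", "L-1001"), (2, "bob", "L-1002"), (3, "carol", "L-1003")],
    )
    return conn

def lookup_unsafe(conn, name):
    # Vulnerable pattern (the audit finding): the request parameter is
    # concatenated into the SQL text, so the database cannot distinguish
    # user data from query structure.
    sql = "SELECT licence FROM citizens WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn, name):
    # Hardened pattern: a bound parameter. The driver sends the value
    # separately from the statement, so quotes in the input stay data.
    rows = conn.execute("SELECT licence FROM citizens WHERE name = ?", (name,))
    return [row[0] for row in rows]

if __name__ == "__main__":
    db = make_db()
    # Input containing a quote, as an attacker or a fuzzing audit would supply.
    crafted = "x' OR '1'='1"
    print("unsafe:", lookup_unsafe(db, crafted))  # returns every licence in the table
    print("safe:  ", lookup_safe(db, crafted))    # returns [] : no citizen has that name
```

A code review or static scan that flags string concatenation into `execute()` calls is the cheapest way to find the unsafe pattern before a penetration test does.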

The recommendations are a result of an Electronic Information Security audit released on 20 October 2010, which slammed the NSW government’s security practices.

“The criterion for that audit was that the government should be able to show that those systems, which hold personal information, are certified to comply with the international Information Security Management Systems standard - ISO27001,” said Achterstraat in the report.

Experts were employed to conduct penetration testing and high-level scanning of email content on two agencies that are currently certified to the ISO27001 standard.

Checks were also done to ensure that personal information held on selected databases was adequately protected from unauthorised access, and unencrypted sensitive personal information was rarely emailed outside the selected agencies.

The testing revealed no major security flaws in either agency.

“This positive outcome suggests that the international standard is a good basis for building strong electronic information security,” said Achterstraat.

“I also concluded that penetration testing and email scanning are worthwhile tools to identify security issues and obtain assurance of robust defences against unauthorised access to data.”

Follow Hamish Barwick on Twitter: @HamishBarwick

Follow Computerworld Australia on Twitter: @ComputerworldAU
