Victorian public-service executives ignoring warnings on IT security processes, end-of-life software: auditor

The IT-security attitudes of Victorian public-service agencies and departments are again being questioned after a report from the Victorian Auditor-General's Office (VAGO) concluded that departmental executives' ongoing failure to improve identity and access management (IAM) and other processes has put most Victorian state government agencies at significant security risk.

Fully 68 percent of the audit's findings related to IT-security issues, representing an increase of 1 percent over last year's inaugural ICT Controls Report 2013-14 and a 2013 audit that identified 58 major IT-security issues in the state's security defences.

Poor user access management was the single biggest problem identified in this year's audit, accounting for nearly 30 percent of issues identified in VAGO's audit of 45 state agencies running 65 financial IT applications.

Maturity assessments of each agency's identity and access management (IAM) and software licensing practices showed significant deficiencies, with the worst-case scenario identified as an “extreme-risk audit finding relating to authentication and password controls”.

Password controls had generally not been updated to reflect specific guidance introduced through mandatory new Victorian government policies in late 2013, with VAGO noting “a large number of issues related to password controls … This is disappointing given that the Victorian Government IT security standards have been in effect for the full financial year, and agencies have had time to develop an implementation plan.”

Indeed, 462 new and previously identified audit deficiencies were identified in this year's review – including 285 unique findings, 133 findings across shared IT environments, and 44 identified from IT service assurance reports.

Three root causes of IAM deficiencies were identified, including a poor understanding or documentation of what access has been provided to users; human oversights including a lack of notification when users change roles; and inadequate periodic reviews of security controls.

“More often than not, periodic reviews are conducted by management but are not sufficiently effective to eliminate instances of excessive access provided,” the report found. “In some instances, periodic reviews only focused on certain elements of the IT infrastructure, resulting in control limitations.”
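The three root causes above (undocumented access, role changes that nobody is told about, and periodic reviews that cover only part of the estate) are exactly what a reconciliation step in a periodic access review is meant to catch. The following Python is an added illustration, not code from the VAGO report or any Victorian agency: it compares the entitlements actually granted in each application against a role-to-entitlement baseline and an HR roster, and flags access carried over from a previous role, access beyond the role baseline, accounts with no HR record, and in-scope systems the review never looked at. All names, roles, systems and entitlements are constructed sample data.

```python
"""Periodic user-access review reconciliation (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date

# Constructed role baseline: for each role, the entitlements it should have per system.
ROLE_BASELINE = {
    "ap_clerk":   {"finance": {"invoice.create", "invoice.view"}},
    "ap_manager": {"finance": {"invoice.view", "invoice.approve", "payment.release"},
                   "payroll": {"payrun.view"}},
    "hr_officer": {"payroll": {"payrun.view", "employee.edit"}},
}

# Constructed HR roster: current role, previous role (if any) and the date of the change.
HR_ROSTER = {
    "alice": {"role": "ap_manager", "previous_role": None,       "changed": date(2013, 2, 1)},
    "bob":   {"role": "hr_officer", "previous_role": "ap_clerk", "changed": date(2014, 11, 3)},
    "carol": {"role": "ap_clerk",   "previous_role": None,       "changed": date(2012, 6, 1)},
}

# Systems the review is supposed to cover (constructed).
SYSTEMS_IN_SCOPE = {"finance", "payroll", "procurement"}

# Constructed entitlement exports from the applications. Note "procurement" is missing:
# nobody exported it, so the review cannot cover it.
GRANTED = {
    "finance": {
        "alice": {"invoice.view", "invoice.approve", "payment.release"},
        "bob":   {"invoice.create", "invoice.view"},          # left over from ap_clerk days
        "carol": {"invoice.create", "invoice.view"},
        "dave":  {"invoice.view"},                            # no HR record at all
    },
    "payroll": {
        "alice": {"payrun.view"},
        "bob":   {"payrun.view", "employee.edit", "payrun.approve"},  # approve is excess
    },
}


@dataclass(frozen=True, order=True)
class Finding:
    kind: str    # "carried_over", "excess", "undocumented" or "not_reviewed"
    system: str
    user: str
    detail: str


def review_access(baseline, roster, granted, systems_in_scope):
    """Reconcile granted entitlements against the role baseline and HR roster.

    Returns a sorted list of Finding records. An empty list means every in-scope
    system was reviewed and every entitlement is explained by the user's current role.
    """
    findings = []

    # Coverage check: a review that skips an in-scope system is a control limitation.
    for system in sorted(systems_in_scope - granted.keys()):
        findings.append(Finding("not_reviewed", system, "-", "no entitlement export reviewed"))

    for system, users in granted.items():
        for user, entitlements in users.items():
            record = roster.get(user)
            if record is None:
                # Access exists but nothing documents who this user is or why they have it.
                findings.append(Finding("undocumented", system, user, ",".join(sorted(entitlements))))
                continue
            expected = baseline.get(record["role"], {}).get(system, set())
            prior = baseline.get(record["previous_role"] or "", {}).get(system, set())
            for entitlement in sorted(entitlements - expected):
                # Access the old role had but the new one should not: the role change
                # was never reflected in the application. Anything else is plain excess.
                kind = "carried_over" if entitlement in prior else "excess"
                findings.append(Finding(kind, system, user, entitlement))
    return sorted(findings)


def summarise(findings):
    """Count findings per kind, which is what a review sign-off would report."""
    counts = {}
    for finding in findings:
        counts[finding.kind] = counts.get(finding.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for finding in review_access(ROLE_BASELINE, HR_ROSTER, GRANTED, SYSTEMS_IN_SCOPE):
        print(f"{finding.kind:13} {finding.system:12} {finding.user:6} {finding.detail}")
    print(summarise(review_access(ROLE_BASELINE, HR_ROSTER, GRANTED, SYSTEMS_IN_SCOPE)))
```

The coverage check runs before any per-user comparison on purpose: a review that reports "no excess access" over two of three systems is the partial review the auditors describe, and the missing export should be the first line of the report rather than a footnote.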

Some 53 percent of agencies were running IT systems that were nearing or past their end of life, the majority of which related to “key financial systems” and desktop operating systems like Windows XP and Server 2003 (for which Victorian IT provider CenITex recently paid $4.4m to obtain extended support from Microsoft).

Repeated warnings about IT security over several years have failed to produce concrete change, VAGO found – in particular noting “limited progress” in upgrading end-of-life systems. VAGO placed the blame on agency managers, who the auditors concluded need to “review these assurance reports with greater rigour and to acquit and take ownership over the weaknesses” identified in them.

In last year's audit, many managers wrongly believed that outsourcing elements of their IT transferred IT-security risk to the outsourcer and – despite some progress – this year's results “worryingly” showed “pockets of limited awareness and acceptance, including high-risk entities, of the risks and responsibilities associated with outsourced arrangements”.

Statutory limitations also constrained VAGO's jurisdiction: a private-sector service provider had prevented it from auditing some cloud infrastructure, so the auditors were unable to review the controls around the prevention and management of payroll errors.

The analysis noted three “clear emerging themes” when it came to government security protections: that management and oversight of IT controls by external service providers requires improvement; that audited entities are continuing to use ageing systems that will soon be unsupported by their vendors; and that weaknesses in IT security controls comprise “a large number” of the IT audit findings.

VAGO offered several recommendations to address these issues, including training and education on the evolving Victorian Protective Data Security Standards when they are finalised; that the Department of Premier & Cabinet monitor use of near end-of-life IT platforms; and that agencies' governing bodies improve governance and monitoring mechanisms including ensuring the continuity of vendor support for systems approaching their end of life.

Stories by David Braue