Problems with agency IT security are again under the spotlight, with reports from both Australia and the US highlighting widespread problems with compliance. The recent Australian National Audit Office (ANAO) report exposing serious inadequacies in the security of key government agencies gels nicely with a new federal information security analysis from the US highlighting the vulnerability of civilian government agencies there.
Special Minister of State Gary Nairn has expressed disappointment at the findings of the ANAO report, which found key government agencies faced risks to the confidentiality, integrity and availability of government information, data and systems.
The report criticized six key agencies for their failure to comply with the Protective Security Manual (PSM) and ACSI 33 and urged agencies to document how they balanced risks against potential benefits when introducing new technologies like wireless and voice technologies. And it noted that agencies needed to lift their game in areas like e-mail filtering. All agencies audited could improve performance in one or more aspects of managing Internet security, such as the development of system security plans, it found.
The ANAO also found that while several of the six agencies had initiated development of business continuity and disaster recovery plans for their Internet services, only one had sound plans in place. Two other agencies were largely reliant on the knowledge of key staff and had few documented procedures; some agencies produced documents only in draft form and some plans had not been regularly reviewed.
"Lack of appropriate business continuity and disaster recovery planning can increase the time taken to recover information after interruptions to an agency's computer system, and lead to agencies being unable to recover critical Internet services quickly, contributing to a failure to deliver services to the community," the report says.
Included amongst compliance failings was the fact that agencies lacked "systematic and coordinated program for the ongoing management of ICT security-related risk assessments." And the ANAO found agencies had made no link between security policies and system security plans and their ICT risk assessments.
Failure to adhere to the requirements of the PSM and ACSI 33 heightened the risk of for agency information to be compromised, affecting the agencies' ability to provide services, the reported noted.
The agencies were Customs, Australian Federal Police, Australian Radiation Protection and Nuclear Safety Agency, Department of Employment and Workplace relations, Department of Industry, Tourism and Resources, and Medicare.
Meanwhile a report from government business consultants INPUT finds US CIOs and CISOs in civilian federal government agencies are not, on the whole, failing to adhere to policies and standards due to a lack of availability. Rather, it faults the decentralization of IT departments within federal agencies. INPUT says decentralization dilutes a CIO's ability to effectively manage and oversee configuration management across the department.
"CIO/CISOs face many challenges in developing, implementing, and enforcing standard device configurations across a federal department. They have generally lacked department-wide management and implementation authority for IT and information security programs because they lack input and decision making ability at the executive program level. Some of these challenges must be addressed at the executive level of the federal government and involve the overall architecture and ownership of federal government networks," INPUT says.
The report also found a failure to standardize configurations for all network devices has left US Federal civilian agencies at a high level of risk for security breaches. INPUT predicts agency moves to develop consistent and unified security configurations will create numerous opportunities for technology vendors with strong configuration and patch management capabilities and offerings.
"A sound configuration management process requires enforcement of policies along with the development and implementation of new business processes and technologies," Bruce Brody, vice president, information security at INPUT says. "The steps for developing and maintaining a configuration management plan are configuration and policy development, configuration migration, and patch management."