NSW auditor-general calls for improvements to government IT security

Report reveals old operating software, low encryption used in NSW agencies

New South Wales government departments have been given a clean bill of IT security health by the auditor-general, but several recommendations for future preventative care have been issued.

In his report, NSW Auditor-General, Peter Achterstraat, said [[xref: http://www.audit.nsw.gov.au/publications/reports/financial/2011/Vol01/pdfs/electronic_information_security_volume_1_2011.pdf| that while testing performed by experts found no major security flaws, several opportunities to improve electronic information security existed|new]].

This includes the government database access not being secured in Web applications, potentially leaving databases open to SQL injection attacks and consequently, data theft.

In addition, the failure to terminate remote access sessions, transmission of data between systems and remote applications in easily read and modifiable form, weak encryption methods, login credentials stored by the user’s Web browser, and out of date operating system software with known vulnerabilities were also identified as areas where IT security could be improved.

The recommendations are a result of an Electronic Information Security audit released on 20 October 2010, which slammed the NSW government’s security practices.

“The criterion for that audit was that the government should be able to show that those systems, which hold personal information, are certified to comply with the international Information Security Management Systems standard - ISO27001,” said Achterstraat in the report.

Experts were employed to conduct penetration testing and high-level scanning of email content on two agencies that are currently certified to the ISO27001 standard.

Checks were also done to ensure that personal information held on selected databases was adequately protected from unauthorised access, and unencrypted sensitive personal information was rarely emailed outside the selected agencies.

The testing revealed no major security flaws in either agency.

“This positive outcome suggests that the international standard is a good basis for building strong electronic information security,” said Achterstraat.

“I also concluded that penetration testing and email scanning are worthwhile tools to identify security issues and obtain assurance of robust defences against unauthorised access to data.”

Follow Hamish Barwick on Twitter: @HamishBarwick

Follow Computerworld Australia on Twitter: @ComputerworldAU

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Follow our new CSO Australia LinkedIn
Follow our new social and we'll keep you in the loop for exclusive events and all things security!
Have an opinion on security? Want to have your articles published on CSO? Please contact CSO Content Manager for our guidelines.

Tags IT SecurityNSW auditor-generalAuditor-General Peter Achterstraat

More about ISOO2

Show Comments

Featured Whitepapers

Editor's Recommendations

Brand Page

Stories by Hamish Barwick

Latest Videos

More videos

Blog Posts