Auditor general Colin Murphy has expressed disappointment with what he claims is the failure by many state government agencies to appropriately manage their IT systems.
Auditor general Colin Murphy has expressed disappointment with what he claims is the failure by many state government agencies to appropriately manage their IT systems.
The IT systems of about 45 government agencies were assessed against six control categories, which were regarded as good practice to preserve the confidentiality, integrity and availability of information.
The audit found more than half of the agencies weren’t meeting the benchmark in three or more of the categories, which were IT operations, management of IT risks, information security, business continuity, change control, and physical security.
“After doing this audit for eight years I am disappointed to see little or no improvement in controls year on year, and agencies not treating this matter with the seriousness it deserves,” Mr Murphy said.
“Information security and business continuity have not improved, scores fluctuate year to year, but the trend remains flat.”
Given the categories related to the security of information and the availability of services, the auditor general said was concerned about the lack of progress.
“Many of the weaknesses I consistently report are easy to remedy such as poor password management and ensuring data recovery processes are in place and updated in the event of an incident,” Mr Murphy said.
“I may have to look at ways to make agencies more accountable for IT weaknesses and it may include naming agencies not addressing or taking action to rectify concerns.”
The audit also looked at the controls around five key business applications. It found that while they were working effectively, all had weaknesses, with the most common being poor policies, procedures and security.
Mr Murphy said there were lessons in the report for all agencies, not just for those audited, about the management of IT systems and if taken on board the results of next year’s audit should be an improvement.
Some of the weaknesses included easy to guess passwords, software updates not applied, failure to remove accounts belonging to former staff and manual data entry, processing and manipulation.
“Agencies are urged to take note of the findings and act on the recommendations to ensure the confidentiality and integrity of information,” Mr Murphy said.
“Many of the issues raised in the report are simple and inexpensive to correct and agencies should address those identified as soon as possible.”
