Thursday 11 January 2018

NSW Auditor-General not impressed by government agencies cyber security risk management


“Specific financial reporting, controls and service delivery comments are included in the individual 2017 cluster financial audit reports tabled in Parliament from October to December 2017.” [NSW Auditor-General, Report on Internal Controls and Governance 2017, December 2017]

On 20 December 2017 the NSW Auditor-General released the Report on Internal Controls and Governance 2017.

The Sydney Morning Herald reported on 28 December 2017:

Two-thirds of NSW government agencies are failing to properly safeguard their data, increasing the risk of improper access to confidential information about members of the public and identity fraud by cyber criminals.

The finding has emerged from an audit of dozens of government agencies, including those holding highly sensitive personal information collected from millions of citizens, such as NSW Health, the department of education, NSW Police Force, Roads and Maritime Services and the justice department.

While the report by auditor-general Margaret Crawford does not name the agencies failing to properly manage privileged access to their systems, it highlights the potential consequences.

"Personal information collected by public sector agencies about members of the public is of high value to cyber criminals, as it can be used to create false identities to commit other crimes," she says in the report.

"Despite these risks, we found that one agency had 37 privileged user accounts, including 33 that were dormant. The agency had no formal process to create, modify or deactivate privileged users."

Overall, Ms Crawford's report found 68 per cent of NSW government agencies "do not adequately manage privileged access to their systems".

In addition, she said, the audit determined that 61 per cent of agencies "do not regularly monitor the account activity of privileged users".

"This places those agencies at greater risk of not detecting compromised systems, data breaches and misuse," the report said.

The audit found 31 per cent of agencies "do not limit or restrict privileged access to appropriate personnel". Of those, just one-third monitor the account activity of privileged users.

It found that almost one-third of agencies breach their own security policies on user access.

The report warns that if agencies fail to implement proper controls "they may also breach NSW laws and policies and the international standards that they reference".

Read the full article here.

List of NSW Government Agencies Examined by NSW Auditor-General
Education
Department of Education
Family and Community Services
Department of Family and Community Services
New South Wales Land and Housing Corporation
Finance, Services and Innovation
Department of Finance, Services and Innovation * Specifically identified in report
Place Management NSW
Property NSW
Service NSW
Health
NSW Health
Industry
Department of Industry
Destination NSW
Forestry Corporation of New South Wales
Office of Sport
TAFE Commission
Water NSW
Justice
Department of Justice
Fire and Rescue NSW
Legal Aid Commission of New South Wales
NSW Police Force
Office of the NSW Rural Fire Service
Planning and Environment
Department of Planning and Environment
Essential Energy
Hunter Water Corporation
Landcom
Office of Environment and Heritage
Office of Local Government
Sydney Water Corporation
Premier and Cabinet
Department of Premier and Cabinet
Transport
NSW Trains
Rail Corporation New South Wales
Roads and Maritime Services
Sydney Trains
Transport for NSW
WCX M4 PTY Limited
WCX M5 PTY Limited
Treasury
Crown Finance Entity
Insurance and Care NSW
Lifetime Care and Support Authority
NSW Treasury Corporation
NSW Self Insurance Corporation


Some deficiencies were common across agencies

The most common internal control deficiencies were poor or absent IT controls related to:

user access management
password management
privileged access management
user acceptance testing.

The most common governance deficiencies related to:

management of cyber security risks
capital project governance
management of shared service arrangements
conflicts-of-interest management
gifts-and-benefits management
risk management maturity
ethical behaviour policies and statements.

No comments: