Australian agencies fail to meet security expectations

Even though the Australian government may have an effective IT security framework, a recent report shows that certain government agencies are not living up to it, highlighting a great concern.

The Australian National Audit Office (ANAO) IT security management audit report assessed eight government agencies, including the Department of Immigration and Multicultural and Indigenous Affairs, Bureau of Meteorology, ComSuper, and the Department of Environment and Heritage.

The report found that overall, the agencies had not implemented effective policies, practices and processes to ensure their IT security policy met with government standards.

Only two agencies could demonstrate suitable processes to assess system compliance with their IT security policy and government requirements as well as processes for managing exceptions and variations.

The ANAO report also found that most agencies did not maintain key IT operational procedures and configuration documentation. This was particularly evident of agencies that had contracted to third-party service providers for the provision of IT and/or IT security services.

Australian Computer Society Vice President and KPMG global chief operating officer, information risk management, Kumar Parakala, said the audit findings are of concern.

"I have found the commonwealth government is leading the Asia Pacific in terms of its policy framework for IT and information security, but it is important that all the agencies are executing the policies consistently to the benchmark that is set by the government," he said.

"Deficiencies would have a direct impact on the service delivery of the government."

Parakala believes that the solution lies in integrating IT security governance in the corporate governance responsibilities of an organization, ultimately reporting to the CEO.

"If someone is willfully damaging government property it is a very serious matter and the police get involved. Those sorts of security responsibilities have been very clearly defined, dealt out and managed. But IT security is not taken equally as seriously," he said.

"IT security breaches can in fact have greater set-backs to organizations than physical security breaches."

Frost & Sullivan security analyst James Turner has a slightly different take.

"IT security and information security should not be in such a hurry to become a boardroom issue, because the business will have its own challenges that need attention," he said.

Instead, his suggestion is for managers and executives dealing with risk, compliance, governance and information security is to make a noise about this issue in order to "loosen up the purse strings".

"Once Australian organizations (big, small, public and private) have accepted that they need to commit money to the protection of their viability as an operating entity, then the awareness phase of information security is achieved," he said.

"Ideally, information security should be a part of our working lives, just like locking the front door when we leave the house in the morning. We should not be afraid, we should be aware of the consequences of our actions and inactions."

Vectra director of information security, Jo Stewart-Rattray also said it is a concern that the government agencies have not implemented top-level IT security policies.

"The commonwealth government is certainly trying to do the right thing. However, as is often the case, it is the individual agencies that are responsible for implementing such policy. Sometimes this is where the issues occur and sometimes those issues are budget related or in some cases skills related. There are very few organizations (in the private or public sector) that have all the ducks in a row."

Stewart-Rattray said that awareness of information security is generally higher in government than it is in the private sector.

"For example, the South Australian government has rolled out to its agencies its own Information Security Management Framework (ISMF) which is an information security governance framework based on risk management standard AS/NZ 7799," she said.

"There is a general understanding of the need for information security, both in Public and Private sectors, but there is less of an understanding as to what actually constitutes information security governance or indeed IT governance and how both of these should cascade from the overall governance framework of the organization."

The audit identified a number of opportunities for further improvement in agencies' policies and procedures relating to IT security management practices.

These included improving the content and processes for developing and maintaining IT security policy alignment with organizational risk management processes; ensuring a regular process exists within the IT security control framework to identify gaps between an agency IT environment and Australian government expectations; ensuring policies clearly identify the physical and environmental security controls and standards for managing IT equipment; ensuring performance reporting of network security practice is designed to make sure that security controls are adequately addressing IT security risks; and ensuring standards exist and are applied for the use of audit trails.

Most agencies agreed to the recommendations and are putting strategies in place to implement them.