Even though the Australian government may have an effective IT
security framework, a recent report shows that certain government
agencies are not living up to it, highlighting a great concern.
The Australian National Audit Office (ANAO) IT security management
audit report assessed eight government agencies, including the
Department of Immigration and Multicultural and Indigenous Affairs,
Bureau of Meteorology, ComSuper, and the Department of Environment
and Heritage.
The report found that overall, the agencies had not implemented
effective policies, practices and processes to ensure their IT
security policy met with government standards.
Only two agencies could demonstrate suitable processes to assess
system compliance with their IT security policy and government
requirements as well as processes for managing exceptions and
variations.
The ANAO report also found that most agencies did not maintain key
IT operational procedures and configuration documentation. This was
particularly evident of agencies that had contracted to third-party
service providers for the provision of IT and/or IT security
services.
Australian Computer Society Vice President and KPMG global chief
operating officer, information risk management, Kumar Parakala,
said the audit findings are of concern.
"I have found the commonwealth government is leading the Asia
Pacific in terms of its policy framework for IT and information
security, but it is important that all the agencies are executing
the policies consistently to the benchmark that is set by the
government," he said.
"Deficiencies would have a direct impact on the service delivery of
the government."
Parakala believes that the solution lies in integrating IT security
governance in the corporate governance responsibilities of an
organization, ultimately reporting to the CEO.
"If someone is willfully damaging government property it is a very
serious matter and the police get involved. Those sorts of security
responsibilities have been very clearly defined, dealt out and
managed. But IT security is not taken equally as seriously," he
said.
"IT security breaches can in fact have greater set-backs to
organizations than physical security breaches."
Frost & Sullivan security analyst James Turner has a slightly
different take.
"IT security and information security should not be in such a hurry
to become a boardroom issue, because the business will have its own
challenges that need attention," he said.
Instead, his suggestion is for managers and executives dealing with
risk, compliance, governance and information security is to make a
noise about this issue in order to "loosen up the purse strings".
"Once Australian organizations (big, small, public and private)
have accepted that they need to commit money to the protection of
their viability as an operating entity, then the awareness phase of
information security is achieved," he said.
"Ideally, information security should be a part of our working
lives, just like locking the front door when we leave the house in
the morning. We should not be afraid, we should be aware of the
consequences of our actions and inactions."
Vectra director of information security, Jo Stewart-Rattray also
said it is a concern that the government agencies have not
implemented top-level IT security policies.
"The commonwealth government is certainly trying to do the right
thing. However, as is often the case, it is the individual agencies
that are responsible for implementing such policy. Sometimes this
is where the issues occur and sometimes those issues are budget
related or in some cases skills related. There are very few
organizations (in the private or public sector) that have all the
ducks in a row."
Stewart-Rattray said that awareness of information security is
generally higher in government than it is in the private sector.
"For example, the South Australian government has rolled out to its
agencies its own Information Security Management Framework (ISMF)
which is an information security governance framework based on risk
management standard AS/NZ 7799," she said.
"There is a general understanding of the need for information
security, both in Public and Private sectors, but there is less of
an understanding as to what actually constitutes information
security governance or indeed IT governance and how both of these
should cascade from the overall governance framework of the
organization."
The audit identified a number of opportunities for further
improvement in agencies' policies and procedures relating to IT
security management practices.
These included improving the content and processes for developing
and maintaining IT security policy alignment with organizational
risk management processes; ensuring a regular process exists within
the IT security control framework to identify gaps between an
agency IT environment and Australian government expectations;
ensuring policies clearly identify the physical and environmental
security controls and standards for managing IT equipment; ensuring
performance reporting of network security practice is designed to
make sure that security controls are adequately addressing IT
security risks; and ensuring standards exist and are applied for
the use of audit trails.
Most agencies agreed to the recommendations and are putting
strategies in place to implement them.
|
icon.
