Victorian public-service executives ignoring warnings on IT security processes, end-of-life software: auditor

The IT-security attitudes of Victorian public-service agencies and departments are again being questioned after a report from the Victorian Auditor-General's Office (VAGO) concluded that departmental executives' ongoing failure to improve identity and access management (IAM) and other processes have put most Victorian state government agencies at a significant security risk.

Fully 68 percent of the audit's findings related to IT-security issues, representing an increase of 1 percent over last year's inaugural ICT Controls Report 2013-14 and a 2013 audit that identified 58 major IT-security issues in the state's security defences.

Poor user access management was the single biggest problem identified in this year's audit, accounting for nearly 30 percent of issues identified in VAGO's audit of 45 state agencies running 65 financial IT applications.

Maturity assessments of each agency's identity and access management (IAM) and software licensing practices showed significant deficiencies, with the worst-case scenario identified as an “extreme-risk audit finding relating to authentication and password controls”.

Password controls had generally not been updated to reflect specific guidance introduced through mandatory new Victorian government policies in late 2013, with VAGO noting “a large number of issues related to password controls....This is disappointing given that the Victorian Government IT security standards have been in effect for the full financial year, and agencies have had time to develop an implementation plan.”

Indeed, 462 new and previously identified audit deficiencies were identified in this year's review – including 285 unique findings, 133 findings across shared IT environments, and 44 identified from IT service assurance reports.

Three root causes of IAM deficiencies were identified, including a poor understanding or documentation of what access has been provided to users; human oversights including a lack of notification when users change roles; and inadequate periodic reviews of security controls.

“More often than not, periodic reviews are conducted by management but are not sufficiently effective to eliminate instances of excessive access provided,” the report found. “In some instances, periodic reviews only focused on certain elements of the IT infrastructure, resulting in control limitations.”

Some 53 percent of agencies were running IT systems that were nearing or past their end of life, the majority of which related to “key financial systems” and desktop operating systems like Windows XP and Server 2003 (for which Victorian IT provider CenITex recently paid $4.4m to obtain extended support from Microsoft).

Repeated warnings about IT security over several years have failed to produce concrete change, VAGO found – in particular noting “limited progress” in upgrading end-of-life systems. VAGO blamed agency managers that, the auditors concluded, need to “review these assurance reports with greater rigour and to acquit and take ownership over the weaknesses” identified in them.

In last year's audit, many managers wrongly believed that outsourcing elements of their IT transferred IT-security risk to the outsourcer and – despite some progress – this year's results “worryingly” showed “pockets of limited awareness and acceptance, including high-risk entities, of the risks and responsibilities associated with outsourced arrangements”.

Statutory limitations were limiting the jurisdiction of VAGO – which had been prevented from auditing some cloud infrastructure by a private-sector service provider, preventing it from reviewing the controls around prevention and management of payroll errors.

The analysis noted three “clear emerging themes” when it came to government security protections: that management and oversight of IT controls by external service providers requires improvement; that audited entities are continuing to use aging geing systems that will soon be unsupported by their vendors; and that weaknesses in IT security controls comprise “a large number” of the IT audit findings.

VAGO offered several recommendations to address these issues, including training and education on the evolving Victorian Protective Data Security Standards when they are finalised; that the Department of Premier & Cabinet monitor use of near end-of-life IT platforms; and that agencies' governing bodies improve governance and monitoring mechanisms including ensuring the continuity of vendor support for systems approaching their end of life.