Friday, March 25, 2011

Security of Electronic Information Held by Australian Government Agencies

The Australian National Audit Office (ANAO) released a report on "The Protection and Security of Electronic Information Held by Australian Government Agencies" on 23 March 2011. The agencies audited were the Australian Office of Financial Management (AOFM), ComSuper, Medicare Australia and the Department of the Prime Minister and Cabinet (DPMC). The audit found the security measures were generally good, but recommended stronger administrator passwords and that public web-based email services, such as Gmail and Hotmail (and presumably Facebook), be blocked so that sensitive material cannot easily be sent out of agencies. The agencies agreed with the audit findings and undertook to implement the recommendations.

Overall, the audit concluded that the measures examined in the audited agencies to protect and secure electronic information were generally operating in accordance with Government protective security requirements. The agencies had established information security frameworks; had implemented controls to safeguard information, to protect network infrastructure and prevent and detect unauthorised access to information; and had controls in place to reduce loss, damage or compromise to ICT assets.

18. However, the audit did identify scope for the audited agencies to enhance their security measures in the following key areas:

  • information security policies and procedures need to be complete and up-to-date. Some agency policies and procedures were out-of-date, and each agency needed to compile or update their Standard Operating Procedures (SOPs) for ICT security officers. These policies and procedures assist in the consistent implementation of key ICT security measures, controls and practices;
  • third-party software applications should be regularly assessed for the availability of patches, and patches applied accordingly, to better protect their security, especially given their known vulnerability to attack. This was an issue identified in two of the four audited agencies;
  • administrator accounts and service accounts, which allow a high level of access across ICT systems, should use suitably complex password configurations to reduce the potential for inappropriate access. A password test applied by the ANAO had mixed results, showing weaknesses in passwords for administrator and service accounts in several agencies; and
  • emails using public web-based email services[18] should be blocked on agency ICT systems, as these can provide an easily accessible point of entry for an external attack and subject the agency to the potential for intended or unintended information disclosure. Webmail accounts were accessible in one of the audited agencies, and logs showed that some staff were using these accounts on a regular basis.

From: The Protection and Security of Electronic Information Held by Australian Government Agencies, Australian National Audit Office, 23 March 2011.
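The last recommendation rests on evidence from proxy logs ("logs showed that some staff were using these accounts on a regular basis"). As an added illustration of how an agency's security officer could produce that evidence, here is a small Python script, not from the ANAO report or the blog post, that scans web-proxy log lines for access to public webmail hosts and reports which users reach them on several distinct days. The log format (a simplified one-line-per-request layout), the list of webmail domains, the sample log lines and the "regular use" threshold are all constructed assumptions for the example.

```python
"""
Added example (not from the ANAO report or the blog post): detect staff use
of public webmail services from web-proxy logs, the kind of evidence the
audit relied on. Log format, domain list, sample lines and threshold are
assumptions made for this illustration.
"""
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Assumed block list: the webmail services named in the audit summary plus
# the blogger's "presumably Facebook". A host matches if it equals one of
# these domains or is a subdomain of it.
WEBMAIL_DOMAINS = ("gmail.com", "mail.google.com", "hotmail.com", "live.com", "facebook.com")

# Constructed sample log lines in an assumed simplified proxy format:
# <ISO timestamp> <user> <method> <url> <status>
SAMPLE_LOG = """\
2011-03-21T09:02:11 alice GET https://mail.google.com/mail/u/0/ 200
2011-03-21T09:15:40 bob GET https://intranet.agency.example/home 200
2011-03-22T13:44:02 alice POST https://mail.google.com/mail/u/0/?ui=2 200
2011-03-23T08:10:55 carol GET https://www.hotmail.com/ 200
2011-03-24T17:21:09 alice GET https://mail.google.com/mail/u/0/ 200
2011-03-24T17:25:30 dave GET https://www.facebook.com/ 302
"""


def host_is_webmail(host, domains=WEBMAIL_DOMAINS):
    """True if host is one of the listed webmail domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def parse_line(line):
    """Return (timestamp, user, host) for one log line, or None if it does not parse."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts_text, user, _method, url, _status = parts
    try:
        ts = datetime.fromisoformat(ts_text)
    except ValueError:
        return None
    host = urlsplit(url).hostname
    if not host:
        return None
    return ts, user, host


def webmail_usage(log_text):
    """Map each user to the set of distinct days on which they reached a webmail host."""
    days = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the whole scan
        ts, user, host = rec
        if host_is_webmail(host):
            days[user].add(ts.date())
    return days


def regular_users(log_text, min_days=2):
    """Users seen on webmail on at least min_days distinct days (threshold is an assumption)."""
    return sorted(u for u, d in webmail_usage(log_text).items() if len(d) >= min_days)


if __name__ == "__main__":
    for user, days in sorted(webmail_usage(SAMPLE_LOG).items()):
        print(f"{user}: webmail access on {len(days)} day(s)")
    print("regular users:", regular_users(SAMPLE_LOG))
```

Counting distinct days per user, rather than raw hits, separates a one-off visit from the habitual use the audit describes; the same per-user view is what a proxy block rule would then be checked against once webmail is denied.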

1 comment:

Tom Worthington said...

In the case of staff using private e-mail accounts at work, there would seem to be a simple solution: allow this via an agency provided (or endorsed) web interface. In other words private email could be used, provided the agency could read the messages.

It happens that I wrote the first draft of the guidelines for "Use Of The Internet By Defence Personnel" at the Australian Department of Defence in 1996.