Even though the Australian government may have an effective ITsecurity framework, a recent report shows that certain governmentagencies are not living up to it, highlighting a great concern.
The Australian National Audit Office (ANAO) IT security managementaudit report assessed eight government agencies, including theDepartment of Immigration and Multicultural and Indigenous Affairs,Bureau of Meteorology, ComSuper, and the Department of Environmentand Heritage.
The report found that overall, the agencies had not implementedeffective policies, practices and processes to ensure their ITsecurity policy met with government standards.
Only two agencies could demonstrate suitable processes to assesssystem compliance with their IT security policy and governmentrequirements as well as processes for managing exceptions andvariations.
The ANAO report also found that most agencies did not maintain keyIT operational procedures and configuration documentation. This wasparticularly evident of agencies that had contracted to third-partyservice providers for the provision of IT and/or IT securityservices.
Australian Computer Society Vice President and KPMG global chiefoperating officer, information risk management, Kumar Parakala,said the audit findings are of concern.
“I have found the commonwealth government is leading the AsiaPacific in terms of its policy framework for IT and informationsecurity, but it is important that all the agencies are executingthe policies consistently to the benchmark that is set by thegovernment,” he said.
“Deficiencies would have a direct impact on the service delivery ofthe government.”
Parakala believes that the solution lies in integrating IT securitygovernance in the corporate governance responsibilities of anorganization, ultimately reporting to the CEO.
“If someone is willfully damaging government property it is a veryserious matter and the police get involved. Those sorts of securityresponsibilities have been very clearly defined, dealt out andmanaged. But IT security is not taken equally as seriously,” hesaid.
“IT security breaches can in fact have greater set-backs toorganizations than physical security breaches.”
Frost & Sullivan security analyst James Turner has a slightlydifferent take.
“IT security and information security should not be in such a hurryto become a boardroom issue, because the business will have its ownchallenges that need attention,” he said.
Instead, his suggestion is for managers and executives dealing withrisk, compliance, governance and information security is to make anoise about this issue in order to “loosen up the purse strings”.
“Once Australian organizations (big, small, public and private)have accepted that they need to commit money to the protection oftheir viability as an operating entity, then the awareness phase ofinformation security is achieved,” he said.
“Ideally, information security should be a part of our workinglives, just like locking the front door when we leave the house inthe morning. We should not be afraid, we should be aware of theconsequences of our actions and inactions.”
Vectra director of information security, Jo Stewart-Rattray alsosaid it is a concern that the government agencies have notimplemented top-level IT security policies.
“The commonwealth government is certainly trying to do the rightthing. However, as is often the case, it is the individual agenciesthat are responsible for implementing such policy. Sometimes thisis where the issues occur and sometimes those issues are budgetrelated or in some cases skills related. There are very feworganizations (in the private or public sector) that have all theducks in a row.”
Stewart-Rattray said that awareness of information security isgenerally higher in government than it is in the private sector.
“For example, the South Australian government has rolled out to itsagencies its own Information Security Management Framework (ISMF)which is an information security governance framework based on riskmanagement standard AS/NZ 7799,” she said.
“There is a general understanding of the need for informationsecurity, both in Public and Private sectors, but there is less ofan understanding as to what actually constitutes informationsecurity governance or indeed IT governance and how both of theseshould cascade from the overall governance framework of theorganization.”
The audit identified a number of opportunities for furtherimprovement in agencies’ policies and procedures relating to ITsecurity management practices.
These included improving the content and processes for developingand maintaining IT security policy alignment with organizationalrisk management processes; ensuring a regular process exists withinthe IT security control framework to identify gaps between anagency IT environment and Australian government expectations;ensuring policies clearly identify the physical and environmentalsecurity controls and standards for managing IT equipment; ensuringperformance reporting of network security practice is designed tomake sure that security controls are adequately addressing ITsecurity risks; and ensuring standards exist and are applied forthe use of audit trails.
Most agencies agreed to the recommendations and are puttingstrategies in place to implement them.