Ineffective security measures in Western Australian government agencies are failing to protect sensitive staff and taxpayer information, according to an official security audit.
An examination of laptop security under the first half of a two-part Information Systems Audit Report, tabled in the WA Parliament, found 750 laptops had been lost by 56 government agencies at a cost of $828,030 over three years.
Of these, seven agencies that were closely examined were responsible for losing 608 of 28,150 laptops worth $641,134, excluding the possible loss of sensitive financial, medical, legal and educational records.
An average of 250 laptops were reported stolen each year by state government agencies.
By comparison, the NSW Department of Education CIO said some 30 laptops - issued to year 9 to 12 school children under the government's Digital Education Revolution Initiative - had been lost to date from more than 66,000 handed out last year. About six laptops were reported lost by the department in September last year.
The audit report found that Royal Perth Hospital and the Department of Commerce do not keep accurate records of laptops. It claimed that Perth hospital “could not provide any assurance on the number of its laptops, where they are or who had them” and possessed two conflicting record lists with a disparity of 277 devices. The Department of Commerce was found to have not kept records for 18 months.
“All seven agencies lacked comprehensive management, technical and physical controls over their laptops and portable storage devices to minimise the risk of them being lost or stolen and of sensitive information being accessed,” the report states.
Six of the seven agencies failed auditor expectations by not enforcing access controls for laptops or portable devices that would help prevent sensitive data leaving the organisation. The WA Police received praise for encrypting all outgoing sensitive information.
The auditor found critical software vulnerabilities across each of the seven agencies due to a lack of patching. WorkCover was the only agency to enable laptop firewalls, which help stop computers from carrying infections picked up on insecure networks into the corporate environment.
The second part of the report, tabled by acting auditor general Glen Clarke, blasted the agencies for poor application and general computer controls.
Out of the 52 agencies investigated, two had stored unsecured credit card data — one via a network “accessible by any user” and the other within an application — in direct violation of the Payment Card Industry (PCI) Data Security Standard.
Auditors were able to access sensitive information through “highly privileged” accounts that were accessed by simple password guessing. One agency allowed users to access accounts with a single character password that did not expire.
Thousands of sensitive records were cracked with the same basic password guessing in “several agencies”.
Auditors were able to manipulate staff and contractor paychecks stored in freely accessible folders before they were processed.
Another unnamed agency sent out names and addresses of clients to external contractors, and many were found to lack basic account access controls that stop users from accessing inappropriate sensitive data, or even creating administration accounts without approval.
Boot passwords were scarcely employed by the agencies, leaving laptop hard disks vulnerable to hacking. Contractor service level agreements were found to be not enforced by another agency.
Weak access controls were found in 41 per cent of agencies, followed by poor network security in 23 per cent, policies and procedures, password control, and physical security.
Despite the widespread failure in security measures, Clarke was advised that the previous 2009 report was an “important benchmark for agencies”. The current report cited improvements of between 10 and 15 per cent, although many were below auditor expectations.
Penetration testing firm Securus Global CEO, Drazen Drazic, said the results — with the exception of lost laptops — are not “too surprising” and are roughly consistent with the private sector.
“The issue about management and governance is key. Risk management 101 is knowing what you have and where it is,” Drazic said.
The full report can be accessed on the Office of the Auditor General for Western Australia website.