New South Wales government departments have been given a clean bill of IT security health by the auditor-general, but several recommendations for future preventative care have been issued.
In his report, NSW Auditor-General, Peter Achterstraat, said [[xref: http://www.audit.nsw.gov.au/publications/reports/financial/2011/Vol01/pdfs/electronic_information_security_volume_1_2011.pdf| that while testing performed by experts found no major security flaws, several opportunities to improve electronic information security existed|new]].
This includes the government database access not being secured in Web applications, potentially leaving databases open to SQL injection attacks and consequently, data theft.
In addition, the failure to terminate remote access sessions, transmission of data between systems and remote applications in easily read and modifiable form, weak encryption methods, login credentials stored by the user’s Web browser, and out of date operating system software with known vulnerabilities were also identified as areas where IT security could be improved.
The recommendations are a result of an Electronic Information Security audit released on 20 October 2010, which slammed the NSW government’s security practices.
“The criterion for that audit was that the government should be able to show that those systems, which hold personal information, are certified to comply with the international Information Security Management Systems standard - ISO27001,” said Achterstraat in the report.
Experts were employed to conduct penetration testing and high-level scanning of email content on two agencies that are currently certified to the ISO27001 standard.
Checks were also done to ensure that personal information held on selected databases was adequately protected from unauthorised access, and unencrypted sensitive personal information was rarely emailed outside the selected agencies.
The testing revealed no major security flaws in either agency.
“This positive outcome suggests that the international standard is a good basis for building strong electronic information security,” said Achterstraat.
“I also concluded that penetration testing and email scanning are worthwhile tools to identify security issues and obtain assurance of robust defences against unauthorised access to data.”
Follow Hamish Barwick on Twitter: @HamishBarwick
Follow Computerworld Australia on Twitter: @ComputerworldAU