An audit of Internet security within Federal Government agencies has found that risk management handled in-house by IT staff has proven more effective than that handled by external service providers.
The Australian National Audit Office (ANAO) report found: "Agencies managing Internet security in-house demonstrated a more holistic and comprehensive approach to documenting plans and security strategies. Agencies outsourcing delivery of some elements of their Internet presence demonstrated a more fragmented, and often incomplete, set of planning documentation."
While all 10 of the agencies involved in the audit had an IT security policy, the report found larger agencies "particularly those that managed their Internet presence using in-house resources" had comprehensive security and disaster recovery plans.
"Where Commonwealth Web sites were hosted and managed using in-house resources, the level of coordination and communication between relevant groups was substantially better than when site management was contracted to an external service provider," the report said.
It also found that outsourcing contracts contained nothing, or very little, to allow agency staff to audit the security provisions of their service providers.
Testing was undertaken as part of the audit in conjunction with the Defence Signals Directorate (DSD) and revealed that policy and procedures for the review of audit logs were "very poor". A full list of ANAO recommendations and a copy of the report are available at www.anao.gov.au.