Key ACT govt systems rely on unsupported OSes

A number of key IT systems used by ACT government agencies rely on operating systems that are no longer supported by their vendors.

The territory’s auditor-general, Dr Maxine Cooper, today released a report that scrutinised the IT systems employed by agencies to prepare their 2016-17 financial statements.

The audit found that of the 106 servers assessed, around 9 per cent were running unsupported operating systems.

Although that represents a decrease from 2015-16 figures, when almost a third of servers ran unsupported OSes, “the continued use of unsupported operating systems on servers is a risk to the security and performance of the ACT Government network including the applications on the network,” the report states.

The audit found reliance on outdated operating systems at five government directorates: Chief Minister, Treasury and Economic Development Directorate; the Community Services Directorate; the Environment, Planning and Sustainable Development Directorate; the Health Directorate; and the Transport Canberra and City Services (TCCS) Directorate.

In their responses to the audit, the directorates indicated the systems involved had either been decommissioned or plans for their decommissioning were under way.

The exception was the TransIS system employed by Roads ACT. TransIS is owned and operated by the NSW government and provides traffic data sharing services.

TCCS said it “continues to monitor system performance and work with the NSW Government in the future of the system”.

“However, there are currently no plans by the NSW Government to upgrade or replace the current system,” it said in a statement.

“This system remains stable and reliable with no significant downtime being recorded. TCCS has assessed the risk of system failure as ‘low to medium’ and continues to monitor.”

Other systems relying on unsupported operating systems included a storage and backup system within the Chief Minister, Treasury and Economic Development Directorate, the ACT land titles business system, a biomedical engineering equipment maintenance system, an endoscopy reporting system and a medical transcription system.

ACT Shared Services said that it had a program to progressively decommission the use of unsupported operating systems on servers where possible.

“In addition, Shared Services has identified that all servers on the ACT Government network either use supported operating systems, or have an ICT Security approved vulnerability mitigation solution in place,” the agency said.

“Shared Services undertook a program to deploy Trend Deep Security agent to all servers with unsupported operating systems in mid-2016 to protect the servers against any threats.”

The rollout of Trend Deep Security began in late 2016 and is ongoing.

The audit found a number of other deficiencies, including 15 generic user accounts in use across government that had not had password changes since 1999.

The full report (PDF) is available online.