Computerworld

ACT Shared Services works to block shadow IT

Audit warns of security risks from use of unregistered cloud services

The ACT government’s shared services agency says a project is underway that will help block the use of unauthorised cloud systems by the territory’s directorates.

Scrutiny by the ACT’s auditor-general revealed that while a tool intended to identify unregistered cloud systems used by the territory’s agencies had been rolled out, as of 30 June 2018 its reporting application had yet to be put into use.

The ACT Audit Office late last month released the results of its 2017-18 examination of controls implemented by agencies over IT systems that contribute to their financial reporting.

Overall the audit concluded that although key controls over the relevant systems were “satisfactory,” there were a range of weaknesses that could increase the risk of errors, fraud and data breaches.

Those weaknesses related to patch management and application whitelisting, as well as user access management and managing the risks associated with the use of cloud services.

The Audit Office said that it had informed the ACT Shared Services agency of three cloud systems classified as ‘government critical’ and six classified as ‘business critical’ that had not been formally assessed for security risks.

Shared Services ICT policy requires the development of a security plan if a system is categorised as government critical, business critical or essential infrastructure; handles sensitive government information; or is a public ACT government website.

The audit report also revealed that a mechanism allowing agencies to “block extreme-risk shadow IT systems (i.e. unregistered IT systems and cloud services) and warn employees” was yet to be implemented.

“These weaknesses increase the risk of agency data held in cloud based systems not being adequately protected from unauthorised and fraudulent access,” the report said.

“While the responsibility to complete risk assessments and System Security Plans (SSP) remains with the directorates, Shared Services will provide business owners with assistance to complete these risk assessments and SSPs for ‘Government Critical’ or ‘Business Critical’ cloud systems,” Shared Services said in its response to the findings.

“Shared Services will commence using the Cloud Access Security Broker (CASB) tool to detect unregistered cloud systems from July 2019 with the completion of the ‘Better Government - Boosting Digital Security’ project.”

The project will allow the agency to “alert directorates to the use of extreme/high risk shadow IT systems” and enable the services to be blocked.
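The mechanism the audit describes, detecting unregistered cloud services from network traffic, rating them, alerting on high-risk use and blocking extreme-risk use, is the core of what a CASB does in discovery mode. The script below is an added example and is not code from ACT Shared Services, the Audit Office or any CASB product; it shows the same logic run over a few constructed web-proxy log lines. The registry of assessed systems (`REGISTERED`), the risk catalogue (`RISK_CATALOGUE`), the hostnames, the usernames and the log format (`timestamp user destination-host action`) are all hypothetical.

```python
"""Shadow-IT discovery over constructed web-proxy log lines.

Added example, not ACT Shared Services' code or that of the CASB tool
the article mentions. Every hostname, user and policy value is assumed.
"""
import re

# Hypothetical registry: cloud systems that have a completed System
# Security Plan. Traffic to these is "registered" and simply allowed.
REGISTERED = {
    "mail.example.gov.au",
    "files.example-saas.com",
}

# Hypothetical risk catalogue for cloud services that have been seen
# but never formally assessed. Anything not listed here (and not
# registered) is treated as "high" so it is surfaced to the directorate
# rather than silently allowed or silently blocked.
RISK_CATALOGUE = {
    "paste.example.net": "extreme",        # anonymous paste/upload site
    "share.example-cloud.io": "high",      # consumer file sharing
    "notes.example-app.com": "medium",     # note-taking SaaS
}
DEFAULT_RISK = "high"

# Policy: block extreme-risk services, alert on high-risk ones, just
# record the rest. Mirrors "alert ... and enable the services to be blocked".
POLICY = {"extreme": "block", "high": "alert", "medium": "log", "low": "log"}

# Assumed proxy log format: ISO timestamp, user, destination host, action.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<host>[A-Za-z0-9.-]+)\s+(?P<action>ALLOW|DENY)$"
)


def classify(host):
    """Return 'registered' or the risk rating of an unregistered host."""
    if host in REGISTERED:
        return "registered"
    return RISK_CATALOGUE.get(host, DEFAULT_RISK)


def decide(risk):
    """Map a risk rating to the action the CASB should take."""
    if risk == "registered":
        return "allow"
    return POLICY.get(risk, "alert")


def analyse(lines):
    """Aggregate proxy lines per destination host.

    Returns (findings, skipped): findings maps host -> record with the
    risk rating, decided action, hit count and set of users; skipped is
    the number of lines that did not match the expected format.
    """
    findings = {}
    skipped = 0
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            skipped += 1
            continue
        host = m["host"].lower()
        risk = classify(host)
        rec = findings.setdefault(
            host, {"risk": risk, "action": decide(risk), "hits": 0, "users": set()}
        )
        rec["hits"] += 1
        rec["users"].add(m["user"])
    return findings, skipped


def block_list(findings):
    """Hosts whose decided action is 'block', ready for a proxy deny rule."""
    return sorted(h for h, r in findings.items() if r["action"] == "block")


def alerts(findings):
    """Human-readable alerts for unregistered high/extreme-risk usage."""
    out = []
    for host, r in sorted(findings.items()):
        if r["action"] in ("block", "alert"):
            out.append(f"{r['action'].upper()}: {host} ({r['risk']} risk) "
                       f"used {r['hits']}x by {', '.join(sorted(r['users']))}")
    return out


# Constructed sample log (not real ACT traffic).
SAMPLE_LOG = """\
2018-06-30T09:01:12Z jsmith mail.example.gov.au ALLOW
2018-06-30T09:03:47Z jsmith paste.example.net ALLOW
2018-06-30T09:05:02Z abrown share.example-cloud.io ALLOW
2018-06-30T09:06:30Z cjones paste.example.net ALLOW
2018-06-30T09:07:15Z abrown unknown-drive.example.org ALLOW
2018-06-30T09:08:00Z dlee notes.example-app.com ALLOW
this line is malformed and is counted, not silently dropped
""".splitlines()

if __name__ == "__main__":
    found, bad = analyse(SAMPLE_LOG)
    for line in alerts(found):
        print(line)
    print("block list:", block_list(found))
    print("unparsed lines:", bad)
```

The two design points worth copying are the default for unknown hosts and the malformed-line counter: a discovery tool that quietly treats an unknown SaaS as safe, or that drops lines it cannot parse without saying so, reproduces exactly the blind spot the audit is complaining about. The registered set here is a plain Python set; in practice it would be exported from the same register that records which systems have a completed SSP, so the two cannot drift apart.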