ON the day that Australian governments and industry were targeted in a major cyber attack, the ACT auditor-general presented a report stating that ACT government agencies are vulnerable to cyber attacks.
ACT government agencies are not well placed to respond to a data breach or loss of critical business systems, according to the report on data security, presented by Michael Harris today (June 19).
Mr Harris presented the report to the speaker for tabling in the ACT Legislative Assembly, saying: “ACT Government agencies have not clearly understood the risks and requirements of securing sensitive data.”
“Shared services have established a comprehensive ICT Security Policy, which all agencies must comply with under the ACT Protective Security Policy Framework. However, agencies currently do not need to demonstrate their compliance with this policy,” he says.
The audit found that agency compliance with key mandatory requirements of the ACT government’s ICT Security Policy was lacking. The audit also found:
- 89 per cent of critical ICT systems did not have a current system security risk management plan that demonstrated and documented data security risks and controls.
- there are significant delays in completing security plans. On average it took Shared Services over three months to commence a critical ICT system security assessment and it would then take Shared Services and ACT government agencies on average almost eight months to complete a critical ICT system security risk management plan.
- agencies have not notified Shared Services of the security classification of 65 per cent of ACT government agency ICT systems. This makes it difficult to prioritise security protection activities.
- it is not known for most critical ICT systems if there is a recovery plan in place.
- there is widespread use of high-risk cloud services by agency users. This can expose sensitive or personal data to unauthorised external parties, often with little recourse available.
- there is a low level of data security awareness among staff in most agencies examined in the audit. This increases the likelihood of a data breach and its potential impact.
Providing secure means of handling data, both in transit and at rest, is a necessary requirement for providing online services to the community, the report said in its conclusion.
“Government agencies are held to a high standard of accountability for securing sensitive data on behalf of the community. Within the territory, there is a data security accountability framework set in place by legislation, policies and oversight functions to monitor compliance. ACT Government agencies need to securely manage the receipt, storage, transmission and destruction of data within this framework,” it said.