An audit of information technology security management in eight Commonwealth agencies has found a general failure to comply with government policy. In a report issued late last year, the Australian National Audit Office concluded that the audited agencies had identified government policies, practices and procedures for the protection of information, and their IT staff were aware of relevant legislation and compliance requirements.
However, the ANAO found that:
Most agencies had not implemented structured processes to ensure the effective alignment of IT security objectives with risk-management processes and Australian government policy, practices, and standards.
Only two agencies demonstrated suitable processes to assess system compliance with their IT security policy or government requirements.
Most agencies did not maintain key IT operational procedures and configuration documentation, particularly agencies that outsourced their IT services.
All audited agencies accepted the findings of the report, which made five recommendations, including that agencies should establish performance measures for IT security and periodically report against these measures.
A spokesman for the Special Minister for State, Eric Abetz, said that IT security was an internal management issue for agencies and not the responsibility of the Australian Government Information Management Office.
"Responsibility for IT security rests primarily with agency CEOs, acting on advice from the Defence Signals Directorate," the spokesman said. "AGIMO has no directive power - it can encourage and cajole but, ultimately, it must rely on agency CEOs to implement the arrangements."
All agencies of the Australian Government are required to comply with the Australian Government Information and Communications Technology Security Manual, maintained by DSD, and the Protective Security Manual issued by the Attorney-General's Department.
Abetz's spokesman said the ANAO had noted that some agency shortcomings had resulted from a strengthening of minimum standards in the Protective Security Manual. "The rules had been adjusted to make the system tighter and agencies had yet to catch up to these new arrangements," he said. "We consider that the general tightening-up in terms of what the Government's expectations are, is a good thing. The heads of agencies need to consider the security implications of their IT systems and devise policy and plans to ensure the systems are appropriately protected."
The Opposition's acting spokesman on communications and IT, Wayne Swan, said the ANAO report called into question the competence of the Minister for Information Technology, Communication and the Arts, Helen Coonan.
"It's of great concern that the Audit Office [has] rung alarm bells about the security of IT in the Howard Government," Swan said. "The security of the Commonwealth's information technology is central to the workings of government and cannot be neglected."
The attention drawn to IT security by the ANAO will strengthen growth in that sector of the market, said Kim James, a Canberra director of Intermedium, a consultancy that monitors the public sector IT market. "Intermedium believes that the ANAO report is likely to provide a boost to the IT security consulting market," she said.
Agencies published identifiable IT security consulting contracts worth about $2.3 million in both 2003-04 and 2004-05, but these were mainly responses to specific issues and were a "tiny" proportion of agencies' IT security outlays.
www.anao.gov.au