Friday 2 April 2010

And these are some of the bureaucrats that the Australian Health Minister expects to have access to a national personal health infomation data base


Fifty-two per cent of the agencies
we assessed using capability models had not established
effective controls to manage IT risks, information security
and business continuity. Thirty-one per cent of agencies had
not established effective change controls and 33 per cent
had not established effective controls for management of
physical security [Information Systems Audit Report, March 2010]

On 26 March 2010 Computer World reported on Part Two of a West Australia Government Information Systems Audit Report covering 56 government agencies including the WA Health Department:

Ineffective security measures in Western Australian government agencies are failing to protect sensitive staff and taxpayer information, according to an official security audit....

The audit report found that Royal Perth Hospital and the Department of Commerce do not keep accurate records of laptops. It claimed that Perth hospital "could not provide any assurance on the number of its laptops, where they are or who had them" and possessed two conflicting record lists with a disparity of 277 devices....

"All seven agencies lacked comprehensive management, technical and physical controls over their laptops and portable storage devices to minimise the risk of them being lost or stolen and of sensitive information being accessed," the report states.

Six of the seven agencies failed auditor expectations by not enforcing access controls for laptops or portable devices that would help prevent sensitive data leaving the organisation. The WA Police received praise for encrypting all outgoing sensitive information.

The auditor found critical software vulnerablilities across each of the seven agencies due to a lack of patching. WorkCover was the only agency to enable laptop firewalls to protect computers from introducing potential infections from insecure networks into the corporate environment.

The second part of the report, tabled by acting auditor general Glen Clarke, blasted the agencies for poor application and general computer controls.

Out of the 52 agencies investigated, two had stored unsecured credit card data — one via a network "accessible by any user" and the other within an application — in direct violation of the Payment Card Industry (PCI) Data Security Standard.

Auditors were able to access sensitive information through "highly privileged" accounts that were accessed by simple password guessing. One agency allowed users to access accounts with a single character password that did not expire.

Thousands of sensitive records were cracked with the same basic password guessing in "several agencies".

Auditors were able to manipulate staff and contractor paychecks stored on freely accessible folders before they were processed.

Another unnamed agency sent out names and addresses of clients to external contractors, and many were found to lack basic account access controls that stop users from accessing inappropriate sensitive data, or even creating administration accounts without approval.

Boot passwords were scarcely employed by the agencies, leaving laptop hard disks vulnerable to hacking. Contractor service level agreements were found to be not enforced by another agency.

Weak access controls were found in 41 per cent of agencies, followed by poor network security in 23 per cent, polices and procedures, password control, and physical security.

No comments: