A low level of data security awareness among staff across ACT government agencies has increased the risk of data breaches in the territory, according to the ACT Audit Office.
Auditor-general Michael Harris on Friday released a scathing report on data security — the same day the prime minister announced that a state-based cyber actor has been targeting Australian governments and critical infrastructure for several months.
Harris slammed ACT agencies for falling short in data-security management.
“ACT government agencies have not clearly understood the risks and requirements of securing sensitive data, and are not well placed to respond to a data breach or loss of critical business systems,” he said.
Agencies haven’t implemented effective governance and administrative arrangements set out by the ICT Security Policy and the ACT Protective Security Policy Framework, which has left the ACT Public Service ill-equipped to “understand what data agencies are responsible for, the risks of this data being breached, and controls to be implemented across government to manage this risk”, the audit found.
There was a low level of data security awareness among staff in most audited agencies, increasing “the likelihood of a data breach and its potential impact”, according to the report. There was also widespread use of high-risk cloud services by agency users, which could risk exposing sensitive or personal data “often with little recourse available”.
“More education is needed that is targeted at the needs of agencies, and specific groups of users such as privileged and senior executive users,” the report stated.
The report noted 89% of critical ICT systems didn’t have a current system security risk management plan that demonstrated and documented data security risks and controls, and it was not known if there was a recovery plan in place for most critical ICT systems.
Shared Services — which sits within the Chief Minister, Treasury and Economic Development Directorate — was established in 2007 to provide a range of corporate services to all ACT government agencies, including ICT, records management, and finance.
While all agencies must comply with Shared Services’ ICT Security Policy, Harris pointed out that agencies don’t need to demonstrate their compliance.
The report noted that Shared Services did have effective tools and processes to help agencies manage data security risks.
“However, as agencies have not effectively managed the security status of their systems, and Shared Services is experiencing a significant backlog of security assessments, Shared Services and agencies are not presently well placed to address gaps in data security risk management in a timely manner,” it said.
There were “significant delays” in completing security plans. On average, it took Shared Services more than three months to commence a critical ICT system security assessment, and almost eight months to complete a critical ICT system security risk management plan with ACT agencies.
Agencies also failed to notify Shared Services of the security classification of 65% of government agency ICT systems, Harris noted.
“This makes it difficult to prioritise security protection activities,” he said.
Harris made nine recommendations, including updates to various cyber security policies and frameworks. Other suggestions included the development of:
- A whole-of-government (WoG) data security risk assessment,
- A WoG data security strategy and plan, which would set out the roles and duties of agencies responsible for managing and improving data security across the ACT; any related WoG plans for addressing specific data security issues; and the activities and resources needed to improve data security for the ACT government; and which would identify the chief digital officer (Bettina Konti) as the senior executive in charge of implementing the strategy,
- Data security training that considers the specific training needs for all users, privileged users and executives, and addresses the risk of using “unsanctioned methods” of sharing sensitive personal data.