Expect many a raised eyebrow when people catch up with the Australian National Audit Office’s assessment of government departments and their continuing dodgy implementation of information security rules.

There are still departments that have not got their act together to ensure they implement all of their cyber security measures at a time when governments and their agencies are encouraging the average person to do the same with their data.

How embarrassing is it for a government that quite justifiably wags its finger at the private sector over hacks that leak millions of records to be told, publicly but professionally, that it still has not got its own act in order?

The substantive criticism from the ANAO relates to the lack of proper termination of access for those who no longer work in a department. Failure to lock the door after somebody has left means that government departments have data that could still be at risk depending on the authorisation level the departed public servant had while employed.

“The ANAO assessed termination controls in place at 144 relevant government entities and found that 53 entities do not have a policy encompassing user access removal or that define the timeframe access should be removed from systems following a user’s departure from the entity,” the report says.

“A lack of policies related to user access removal increases the risk that access will not be removed in a timely manner and may be inappropriately used to access information.”

The report cites key public service references on this issue, such as the Information Security Manual and the Protective Security Policy Framework, just to make sure there can be no misunderstanding of precisely what the ANAO is pointing its finger at.

There were 35 entities found to have made life difficult for themselves because their human resources systems could not record a departure after it had happened.

“Of the entities reviewed, 35 entities do not allow for the HR systems to enter terminations after cessation,” the report says.

“This was either due to system restrictions, or an assessment by the entity that it does not require backdated cessations as all users are identified and actioned on their last working day.”

The failure to allow backdated terminations means that an entity cannot monitor unauthorised access to its systems, and it can also result in inaccurate records.

One might hope the problems should end there but they don’t, according to the ANAO.

“The majority of entities assessed, 119 entities of 144 relevant entities, do not have an effective control to monitor access or activity in entities systems after user cessation,” the report says.

“Of these 144 entities, 14 entities currently have an open finding relating to terminations including seven which have been assessed as a moderate risk.”
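As an added illustration, not drawn from the ANAO report or this article, the two controls the report describes (backdated cessation entries and monitoring of access after a user has left) reconciled in Python over constructed HR records and log lines; every name, date, the log format and the one-day policy timeframe are assumptions:

```python
from datetime import date, datetime

# Constructed HR cessation records (hypothetical, not from the ANAO report).
# 'recorded' later than 'ceased' means the termination was entered after the fact.
HR_CESSATIONS = {
    "jsmith": {"ceased": date(2024, 3, 1), "recorded": date(2024, 3, 1)},
    "akhan": {"ceased": date(2024, 3, 4), "recorded": date(2024, 3, 11)},
}
# Constructed date each account was actually disabled (None = still enabled).
ACCOUNT_DISABLED = {"jsmith": date(2024, 3, 2), "akhan": None}
AS_OF = date(2024, 3, 15)  # constructed review date
# Constructed authentication log, one "<ISO timestamp> <user> <result>" per line.
AUTH_LOG = """\
2024-03-02T09:14:00 jsmith SUCCESS
2024-03-05T08:02:00 akhan SUCCESS
2024-03-06T10:00:00 bwong SUCCESS
2024-03-12T17:45:00 akhan SUCCESS
2024-03-13T07:30:00 akhan FAILURE
"""

def parse_auth_log(text):
    """Parse the log format above into (timestamp, user, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, result = line.split()
        events.append((datetime.fromisoformat(ts), user, result))
    return events

def post_cessation_access(hr, events):
    """Successful logins by a user after that user's HR cessation date.
    'before-hr-recorded' marks logins that are only detectable because HR could
    backdate the cessation; an entity that cannot backdate never sees them."""
    findings = []
    for ts, user, result in events:
        rec = hr.get(user)
        if rec is None or result != "SUCCESS" or ts.date() <= rec["ceased"]:
            continue  # unknown user, failed attempt, or still employed that day
        window = "before-hr-recorded" if ts.date() <= rec["recorded"] else "after-hr-recorded"
        findings.append((user, ts.isoformat(), window))
    return findings

def overdue_removals(hr, disabled, as_of, max_days=1):
    """Users whose access stayed enabled more than max_days past cessation (as of as_of)."""
    overdue = []
    for user, rec in hr.items():
        done = disabled.get(user)
        effective = done if done is not None else as_of
        if (effective - rec["ceased"]).days > max_days:
            overdue.append(user)
    return overdue
```

Running `post_cessation_access(HR_CESSATIONS, parse_auth_log(AUTH_LOG))` surfaces the 5 March login that only the backdated entry makes visible, and `overdue_removals(HR_CESSATIONS, ACCOUNT_DISABLED, AS_OF)` lists the account still enabled eleven days after its owner left.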