The report found that the limited information that is available indicates that two-thirds of NSW agencies have not complied with the government’s information security policy.
In 2007, the NSW government directed all agencies to comply with international information security management standard ISO/IEC 27001. However, three years later, this standard has not been adopted by most agencies.
“Agencies were told to get certified to the international standard, but there was no deadline, no effective monitoring, and no consequences if they didn’t”, said Auditor-General Peter Achterstraat.
The auditor-general noted that the NSW government has been issuing information security edicts to agencies for a decade, with little to show for the effort. For example, in 2001, agencies were directed to develop and implement information security policies and have their IT systems certified to the security standard. But by 2004, the government noted that not all agencies had complied with the 2001 directive.
The auditor’s report charged that there has been an absence of direction and leadership on the part of the government to ensure that citizens’ private information is held securely by agencies. “People often have no choice but to entrust their sensitive personal data to government. Government needs to ensure this information is secure, otherwise it could be stolen, records changed, privacy breached”, Achterstraat warned.
According to the report, a “fundamental re-think about electronic information security is needed…. IT security is going to get harder not easier. Technological change is speeding up. The level and sophistication of external threats is increasing. And to improve services efficiently, public sector agencies will need to make more use of the personal data they have and share more data with others.”
The report recommended that the NSW government implement a number of measures to improve information security among agencies:
First, the state’s Department of Premier and Cabinet should publish a new information and communication technology (ICT) strategy and establish new information security governance arrangements by June 2011.
Second, the NSW government should ensure that minimum information security standards, policies, and rules are established and agencies comply with them; that information security is built into public sector ICT systems; that a common and secure ICT infrastructure is used across the public sector; that the processes used by agencies are standardized; and that there is one central mechanism for establishing information security priorities and for sharing risk information and best practices across agencies.
Third, the government should strengthen accountability by ensuring that managers’ performance reviews reflect actions taken to improve information security; that mandatory training is provided to employees with access to sensitive personal information; that failure to apply information security protections could lead to disciplinary action; and that professional certification is required for staff or contractors working with sensitive information.
Fourth, the government should require that agencies publish information security performance in their annual reports to Parliament; that there is an independent monitoring process for compliance through audits and technical testing; and that agencies report breaches or near misses to an independent organization responsible for capturing incidents and ensuring investigations are conducted and lessons are learned.
The auditor-general’s report concluded that the NSW government “is not able to provide assurance that it is safeguarding its holdings of sensitive personal information because its policy has not been properly implemented. This is likely to remain the case until there are clear, mandatory, minimum standards that agencies sign up to, and scrutiny of performance against these standards is strengthened.”
In its response, the Department of Premier and Cabinet said the government “has in place a range of mechanisms directed toward the identification and management of information security risks. This includes legislation governing privacy, corruption and financial and records management, as well as NSW Treasury requirements in relation to audit, risk and asset management, procurement, financial management and annual reporting.”
The response stressed that the auditor-general’s report did not identify “any systemic information security problems” in the government, but admitted that “there is nevertheless the need to properly manage information security risks and consider future risks and possible problems.”
The Department of Premier and Cabinet weakly concluded that “it may be preferable to require agencies to implement security management systems consistent with international industry standards.”