Australian audit office finds agencies lax on information security

Both the agencies and auditors agree: poor information security practices are in place within the Australian government

The four agencies singled out for poor information security practices were the Australian Office of Financial Management, ComSuper (which administers the government pension scheme), Medicare Australia, and the Department of the Prime Minister and the Cabinet.

The audit found that the agencies had “out-of-date” information security policies, third-party software applications were not regularly assessed for required patches, administrator and service accounts did not use complex passwords for network access, and some agencies used public web-based email services.

Regarding the last security lapse, the ANAO said that web-based email services “can provide an easily accessible point of entry for an external attack and subject the agency to the potential for intended or unintended information disclosure. Webmail accounts were accessible in one of the audited agencies, and logs showed that some staff were using these accounts on a regular basis.”

The report offered four recommendations to improve information security at these agencies. First, each agency should compile or update their standard operating procedures for information security officers. Second, software applications should be assessed regularly for the availability of patches and then patched when necessary. Third, agencies should implement “suitably complex password configurations to reduce the potential for inappropriate access.” Fourth, public web-based email services should be blocked on agency networks.

The four agencies concurred with the ANAO’s recommendations. In particular, the Department of the Prime Minister and the Cabinet commented: “the protection and security of electronic information by Australian Government agencies is of increasing importance. Recent events surrounding the unauthorized release of classified US information, as well as the increasing incidents of cyber attacks are a stark reminder of the damage that poor information security can do to Australia’s national interests.”
