26 September 2023

Auditor finds data security insecure


A performance audit into Data Security at ACT Government Agencies has found that Agencies’ compliance with the key requirements of the Territory’s Information and Communications Technology (ICT) Security Policy was lacking.

In his report No. 3/2020, Data Security, Auditor-General Michael Harris says the ACT’s Government Agencies have not clearly understood the risks and requirements of securing sensitive data, and are not well placed to respond to a data breach or loss of critical business systems.

“Shared Services have established a comprehensive ICT Security Policy, which all Agencies must comply with under the ACT Protective Security Policy Framework,” Mr Harris said.

“However, Agencies currently do not need to demonstrate their compliance with this policy.”

He said 89 per cent of critical ICT systems did not have a current system security risk management plan that demonstrated and documented their data security risks and controls.

Mr Harris said there were significant delays in completing security plans.

“On average it took Shared Services over three months to commence a critical ICT system security assessment,” he said.

“It would then take Shared Services and ACT Government Agencies on average almost eight months to complete a critical ICT system security risk management plan.”

He said prioritising security protection activities was difficult because Shared Services had not been notified of the security classification of 65 per cent of Agencies’ ICT systems.

Mr Harris made nine recommendations including that Shared Services in the Chief Minister, Treasury and Economic Development Directorate (CMTEDD) and the Security and Emergency Management Branch of the Justice and Community Safety Directorate (JACS) develop a whole-of-Government data security risk assessment.

He also recommended Shared Services revise and update the ICT Security Policy; address the backlog of security risk management plan assessments; and require Agencies to report on the currency of their systems' security risk management plans.

Mr Harris made further recommendations to JACS’ Security and Emergency Management Branch and CMTEDD’s Office of the Chief Digital Officer.

The Auditor-General’s 93-page report can be accessed at this PS News link.
