Even though the Australian government may have an effective IT security framework, a recent report shows that certain government agencies are not living up to it, highlighting a great concern.
The Australian National Audit Office (ANAO) IT security management audit report assessed eight government agencies, including the Department of Immigration and Multicultural and Indigenous Affairs, Bureau of Meteorology, ComSuper, and the Department of Environment and Heritage.
The report found that overall, the agencies had not implemented effective policies, practices and processes to ensure their IT security policy met with government standards.
Only two agencies could demonstrate suitable processes to assess system compliance with their IT security policy and government requirements as well as processes for managing exceptions and variations.
The ANAO report also found that most agencies did not maintain key IT operational procedures and configuration documentation. This was particularly evident of agencies that had contracted to third-party service providers for the provision of IT and/or IT security services.
Australian Computer Society Vice President and KPMG global chief operating officer, information risk management, Kumar Parakala, said the audit findings are of concern.
"I have found the commonwealth government is leading the Asia Pacific in terms of its policy framework for IT and information security, but it is important that all the agencies are executing the policies consistently to the benchmark that is set by the government," he said.
"Deficiencies would have a direct impact on the service delivery of the government."
Parakala believes that the solution lies in integrating IT security governance in the corporate governance responsibilities of an organization, ultimately reporting to the CEO.
"If someone is willfully damaging government property it is a very serious matter and the police get involved. Those sorts of security responsibilities have been very clearly defined, dealt out and managed. But IT security is not taken equally as seriously," he said.
"IT security breaches can in fact have greater set-backs to organizations than physical security breaches."
Frost & Sullivan security analyst James Turner has a slightly different take.
"IT security and information security should not be in such a hurry to become a boardroom issue, because the business will have its own challenges that need attention," he said.
Instead, his suggestion is for managers and executives dealing with risk, compliance, governance and information security is to make a noise about this issue in order to "loosen up the purse strings".
"Once Australian organizations (big, small, public and private) have accepted that they need to commit money to the protection of their viability as an operating entity, then the awareness phase of information security is achieved," he said.
"Ideally, information security should be a part of our working lives, just like locking the front door when we leave the house in the morning. We should not be afraid, we should be aware of the consequences of our actions and inactions."
Vectra director of information security, Jo Stewart-Rattray also said it is a concern that the government agencies have not implemented top-level IT security policies.
"The commonwealth government is certainly trying to do the right thing. However, as is often the case, it is the individual agencies that are responsible for implementing such policy. Sometimes this is where the issues occur and sometimes those issues are budget related or in some cases skills related. There are very few organizations (in the private or public sector) that have all the ducks in a row."
Stewart-Rattray said that awareness of information security is generally higher in government than it is in the private sector.
"For example, the South Australian government has rolled out to its agencies its own Information Security Management Framework (ISMF) which is an information security governance framework based on risk management standard AS/NZ 7799," she said.
"There is a general understanding of the need for information security, both in Public and Private sectors, but there is less of an understanding as to what actually constitutes information security governance or indeed IT governance and how both of these should cascade from the overall governance framework of the organization."
The audit identified a number of opportunities for further improvement in agencies' policies and procedures relating to IT security management practices.
These included improving the content and processes for developing and maintaining IT security policy alignment with organizational risk management processes; ensuring a regular process exists within the IT security control framework to identify gaps between an agency IT environment and Australian government expectations; ensuring policies clearly identify the physical and environmental security controls and standards for managing IT equipment; ensuring performance reporting of network security practice is designed to make sure that security controls are adequately addressing IT security risks; and ensuring standards exist and are applied for the use of audit trails.
Most agencies agreed to the recommendations and are putting strategies in place to implement them.
Read up on the latest ideas and technologies from companies that sell hardware, software and services. Zones provide focussed content from CIO and leading technology partners.- White PaperWhat you don’t know can destroy your business. It’s hard to imagine modern business without the internet but in the last few years it has become fraught with danger. Read on to discover how internet security can give your business a competitive advantage.
- White PaperView this webcast and discover the drivers for changing network design practices, why many organisations are changing their approach to network architecture and how enterprises should be moving forward with open architecture multi-vendor network solutions. Register now and learn how your business can maximize the business value of the enterprise network.
- White PaperJoin industry expert Bob Spurzem and Chuck Arconi of Fox Hollow to discover how to reduce Exchange total storage and keep it at a manageable level. Learn how Exchange storage growth can be contained without sacrificing security and accessibility.
Discover how SOA can create smarter outcomes for your business.
Attend and learn:
- How SOA is helping leading companies to become more agile
- Where you should be applying SOA processes in your company
- The top SOA implementation mistakes to avoid
Click here for more information.
- +
CIO Live Podcast #79: Brent D Taylor, author of The Outsider's Edge: The Making of Self-Made Billionaires Part II 05 October, 2007 06:00:00
For his new book, The Outsider's Edge: The Making of Self-Made Billionaires, social researcher Brent D Taylor spent four years of intensive research investigating the psychological make-up and backgrounds of some of the world's richest men and women, including IT luminaries Bill Gates, Larry Ellison and Steve Jobs. Taylor discovered that, despite working in different industries and coming from different upbringings, they all have one thing in common -- they are all outsiders. - +
CIO Live Podcast #78: Brent D Taylor, author of The Outsider's Edge: The Making of Self-Made Billionaires 28 September, 2007 17:34:25
For his new book, The Outsider's Edge: The Making of Self-Made Billionaires, social researcher Brent D Taylor spent four years of intensive research investigating the psychological make-up and backgrounds of some of the world's richest men and women, including IT luminaries Bill Gates, Larry Ellison and Steve Jobs. Taylor discovered that, despite working in different industries and coming from different upbringings, they all have one thing in common -- they are all outsiders. - +
CIO Live Podcast #77: Panasonic Speeds Up Trans-Pacific File Transfers, Part III 21 September, 2007 07:00:00
Part three in our three-part special report from CIO's sister publication Network World in the US, as Paul Desmond reports from the Network World IT Roadmap Conference in Santa Clara, California. With development teams in the US and Japan, Panasonic needed a more efficient way to move very large files between the two locations. Iben Rodriguez, IT consultant for Panasonic Research and Development, explains how a storage-area network and virtual server technology helped speed up WAN performance. - +
CIO Live Podcast #76: Panasonic Speeds Up Trans-Pacific File Transfers, Part II 14 September, 2007 07:00:00
Part two in our three-part special report from CIO's sister publication Network World in the US, as Paul Desmond reports from the Network World IT Roadmap Conference in Santa Clara, California. With development teams in the US and Japan, Panasonic needed a more efficient way to move very large files between the two locations. Iben Rodriguez, IT consultant for Panasonic Research and Development, explains how a storage-area network and virtual server technology helped speed up WAN performance. - +
CIO Live Podcast #75: Panasonic Speeds Up Trans-Pacific File Transfers, Part I 07 September, 2007 07:00:05
Part one in our three-part special report from CIO's sister publication Network World in the US, as Paul Desmond reports from the Network World IT Roadmap Conference in Santa Clara, California. With development teams in the US and Japan, Panasonic needed a more efficient way to move very large files between the two locations. Iben Rodriguez, IT consultant for Panasonic Research and Development, explains how a storage-area network and virtual server technology helped speed up WAN performance.
- +
TJX Maxx hacker banged up for 30 years 09 January, 2009 11:26:00
Key figure in the infamous TJX Maxx Wi-Fi hack of 2005 has been sentenced to 30-years in prison by a Turkish court.Maksym Yastremskiy, the Ukrainian accused of being a key figure in the infamous TJX Maxx Wi-Fi hack of 2005, has been sentenced to 30-years in prison by a Turkish court. - +
Data breaches rose sharply in 2008, says study 08 January, 2009 08:27:00
More than 35 million data records were breached in 2008, according to the Identity Theft Resource Center.More than 35 million data records were breached in 2008 in the U.S., a figure that underscores continuing difficulties in securing information, according to the Identity Theft Resource Center (ITRC). - +
Rogue SSL certificate exploit puts VeriSign on the spot 07 January, 2009 11:04:00
Wishes "white hat" researchers had notified VeriSign before public demo.Following the success of researchers last week in creating a false SSL certificate based on VeriSign's RapidSSL brand, the company is scrambling to explain how it happened, how it's preventing it from reoccurring, and whether its other SSL certificate-generation services are at risk. - +
With Gaza conflict, cyberattacks come too 05 January, 2009 08:03:00
Pro-Palestinian hackers have defaced thousands of sites following attacks in Gaza.The conflict raging in Gaza between Israel and Palestine has spilled over to the Internet. - +
5 ways to secure your Blackberry 18 December, 2008 12:58:00
What do Tom Cruise and the McCain campaign have in common? They have both been bitten by the loss of a Blackberry. Mobile expert Dan Hoffman gives advice on how to keep your cherished mobile device safe, even if it's out of your handsWhat do Tom Cruise and the McCain campaign have in common? They have both been bitten by the loss of a Blackberry. Mobile expert Dan Hoffman gives advice on how to keep your cherished mobile device safe, even if it's out of your hands.
IT industry veteran advises caution on outsourcing selection in light of Satyam problems 09 January, 2009 21:45:00
Research software developer appoints Susan Dart to new Business Development Director role 08 January, 2009 09:08:00
Research software developer appoints Susan Dart to new Business Development Director role 08 January, 2009 09:08:00
Anyware Introduce Two Powerful PCI TV Tuner Cards with S5 Power Up and Windows Media Center Remote 07 January, 2009 17:30:00
Fortinet Cures Mobile Phone “Curse of Silence/CurseSMS” Attack 07 January, 2009 16:30:00
|
||
|
||
|
|
||
|
Gaining Competitive Advantage Through Enterprise Planning
No matter how good its products or innovative its services, no organization can perform to its full potential without an adequate planning structure in place. Discover how this can be done by reading on.
