This is my ninth annual Information Systems Audit Report. The report summarises the results of the 2016 annual cycle of audits, plus application reviews completed by our Information Systems audit group since last year’s report.
The report is important because it reveals the common information system weaknesses we identified that can seriously affect the operations of government and potentially compromise sensitive information held by agencies. It also contains recommendations that address these common weaknesses and as such, has a use broader than just the agencies we audited.
Disappointingly, I must again report that many agencies are simply not taking the risks to their information systems seriously. I continue to report the same common weaknesses year after year, and yet many agencies are still not taking action. This is particularly frustrating given that many of the issues I have raised can be easily addressed. These include poor password management and failing to keep up to date the processes for recovering data and operations in the event of an incident.
A pressing issue that must be acknowledged and addressed across the sector is the need for agencies’ executive management to engage with information security, instead of regarding it as a matter for their IT departments. As recent high profile malware threats have shown us, no agency or system is immune from these evolving and ongoing threats. The risk to agency operations and information is real and needs to be taken seriously.
Our application reviews show that agencies also need to take the initiative and perform their own business process reviews to identify critical controls, inefficiencies and problems, and potential solutions. An analysis of the people, processes, technology and data relevant to key IT applications would help management identify risks and make improvements.
I must stress that this report is not all bad news. In the first part of this report, I identified some good practice and improvements across 5 key business applications. And in the second part of this report, I was pleased to identify 3 agencies that have consistently demonstrated good management controls.
It has not been my practice to name agencies when weaknesses are found in their general computer control environment as this could potentially expose these agencies to hackers. By naming those agencies that have demonstrated good practice and including case studies that show how agencies’ security had been compromised, I hope to encourage improvement across the sector.