WA Auditor General slams security shortfalls

The Auditor General of Western Australia has called on state government entities to upgrade their information security practices, with a new report finding, in some cases, a complete absence of infosec policies.

In its annual Information Systems Audit Report, Auditor General Caroline Spencer details the results of the 2018 probe of government entities, looking to determine whether controls "effectively support the confidentiality, integrity, and availability of information systems".

An audit of key business applications at four public sector entities found all four had weaknesses, the most common of which related to poor contract management, policies, procedures and information security.

The Recruitment Advertisement Management System is an application employed by the WA Public Sector Commission to manage staff recruitment and redeployments, and to record severance details. The public use the system to apply for WA government jobs.

The system is externally hosted and managed by a third-party vendor in a Software as a Service (SaaS) arrangement. It contains personal identifiable and sensitive information such as names, addresses, work history, qualifications, bank details and tax file numbers.

The Auditor General found that poor user access management has the potential to expose personal and sensitive information to inappropriate access or misuse, particularly as the Commission has kept all information stored on the system since 2003.

It also identified the following control deficiencies:

  • Unsupported software – Some software components that underpin the application are no longer supported by the software vendors. In addition, 1 component has not had software updates applied that fix known security vulnerabilities. Unsupported and out-of-date software increases the risk of attackers using known vulnerabilities to gain access to sensitive information or disrupt systems.
  • Disaster recovery not tested – The vendor has not performed a full disaster recovery test since 2015. The Commission cannot be certain that it can recover the application as required.
  • Outdated technical specification documentation – The technical documentation describing the application does not reflect the current application environment. The Commission cannot be certain that all appropriate controls are in place to protect the application.
  • Unspecified data retention – Data retention requirements have not been specified. All information since 2003 has been retained in the system. This information is vulnerable to exposure if the application is compromised. Further, retaining all this information increases the risk that Australia’s Privacy Act 1988 and the European General Data Protection Regulation may be breached, which could result in infringements and reputational damage. The contract should also be consistent with the State Records Office’s General Disposal Authority, which states that job applicant information should be disposed of after 7 years for successful applicants and 1 year for unsuccessful applicants.
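The retention finding above is easiest to act on if the disposal rule is applied mechanically to the record set rather than left unspecified. The following is an added example (not code from the audit report, the Commission or the vendor) that applies the quoted General Disposal Authority periods, 7 years for successful and 1 year for unsuccessful applicants, to a constructed set of applicant records. The record layout and field names are assumptions for illustration; records whose outcome has no retention rule are returned separately so they are reviewed rather than silently kept forever.

```python
from datetime import date

# Constructed applicant records (not real data): (applicant_id, outcome, application_date)
RECORDS = [
    ("A-001", "successful",   date(2005, 6, 1)),
    ("A-002", "unsuccessful", date(2017, 9, 15)),
    ("A-003", "unsuccessful", date(2018, 11, 2)),
    ("A-004", "successful",   date(2013, 1, 20)),
    ("A-005", "withdrawn",    date(2010, 2, 3)),   # no rule defined for this outcome
]

# Retention periods in years, as quoted from the General Disposal Authority
RETENTION_YEARS = {"successful": 7, "unsuccessful": 1}


def add_years(d, years):
    """Return d shifted forward by `years`, moving 29 Feb to 28 Feb when needed."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def disposal_date(outcome, application_date):
    """Date on which a record becomes due for disposal, or None if no rule covers it."""
    years = RETENTION_YEARS.get(outcome)
    if years is None:
        return None
    return add_years(application_date, years)


def due_for_disposal(records, today):
    """Split records into those past their retention period and those with no rule.

    Returns (due_ids, unclassified_ids). Records still within their retention
    period appear in neither list.
    """
    due, unclassified = [], []
    for applicant_id, outcome, applied in records:
        dispose_on = disposal_date(outcome, applied)
        if dispose_on is None:
            unclassified.append(applicant_id)   # needs a retention decision
        elif dispose_on <= today:
            due.append(applicant_id)
    return due, unclassified


if __name__ == "__main__":
    due, unclassified = due_for_disposal(RECORDS, date(2019, 4, 1))
    print("Due for disposal:", due)          # A-001, A-002
    print("No retention rule:", unclassified) # A-005
```

Running this against a full export would give the Commission a concrete disposal list and, just as importantly, a list of records the retention policy does not yet cover.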


It also identified the following weaknesses in the access controls intended to minimise the risk of unauthorised access:

  • Ineffective user account management – The Commission does not have a policy or a procedure to manage entity user accounts, including highly privileged accounts. In addition, there is no process to routinely review user activity and their levels of access. There is an increased risk of unauthorised access to, or misuse of, information in the application. Ineffective user account management may have contributed to the high number of enabled accounts (approximately 30,000). 26% of these (8,000 accounts) have never been used and 50% (15,000 accounts) have not been used in over 6 months.
  • Weak password configuration – The ‘admin’ portal does not meet good practice requirements for password complexity and does not limit the re-use of passwords. In addition, multi-factor authentication, where user access is only granted after successful presentation of 2 or more pieces of information, is not required to access the application. This leaves the portal susceptible to password guessing attacks and unauthorised access to information.
  • Unmanaged generic accounts – Fifty-five entities use generic accounts to access the internet-facing reporting portal, and the password for the generic account is easy to guess. Generic accounts and passwords are shared by email, and the Commission does not know who has been given this information. As the password is easy to guess and not changed on a regular basis, staff moving within or leaving an entity may retain access to the reporting portal, increasing the likelihood of unauthorised access and disclosure.
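The first of these findings, no routine review of user activity and access levels, is the kind of control that can be run as a scheduled job over an account export. The following added example (not code from the report, the Commission or the vendor) classifies enabled accounts as active, stale (no login within roughly six months, the threshold the report's figures use) or never used, and separately lists dormant accounts that hold privileged access, since those are the ones to disable first. The account records and their field layout are constructed for illustration.

```python
from datetime import date, timedelta

# Constructed account export (not real data):
# (username, privileged, enabled, last_login or None if the account was never used)
ACCOUNTS = [
    ("j.smith",   False, True,  date(2019, 3, 1)),
    ("svc_admin", True,  True,  date(2018, 5, 20)),
    ("a.brown",   False, True,  None),
    ("m.lee",     False, True,  date(2019, 2, 10)),
    ("old_user",  False, False, date(2016, 1, 1)),   # already disabled, ignored
    ("ops_admin", True,  True,  None),
]

# Accounts with no login inside this window are treated as stale (about six months)
STALE_AFTER = timedelta(days=183)


def review_accounts(accounts, today):
    """Summarise enabled accounts by usage, mirroring the report's headline figures.

    Returns a dict with counts, percentages of enabled accounts, and the
    usernames of privileged accounts that are stale or never used.
    """
    enabled = [a for a in accounts if a[2]]
    never_used = [a for a in enabled if a[3] is None]
    stale = [a for a in enabled if a[3] is not None and today - a[3] > STALE_AFTER]
    active = [a for a in enabled if a[3] is not None and today - a[3] <= STALE_AFTER]
    total = len(enabled)

    def pct(n):
        return round(100 * n / total) if total else 0

    return {
        "enabled": total,
        "never_used": len(never_used),
        "stale": len(stale),
        "active": len(active),
        "never_used_pct": pct(len(never_used)),
        "stale_pct": pct(len(stale)),
        # privileged accounts that are dormant: highest-priority candidates to disable
        "privileged_dormant": sorted(a[0] for a in never_used + stale if a[1]),
    }


def accounts_to_disable(accounts, today):
    """Usernames of every enabled account that is stale or never used."""
    enabled = [a for a in accounts if a[2]]
    return sorted(
        a[0] for a in enabled
        if a[3] is None or today - a[3] > STALE_AFTER
    )


if __name__ == "__main__":
    summary = review_accounts(ACCOUNTS, date(2019, 4, 1))
    for key, value in summary.items():
        print(f"{key}: {value}")
    print("Disable candidates:", accounts_to_disable(ACCOUNTS, date(2019, 4, 1)))
```

Run on a regular schedule, the output feeds the review the report says is missing: the percentages track whether the dormant-account population is shrinking, and the disable list is the action item for each cycle.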


The full report is available at Information Systems Audit Report [PDF].