The Auditor-General’s report on Whole-of-Government Information and Communication Technology Security Management and Services paints a generally rosy picture of the ACT Government’s IT security.
But it worries us that “attacks defended” headlines the conclusions:
The protection of the ACT Government network is robust. Shared Services ICT Security Section’s security regime has successfully defended against over one million attempts to access the ACT Government’s network in the nine month period to 31 March 2012
The router on your home network from Dick Smith probably defended a similar number of “attempts” in the last year.
The problem with IT security is that it’s not the attacks you can see that you need to worry about. Indeed, in military info-war exercises, easily defeated and clumsy intrusion attempts are frequently used as a distraction from the real attack. (This is itself a failing of the tight windows of exercises; a real-world attack might well prefer complete stealth at an unexpected hour.)
More worrying is this bit at the end of the conclusions:
Despite it being a requirement, only 5% of the ACT Government’s 1025 information management systems have a system security plan; and even fewer, some 2.24% have a threat and risk assessment. The reasons for this were not able to be ascertained. This is an issue that needs to be addressed.
Hand held devices, known as ‘portable platforms’ that can access the ACT Government networks and the internet are proliferating. New or amended policies to govern the use of new technologies are required as a matter of priority.
The ACT Government does not have an electronic records management system. The need for such a system is likely to increase.