8 June 2012

95% of ACT Government IT systems without the required System Security Plan

By johnboy

The Auditor-General’s report on Whole-of-Government Information and Communication Technology Security Management and Services paints a generally rosy picture of the ACT Government’s IT security.

But it worries us that "attacks defended" headlines the conclusions:

The protection of the ACT Government network is robust. Shared Services ICT Security Section’s security regime has successfully defended against over one million attempts to access the ACT Government’s network in the nine month period to 31 March 2012

The router on your home network from Dick Smith probably defended a similar number of “attempts” in the last year.

The problem with IT security is that it's not the attacks you can see that you need to worry about. Indeed, in military info-war exercises, easily defeated and clumsy intrusion attempts are frequently used as a distraction from the real attack. (This is itself a failing of the tight windows of exercises; a real-world attack might well prefer complete stealth at an unexpected hour.)

More worrying is this bit at the end of the conclusions.

Despite it being a requirement, only 5% of the ACT Government’s 1025 information management systems have a system security plan; and even fewer, some 2.24% have a threat and risk assessment. The reasons for this were not able to be ascertained. This is an issue that needs to be addressed.

Hand held devices, known as ‘portable platforms’ that can access the ACT Government networks and the internet are proliferating. New or amended policies to govern the use of new technologies are required as a matter of priority.

The ACT Government does not have an electronic records management system. The need for such a system is likely to increase.

[Photo by Patrick Hoesly CC BY 2.0]


Duffbowl said :

$15k/system for a TRA? You’re getting ripped off.

I'm sure they are.

steveu said :

Cue an expensive consultancy to knock up cookie cutter TRA (Threat and Risk Assessment) papers (apx $15K per system) and policy documents for these systems.

$15k/system for a TRA? You’re getting ripped off.

The people who work in IT Security in ACT gubmint are very smart and very competent.

Unfortunately they don’t make the decisions.

steveu said :

You could assume from this that they have spent their money on the technical systems themselves, instead of having some public servant draft up pieces of paper that people ignore…

Most of the technically able people I work with who need to get things done NOW have long since given up on the 6+ week process it seems to take for approval of the simplest things and use their own private solutions.

You could assume from this that they have spent their money on the technical systems themselves, instead of having some public servant draft up pieces of paper that people ignore could be a good thing. Surprising given the number of Chiefs/Project managers doing their micro political dances around the few little Indians (techos) at IntACT.

Cue an expensive consultancy to knock up cookie cutter TRA (Threat and Risk Assessment) papers (apx $15K per system) and policy documents for these systems.

The mobile devices thing is probably execs wanting to bring their flashy toys to work. The need to keep within DSD approved guidelines doesn’t apply above a certain level. Just a pity that when the s*** hits the fan it's never the guy who wanted to use his iTem that cops it.

How do “portable platforms” access the ACT network?
Are they saying that they have no security policy or standards for mobile device usage within the service itself, or for the general public to access ACT Govt. information? Or both.

Bluey said :

False. They have one, it's just not
a) centralised
b) universally used
c) given any thought and/or care.

But they do certainly have licenses for a certain records management system, I've installed it for them all over the place.

Well, that would be the all important singular “an”!

The ACT Government does not have an electronic records management system.

False. They have one, it's just not
a) centralised
b) universally used
c) given any thought and/or care.

But they do certainly have licenses for a certain records management system, I've installed it for them all over the place.
