The ACT Government’s computer systems remain vulnerable to hacking, fraud and the loss of data, according to an audit report.
The ACT Audit Office reviewed government agency controls over their computer systems as part of its annual financial audits, identified weaknesses in how those systems are operated and administered, and urged agencies to speed up work to secure them.
Auditor-General Michael Harris said these weaknesses exposed the ACT Government’s systems and data to higher than necessary risks, which could lead to errors and fraud, unauthorised access to sensitive information, cyber security attacks, loss of critical data and the inability to promptly recover systems in the event of a major disruption or disaster.
He said the weaknesses related to how user access to the ACT Government network and applications is managed; the take-up of application whitelisting, a technique that allows only authorised applications to run on systems; and the monitoring of user activity to confirm it is appropriate.
Mr Harris acknowledged that agencies had made progress to address longstanding previously reported audit findings on their controls in recent years.
But he warned that agencies needed to give a higher priority to promptly resolving weaknesses in the future to ensure that their computer information systems and data are not exposed to unnecessary risks for prolonged periods of time.
The report says agencies have improved the general control environment over their computer systems in the last few years with the number of audit findings falling from 13 in 2015-16 to four in 2018-19.
Agencies have also made substantial progress in addressing the remaining four audit findings and say they expect most of them to be resolved in 2020.
This has involved the disabling of inactive user accounts and restricting the use of generic or shared user accounts, application whitelisting, eliminating duplicate systems and the reconciliation of system changes.
The Audit Office had long identified the use of generic or shared passwords in agencies as an issue and, despite improvements, it reported in 2017-18 that a high number were still in use.
But by 2020, the ACT Health Directorate had yet to fully address this weakness, advising that this work was still ongoing.
The Audit Office had also been warning Shared Services since 2014-15 about the failure to whitelist applications on desktop or server computer systems on the ACT Government network, increasing the risk of unauthorised access to systems and data from malicious programs such as computer viruses.
Shared Services advised in February that all workstations on the Education network and over 70 per cent of workstations on the ACT Government network – about 12,000 of 17,000 desktop computers – have had application whitelisting activated as part of the deployment of Windows 10 under the Desktop Modernisation Program.
Shared Services expects that 95 per cent of all desktops will be upgraded by 30 June 2020.
But the report says there are challenges with previous Windows versions and Linux which pose significant risks and require further technical investigation.
On controls over specific major applications, the report says that of the 18 previously reported audit findings, agencies had resolved seven (39 per cent) and partially resolved three (17 per cent).
The remaining eight (44 per cent) findings were yet to be resolved, and two new audit findings were identified in 2018-19 in relation to the ACT Government’s human resource management information system.
“Most audit findings on controls over applications continue to be in relation to weaknesses in user access management and the monitoring of audit logs,” the report says.
“These controls need to be given a higher priority by agencies as they assist in the prevention and detection of fraud and errors in their financial systems.”
The Audit Office made 12 recommendations.