The ACT government’s computer systems fought off more than a million attempts to compromise their security in the nine months to April, the territory’s auditor-general has found.
And despite a “denial of service” attack on a key government website just as the audit was coming to an end, auditor Maxine Cooper has found the territory’s information security system is “robust”.
But Dr Cooper’s report found 95 per cent of the 1025 information management systems in the government’s sprawling network were not complying with the requirement to have a security plan and even fewer had undertaken a threat-and-risk assessment.
Dr Cooper’s office audited the government’s computer network over the nine months before March, but as the audit period came to a close, the Justice and Community Safety Directorate’s website came under successful attack.
The department, which holds sensitive information from the city’s justice agencies, was targeted by the Anonymous group in what is believed to be a case of mistaken identity.
The hackers appeared to believe they were attacking the Australian “justice department”, protesting the federal government’s attitude toward WikiLeaks founder Julian Assange.
Dr Cooper warned that unauthorised accessing of information held by the government, including health and medical records, criminal records, case management records and sensitive government documents, could cause strategic damage.
But Dr Cooper found successful attacks were externally exceptional in an otherwise good security record for the territory, a record which could be improved if all government websites were internally hosted.
“The protection of the ACT government network is robust,” the Auditor-General said yesterday.
“Shared Services ICT Security Section’s security regime has successfully defended against over one million attempts to access the ACT government’s network in the nine-month period to 31 March, 2012.
“Future similar breaches could be minimised if all directorate and agency websites were hosted on the ACT government network or an ACT government endorsed supplier.”
Dr Cooper also wants to see improvements, including more IT bureaucrats reading up on the essential documents governing security.
“While the administrative structures and processes that support whole and procedures are overall satisfactory there are some shortcomings,” Dr Cooper said.
“ICT security governance is based on the Protective Security Policy and Guidelines which is the ACT government’s pre-eminent protective security document.
“However it is unclear if the status of this document is well understood or if adequate processes exist to ensure that directorates and agencies are complying with it.”
The auditor was also unhappy with a failure to put plans in place to secure information management systems in the government network.
“Despite it being a requirement, only 5 per cent of the ACT government’s 1025 information management systems have a system security plan; and even fewer, some 2.24 per cent, have a threat-and-risk assessment,” she said.