Engineers identify poor Government internet security

by Stan Beer

Wednesday, 21 June 2006
An Auditor-General’s report on internet security in Federal Government agencies highlights the critical need for sound security management practices and policies in all organisations using the internet, according to a peak body of engineers.

The Australian Electrical and Electronic Manufacturers' Association (AEEMA) has called on the Government to facilitate greater use of mutual authentication and related management practices as a possible solution to the troubling issue of internet security today.

Joint Chairs of AEEMA’s forums, David Curtis and Geoff Rhodes, commented: “The Audit Report has identified several key areas where employee practices and management policies are inadequate to guard against the risk of attacks and compromises. In fact, in the five years since 2001, government has seen a 129% increase in reported security ‘incidents’ including email scams, DOS attacks, defacement and virus infections.”

In the agencies audited, the Report found that ICT security documentation did not fully comply with the Government’s own security policies set out in the PSM and ACSI 33. Non-compliance examples included: no systematic and co-ordinated program for the ongoing management of ICT security-related risk assessments; security policies and system security plans that were not linked to ICT risk assessments and plans; and no system security plans at all.

The Report notes that while several of the agencies had initiated development of business continuity and disaster recovery plans for their internet services, only one had sound plans in place. The other agencies had deficiencies such as dependence on the knowledge of key staff, few documented procedures, documents left in draft form, and failure to regularly review plans.

While most of the audited agencies had developed and implemented standard operating procedures that covered internet security, these procedures did not always comply with the requirements of ACSI 33. Shortcomings included: inappropriate password management; user account privileges inappropriately administered; no documented procedures for incident detection and response, management of hardware, or the use of remote access; and hardware not adequately secured.