Stan Beer
Tuesday, 20 June 2006 19:42
IT Policy - Government Tech Policy
An Auditor-General’s report on internet security in Federal Government agencies highlights the critical need for sound security management practices and policies in all organisations using the internet, according to a peak body of engineers. The Australian Electrical and Electronic Manufacturers' Association has called on the Government to facilitate greater use of mutual authentication and related management practices as a possible solution to the troubling issue of internet security today.
Joint Chairs of AEEMA’s forums, David Curtis and Geoff Rhodes, commented: “The Audit Report has identified several key areas where employee practices and management policies are inadequate to guard against the risk of attacks and compromises. In fact, in the five years since 2001, government has seen a 129% increase in reported security ‘incidents’ including email scams, DOS attacks, defacement and virus infections.”
In those agencies audited, the Report found that ICT security documentation did not fully comply with the Government’s own security policies set out in the PSM and ACSI 33. Non-compliance examples included: no systematic and co-ordinated program for the ongoing management of ICT security-related risk assessments; security policies and system security plans were not linked to ICT risk assessments and plans; and no system security plans.
The Report notes that while several of the agencies had initiated development of business continuity and disaster recovery plans for their Internet services, only one had sound plans in place. The other agencies had deficiencies such as dependence on the knowledge of key staff, few documented procedures, documents left in draft form and failure to regularly review plans.
While most of the audited agencies had developed and implemented standard operating procedures that covered Internet security, these standard operating procedures did not always comply with the requirements of ACSI 33, including: inappropriate password management; user account privileges inappropriately administered; no documented procedures for incident detection and response, management of hardware, and the use of remote access; and hardware not adequately secured.