WA Auditor-General finds control weaknesses in four state IT applications
The auditor-general of Western Australia has found four business applications used by state government entities contain control weaknesses, mostly around poor information security and policies and procedures.
In her latest audit, the auditor-general probed the Teacher Registration System, run by the Department of Education for the Teacher Registration Board of Western Australia; the Forest Products Commission's Deliveries and Billing System; the Housing Management System (Habitat) from the Department of Communities; and the TAFE Student Management System, which is overseen by the Department of Training and Workforce Development.
The testing was performed during 2019-20. The report [PDF] declared all four applications had control weaknesses. Auditor-General Caroline Spencer reported 75 findings across the four applications — nine findings were rated as significant, 57 moderate, and another nine were considered minor.
The first application probed was the Department of Education's Teacher Registration System, which the department took over in 2017.
The system is a combination of internally developed and commercial software applications, hosted on public cloud infrastructure and maintained by department staff and contractors.
“There are a number of significant weaknesses in the system which prevent the [Teacher Registration Board of Western Australia] and the department from efficiently managing public resources and effectively managing information security risks relating to sensitive teacher information,” the report said.
The audit determined basic governance and controls, including limiting access and segregation of duties for system changes, were not implemented.
“There is also a risk that insufficient disaster recovery planning and ongoing system failures could result in an outage that impacts teacher registration services,” it added.
IT governance, security, and risk management were poor, with the report saying there is currently no IT strategy; limited oversight; and no risk management, change management, project management, incident and problem management, cloud management, or continuity management.
Roles and responsibilities for managing the cloud environment had also not been defined, the report said, and 33 subscription owners each had full control of the cloud resources.
It also found 119 resources deployed in data centres outside Australia, including in Southeast Asia and the United States.
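The two cloud findings above, an oversized set of subscription owners and resources deployed outside the approved jurisdiction, are the kind of thing an offline check over an exported inventory catches before an auditor does. The script below is an added example, not code from the report or from the department; the resource list, the role assignments, the region names and the owner ceiling are constructed assumptions shaped loosely like a cloud provider's resource and role-assignment listings. It also handles the case auditors most often miss, an Owner assignment inherited from a parent scope, which a naive filter on the subscription alone would not count.

```python
"""Offline check for data-residency and owner-sprawl findings over an
exported cloud inventory. All data below is constructed sample data."""
from collections import Counter

ALLOWED_REGIONS = {"australiaeast", "australiasoutheast"}  # assumed residency policy
MAX_OWNERS = 3                                              # assumed policy ceiling
SUBSCRIPTION = "/subscriptions/sub-trs"                     # assumed scope id

# Constructed resource inventory (name, type, deployment region).
SAMPLE_RESOURCES = [
    {"name": "trs-db-01", "type": "sql/server", "location": "australiaeast"},
    {"name": "trs-web-01", "type": "web/site", "location": "australiasoutheast"},
    {"name": "trs-backup-01", "type": "storage/account", "location": "southeastasia"},
    {"name": "trs-cdn-01", "type": "cdn/profile", "location": "eastus"},
    {"name": "trs-log-01", "type": "storage/account", "location": "SoutheastAsia"},
]

# Constructed role assignments: (principal, role, scope the role was granted at).
SAMPLE_ROLE_ASSIGNMENTS = [
    ("alice@example.gov", "Owner", SUBSCRIPTION),
    ("bob@example.gov", "Owner", SUBSCRIPTION),
    ("carol@example.gov", "Contributor", SUBSCRIPTION),
    ("platform-team@example.gov", "Owner", "/"),  # inherited from the root scope
    ("contractor1@vendor.example", "Owner", SUBSCRIPTION + "/resourceGroups/rg-web"),
    ("dave@example.gov", "Owner", SUBSCRIPTION),
    ("erin@example.gov", "Owner", SUBSCRIPTION),
]


def resources_outside(resources, allowed=ALLOWED_REGIONS):
    """Names of resources deployed in a region outside the allowed set.
    Region names are compared case-insensitively."""
    return sorted(r["name"] for r in resources if r["location"].lower() not in allowed)


def region_breakdown(resources):
    """Count of resources per (normalised) region, for the report table."""
    return Counter(r["location"].lower() for r in resources)


def scope_covers(assigned_scope, target_scope):
    """True when a role granted at assigned_scope applies to target_scope:
    grants are inherited downward, so a grant at "/" or at a parent
    covers the subscription, but a grant on a child resource group does not."""
    if assigned_scope == "/":
        return True
    parent = assigned_scope.rstrip("/") + "/"
    return target_scope == assigned_scope or target_scope.startswith(parent)


def subscription_owners(assignments, scope=SUBSCRIPTION):
    """Every principal that effectively holds Owner on the subscription,
    including inherited grants and excluding grants scoped below it."""
    return sorted({p for p, role, s in assignments
                   if role == "Owner" and scope_covers(s, scope)})


def owner_excess(assignments, scope=SUBSCRIPTION, limit=MAX_OWNERS):
    """How many owners exceed the policy ceiling (0 when within policy)."""
    return max(0, len(subscription_owners(assignments, scope)) - limit)


if __name__ == "__main__":
    print("outside allowed regions:", resources_outside(SAMPLE_RESOURCES))
    print("per region:", dict(region_breakdown(SAMPLE_RESOURCES)))
    print("effective owners:", subscription_owners(SAMPLE_ROLE_ASSIGNMENTS))
    print("owners over limit:", owner_excess(SAMPLE_ROLE_ASSIGNMENTS))
```

The contractor's Owner grant on a single resource group is deliberately excluded from the subscription owner count, while the platform team's root-scope grant is included; both are easy to get wrong when the check is a one-line filter on role name and scope equality.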
The department's Teacher Registration Directorate also spent approximately AU$240,000 between July 2019 and February 2020 on contracted services that the department could have provided itself. The audit also found a conflict-of-interest risk, as the same contractor both proposed and undertook projects; that contractor was paid approximately AU$500,000 in a six-month period.
The next application probed was the Forest Products Commission’s Deliveries and Billing System (DAB), which enables it to generate revenue and payment information from the harvest and sale of timber products.
The audit determined that security weaknesses in the DAB database and the commission's network may expose it to malicious attacks and unauthorised access. In addition, weaknesses in controls, including the review of information entered into the DAB and monitoring of compliance with regulations, create risks of incorrect revenue or payments and of non-compliance.
The 2019 DAB implementation project encountered delays and cost overruns, overspending by approximately AU$720,000, and the auditor-general said the commission could not demonstrate that an effective project governance framework was in place.
The Department of Communities’ Housing Authority, meanwhile, was found to not have assessed the information security risks for its Habitat program. In addition, the auditor-general said the authority had not implemented adequate processes that provide oversight of Habitat controls, nor was there a disaster recovery plan in place.
The report said the auditor-general identified 178 database user accounts with easy-to-guess passwords and 1,195 accounts whose password had not been changed for five years. These included accounts with high privileges.
The authority’s IT staff also used and shared a highly privileged account to administer the Habitat database.
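The three Habitat database findings above, guessable passwords, passwords unchanged for years, and one highly privileged account shared between administrators, can all be surfaced from an account export plus a login log. The script below is an added example, not code from the report or from the authority. Everything in it is constructed: the account list, the login events, the policy thresholds, and the hash scheme (an unsalted SHA-256 stands in for whatever verifier format the real engine uses, so the weak-password check here is a dictionary match against that toy hash). It rates any issue on a privileged account as significant and the rest as moderate, mirroring the report's own rating scale.

```python
"""Offline audit of database accounts for weak, stale and shared credentials.
All accounts, logins and thresholds are constructed sample data."""
import hashlib
from collections import defaultdict
from datetime import date

AUDIT_DATE = date(2020, 6, 30)     # assumed audit date
MAX_PASSWORD_AGE_DAYS = 365        # assumed rotation policy
PRIVILEGED_ROLES = {"DBA", "SYSDBA"}
COMMON_PASSWORDS = ["password", "Password1", "welcome1", "habitat", "admin", "changeme"]


def toy_hash(password):
    """Toy verifier: unsalted SHA-256. Real engines store their own formats."""
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed account export: name, stored verifier, last rotation, granted roles.
SAMPLE_ACCOUNTS = [
    {"user": "HAB_ADMIN", "hash": toy_hash("Password1"), "last_changed": date(2015, 3, 2), "roles": ["DBA"]},
    {"user": "HAB_APP", "hash": toy_hash("x7#Lq!29vT"), "last_changed": date(2020, 1, 15), "roles": ["CONNECT"]},
    {"user": "REPORTS", "hash": toy_hash("welcome1"), "last_changed": date(2019, 11, 1), "roles": ["CONNECT"]},
    {"user": "BATCH", "hash": toy_hash("q9!rB0zM4kW"), "last_changed": date(2014, 8, 20), "roles": ["CONNECT"]},
]

# Constructed login log: (db user, OS user at the client, client host).
SAMPLE_LOGINS = [
    ("HAB_ADMIN", "jsmith", "ws-041"),
    ("HAB_ADMIN", "akhan", "ws-112"),
    ("HAB_ADMIN", "jsmith", "ws-041"),
    ("HAB_APP", "svc-habitat", "app-01"),
    ("REPORTS", "mlee", "ws-077"),
]


def is_privileged(account):
    return bool(PRIVILEGED_ROLES & set(account["roles"]))


def weak_password_accounts(accounts, wordlist=COMMON_PASSWORDS):
    """Accounts whose stored verifier matches a hashed dictionary entry."""
    lookup = {toy_hash(pw) for pw in wordlist}
    return sorted(a["user"] for a in accounts if a["hash"] in lookup)


def stale_accounts(accounts, today=AUDIT_DATE, max_age=MAX_PASSWORD_AGE_DAYS):
    """Accounts whose password is older than the rotation policy allows."""
    return sorted(a["user"] for a in accounts if (today - a["last_changed"]).days > max_age)


def shared_privileged_accounts(accounts, logins):
    """Privileged DB accounts used from more than one OS identity, which is the
    signature of a shared administrative credential."""
    privileged = {a["user"] for a in accounts if is_privileged(a)}
    os_users = defaultdict(set)
    for db_user, os_user, _host in logins:
        if db_user in privileged:
            os_users[db_user].add(os_user)
    return {u: sorted(v) for u, v in os_users.items() if len(v) > 1}


def audit(accounts, logins):
    """Map each affected account to its issues and a rating on the report's scale."""
    weak = set(weak_password_accounts(accounts))
    stale = set(stale_accounts(accounts))
    shared = shared_privileged_accounts(accounts, logins)
    findings = {}
    for a in accounts:
        issues = sorted(
            tag for tag, hit in (("weak", a["user"] in weak),
                                 ("stale", a["user"] in stale),
                                 ("shared", a["user"] in shared)) if hit)
        if issues:
            severity = "significant" if is_privileged(a) else "moderate"
            findings[a["user"]] = {"issues": issues, "severity": severity}
    return findings


if __name__ == "__main__":
    for user, finding in audit(SAMPLE_ACCOUNTS, SAMPLE_LOGINS).items():
        print(f"{user}: {finding['severity']} - {', '.join(finding['issues'])}")
```

The shared-account check keys on the OS user behind each session rather than the client host, because two administrators on one jump box look like a single host but still reveal two identities; logging that attribute is what makes a shared DBA account detectable at all.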
Lastly, the Student Management System used by Western Australian TAFE colleges was found to expose sensitive student information to risk through inadequate monitoring of user activity and poor user access management.
The auditor-general said application governance was not fully established, there was inadequate contract management, and service level arrangements were not defined.
In addition, sensitive information was not protected in the database, data was not de-identified, user access management could be improved, two-factor authentication was not in use, and access to data files was not appropriately restricted.
“Application controls need to be considered in conjunction with existing organisational processes and IT controls. A holistic approach towards governance, risk management and security is critical for secure and effective operations,” Spencer said.
“Public facing applications are prone to cyber threats. It is therefore essential to manage system vulnerabilities and other weaknesses that could expose entities to compromise. We found that all audited entities could improve their controls around user access, vulnerability management, and situational awareness to address cyber risks.”