
Audit: WA registry system flaws force auditor to delay findings by 18 months | iTnews

Australian Audit Report November 26 2020
WA registry system flaws force auditor to delay findings by 18 months
‘Highly unusual step’ taken to protect foundational system.
WA Auditor General’s Report: Western Australian Registry System – Application Controls Audit
Reported in: WA registry system flaws force auditor to delay findings by 18 months | iTnews
Western Australia’s auditor was so concerned about vulnerabilities in the state’s registry system last year that she took the unusual step of delaying the release of findings so the issues could be addressed.
Caroline Spencer made the revelation in a one-off audit on Thursday, a full 18 months after tabling the 2019 information systems review that would have otherwise detailed the vulnerabilities.
Audit Conclusion
However, our 2019 audit found that the System was not adequately protecting the confidentiality and integrity of information housed within it. Highly confidential and foundational information was at risk of unauthorised access, alteration and disclosure due to inadequate database controls, security vulnerabilities and insufficient monitoring of changes to critical information. Insufficient disaster recovery planning also meant that the System was at risk of not being recovered in a timely manner in the event of a disruptive incident.
Key Findings:
- The Department did not know if inappropriate or unauthorised changes were made to information stored in the System
- The security of electronic records needed improvement:
  - Insecure databases – there was no data encryption to protect confidential information in the database
  - Unprotected personal data – confidential information was replicated without obfuscation in the test and development environments
- Security vulnerabilities were not well managed, leaving the System exposed to attacks
- The change of name process could be misused
- The Department does not know if it will be able to recover the System following an incident