Audit: Queensland Audit Office Education 2021 Report finds “all need to strengthen their security”

Posted by Steven Kirby | Jun 16, 2022 | 18.02.01 Independent review of information security, Australian Audit Report 2022, Availability, Compliance, Confidentiality, Integrity, kirbyIDau News, Queensland, State Government | 0 |

Australian Audit Report 16 June 2022

Queensland Audit Office Education 2021 Report finds “all need to strengthen their security”

Deficiencies identified with user and privilege access management, audit log and user activity monitoring

Queensland Audit Office Report: Education 2021

Queensland government’s education sector continues to struggle with the audit finding 55 control deficiencies in entities’ systems and processes (internal controls) relating to information systems. Some entities have taken steps in recent years to strengthen their information systems but more action is required.

According to the report “We continue to identify weaknesses in the entities’ information systems. While the entities are continually improving the security of their systems, the risk of cyber attacks continues to increase. The sensitive nature of information the entities hold about students and research makes them an attractive target. In response to this evolving risk, we have expanded our testing and identified more weaknesses. Given how much entities rely on their information systems, they all need to strengthen their security.”

The audit looked at more systems, databases, and networks for education entities than previously, to respond to the growing cyber security risk. This led to identifying additional weaknesses, including:

ineffective management of user accounts and access to systems
insufficient monitoring of the access and activities of privileged users
audit logs and user activity not being regularly monitored and reviewed.

Figure 2A shows the nature of internal control deficiencies reported this year.

The report concludes by recommending that education entities address the security of their information systems. It noted that QAO made the same recommendation last year in Education 2020 (Report 18: 2020–21). All entities need strong security practices and must emphasise the importance of them – in their processes and to their staff – in protecting against fraud or error and significant reputational damage.

About The Author

Steven Kirby

I provide independent and practical consultancy services through raising awareness and fostering the energy for change that delivers improved business management of information security governance, risk and compliance.

Trackbacks/Pingbacks

Australian Cyber News Summary #06 - June 2022 - Australian Information Security Awareness and Advisory - […] […]

Weekly Australian News and Monthly Incident Review Emails

No advertisements, marketing, sales, or unsolicited emails. Your email address is ONLY used to send the publications listed above.

Featured

Incident: Frontier Software breach spreads to NSW Health | iTnews

Featured

Incident: ANZ bank apologises after customers' personal information found in Perth skip bin | ABC News (Australia)

Incident: The Good Guys customers possibly affected by data breach at former third-party provider My Rewards | ABC News (Australia)

Incident: Black and White Cabs booking service offline after cyber attack | ABC News (Australia)

Incident: Fire Rescue Victoria investigating security incident | iTnews

Featured

Audit: Western Australia Auditor General's Local Government Financial Audit 2020-21 reports 358 information system control weaknesses

Featured

Audit: WA Auditor General tables the 2021 Financial Audit Results for Universities and TAFEs

Audit: Vic privacy watchdog uncovers third-party infosec risks at four agencies | iTnews

Audit: West Australian Local Government Information Systems Audit Report "a significant area of concern"