Audit: Queensland Audit Office’s State Entities 2022 reports deficiencies in information systems
Queensland Audit Report 16 March 2023
Only 33 per cent of departments have an effective system managing information security risks
Queensland Audit Office Report: State entities 2022
This report summarises the audit results of 253 Queensland state government entities, including the 20 core government departments. It also analyses the consolidated financial performance of the Queensland Government, which we previously reported in our annual state finances report.
Cyber threats continue to intensify in frequency and sophistication. The internet gateway (which monitors the computer traffic to and from the internet) for Queensland Government departments indicates that the number of security attempts has doubled during the year – from 750 million attempts in 2020–21 to 1.5 billion in 2021–22.
While the information security management system (ISMS) maturity of the Queensland Government shows evidence of improvement, the improvement needs to occur at a faster pace. In 2020–21, only 33 per cent of departments reported an operating-level ISMS (where risks are identified, managed, and continuously improved), against the target of 100 per cent set by the Queensland Government Customer and Digital Group.
COMMON WEAKNESSES IN INFORMATION SYSTEMS THAT NEED TO BE ADDRESSED
Managing privileged (system administration) access
Access to system administration allows users to make significant changes to system configuration, bypass security settings, or access sensitive information. The Australian Cyber Security Centre identifies the restricting of system administration access as one of the most effective strategies to mitigate against cyber security incidents.
We reported issues in relation to:
- default accounts (well-known accounts that come as part of system installation) or generic accounts holding system administration access not being secured against unauthorised use. Using generic accounts limits a department’s ability to know who has used the accounts and what activities or transactions that user performed in the system. As a result, the department cannot hold the user accountable for their actions in the system. In addition, these accounts are often targets for those intending to breach or gain unauthorised access to the systems
- limited monitoring to alert departments when their users or external service providers perform high-risk activities with their system administration access
- system administration access not being restricted to authorised personnel in line with their job roles.
Departments need to update their assessment of security risks and practices as technology advances and security loopholes are discovered. We identified the following common weaknesses during the year:
- security configurations were not updated in line with departments’ latest security policies, vendor recommendations, or better practices for managing security
- logging (of use) and monitoring capabilities in the systems were not implemented or improved to collect relevant data for security review or to confirm that the activities of users were appropriate.
Managing user access
The security of information systems relies on departments providing access to the systems only to users who need it to perform their job roles. We continue to observe:
- departments not removing access to the system in a timely way when staff are terminated
- users continuing to have system access even though they have not used the access for an extended period
- departments not regularly reviewing who can access their systems and what they can do in the systems.
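As an added illustration, not part of the audit report or the Queensland Audit Office's own tooling: a small user-access review check in Python that flags the conditions the report lists under both privileged access and user access (generic or default accounts holding administration access, administration access not matching the job role, accounts still enabled after termination, and accounts unused for an extended period). The account records, the role and generic-name lists and the 90-day dormancy threshold are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Assumed thresholds and lists; a department would take these from its own policy.
DORMANT_DAYS = 90
GENERIC_NAMES = {"admin", "administrator", "root", "sa", "guest"}  # default/generic accounts
ADMIN_ROLES = {"system administrator"}                              # roles entitled to admin access


@dataclass
class Account:
    username: str
    role: str                  # job role recorded in the HR system
    privileged: bool           # holds system administration access
    employed: bool             # HR still lists the person as employed
    last_used: Optional[date]  # last login, None if never used


def review_access(accounts: List[Account], today: date) -> List[Tuple[str, str]]:
    """Return (username, issue) pairs for the weaknesses named in the audit."""
    findings = []
    for a in accounts:
        if a.privileged and a.username.lower() in GENERIC_NAMES:
            findings.append((a.username, "generic/default account holds admin access"))
        elif a.privileged and a.role not in ADMIN_ROLES:
            findings.append((a.username, "admin access not aligned to job role"))
        if not a.employed:
            findings.append((a.username, "enabled after termination"))
        if a.last_used is None or (today - a.last_used).days > DORMANT_DAYS:
            findings.append((a.username, f"unused for more than {DORMANT_DAYS} days"))
    return findings


# Constructed sample export of enabled accounts joined with HR status (not real data).
REVIEW_DATE = date(2023, 3, 16)
SAMPLE_ACCOUNTS = [
    Account("admin",  "vendor default",       True,  True,  date(2023, 3, 1)),
    Account("jsmith", "payroll officer",      True,  True,  date(2023, 3, 10)),
    Account("mlee",   "system administrator", True,  False, date(2023, 2, 20)),
    Account("rpatel", "finance analyst",      False, True,  date(2022, 10, 1)),
    Account("akhan",  "system administrator", True,  True,  date(2023, 3, 15)),
]

if __name__ == "__main__":
    for user, issue in review_access(SAMPLE_ACCOUNTS, REVIEW_DATE):
        print(f"{user:8} {issue}")
```

Running it against the sample data reports four findings; only the administrator whose role matches, who is still employed and who logged in recently passes clean.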