Select Page

Audit: Queensland Audit Office’s State Entities 2022 reports deficiencies in information systems

Audit: Queensland Audit Office’s State Entities 2022 reports deficiencies in information systems

Queensland Audit Report 16 March 2023

Queensland Audit Office’s State Entities 2022 reports deficiencies in information systems

Only 33 per cent of departments have an effective system managing information security risks

Queensland Audit Office Report: State entities 2022

Read more Queensland Audit Office reports and Queensland incidents.

QAO Entities 2022 1

This report summarises the audit results of 253 Queensland state government entities, including the 20 core government departments. It also analyses the consolidated financial performance of the Queensland Government, which we previously reported in our annual state finances report.

Cyber threats continue to intensify in frequency and sophistication. The internet gateway (which monitors the computer traffic to and from the internet) for Queensland Government departments indicates that the number of security attempts has doubled during the year – from 750 million attempts in 2020–21 to 1.5 billion in 2021–22.

While the ISMS maturity of the Queensland Government shows evidence of improvement, the improvement needs to occur at a faster pace. In 2020–21, only 33 per cent of departments reported an operating level ISMS (where risks are identified, managed, and continuously improved) versus the target of 100 per cent set by the Queensland Government Customer and Digital Group.

COMMON WEAKNESSES IN INFORMATION SYSTEMS THAT NEED TO BE ADDRESSED

Managing privileged (system administration) access

Access to system administration allows users to make significant changes to system configuration, bypass security settings, or access sensitive information. The Australian Cyber Security Centre identifies the restricting of system administration access as one of the most effective strategies to mitigate against cyber security incidents.

We reported issues in relation to:

  • default accounts (well known accounts that come as part of system installation) or generic accounts, with system administration access not being secured to prevent them from unauthorised use. Using generic accounts limits a department’s ability to know who has used the accounts and the activities or transactions that the user performed in the system. As a result, the department will not be able to hold the user accountable for their actions in the system. In addition, these accounts are often targets for those intending to breach or gain unauthorised access to the systems
  • limited monitoring to alert departments when their users or external service providers perform high-risk activities with their system administration access
  • system administration access not being restricted to authorised personnel in line with their job roles.

Configuring security

Departments need to update their assessment of security risks and practices as technology advances and security loopholes are discovered. We identified the following common weaknesses during the year:

  • security configurations were not updated in line with departments’ latest security policies, vendor recommendations, or better practices for managing security
  • logging (of use) and monitoring capabilities in the systems were not implemented or improved to collect relevant data for security review or to confirm that the activities of users were appropriate.

Managing user access

The security of information systems relies on departments providing access to the systems only to users who need it to perform their job roles. We continue to observe:

  • departments not removing access to the system in a timely way when staff are terminated
  • users continuing to have system access even though they have not used the access for an extended period
  • departments not regularly reviewing who can access their systems and what they can do in the systems.

 


About The Author

Steven Kirby

I provide independent and practical consultancy services through raising awareness and fostering the energy for change that delivers improved business management of information security governance, risk and compliance.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Please follow the Source link to the original article to support the content owner. We only provide a brief summary with metadata to assist in categorisation.

More Australian News

Unfolding in real time: Artificial intelligence is reshaping cybersecurity

Key takeaways The cybersecurity capability of next-generation frontier artificial intelligence (AI) models is increasing rapidly. Large language … [...]

NSW Government Bulletin: Managing employee social media content in the public sector

Over recent years, the increase in social media activity across different platforms has facilitated opportunities for employees to comment on a broad … [...]

Australia: Pixel Perfect – The regulator addresses use of tracking pixels

On 11 June 2026, the Office of the Australian Information Commissioner (OAIC) published two determinations against Medmate Australia Pty Ltd (Medmate) … [...]

Discover how modern corporate investigations are shifting from email to chat and encrypted apps. Learn essential strategies for defensible forensic… [...]

Australian Cyber Aware - As It Was 2606 - June 2026

This monthly review provides a curated summary of Australian and New Zealand cyber, privacy, and information security developments identified during … [...]

Key Trends in Cyber Security and Data Privacy (2026): a General Counsel lens - Governance Institute of Australia

Cyber security and data privacy are now core governance tests – demanding clear decision-making authority, disciplined escalation and evidence that … [...]

OAIC ordered to turn over Amex privacy determination in full

Australia’s privacy watchdog has been told to turn over full details of an investigation into American Express that uncovered security and access … [...]

How to stay cyber secure: Australia’s top cyber agency releases Privileged User Training video series

The new training series offers a pathway for IT professionals to strengthen their cyber security skills and better understand cyber criminal … [...]

NSW Rural Fire Service admits security incident

The NSW Rural Fire Service (RFS) is investigating a cybersecurity incident after a hacker gained access to its information and communications … [...]

Scams surge as cybercrime falls

Cybercrime declined in Australia last year, but fraud and scams bucked the trend and victims have given up complaining, the Australian Institute of … [...]

Generation Life confirms customers impacted in April cyber incident

Aussie investment firm Generation Life has confirmed that customer data was impacted in a cyber attack it suffered back in April. • Fri, 26 Jun 2026 • … [...]

In wake of KPMG scandal, government considers splitting accounting firms' auditing and consulting arms

Accounting firms could be asked to split their lucrative consulting services from their audit functions and individual firm partners could face far … [...]

Shares
Share This

Discover more from Australian Cyber Aware

Subscribe now to keep reading and get access to the full archive.

Continue reading