Select Page

Audit: Western Australia Auditor General’s State Government Information Systems Audit 2021-22

Audit: Western Australia Auditor General’s State Government Information Systems Audit 2021-22

West Australian State Government Audit Report 22 March 2023

Western Australia Auditor General’s State Government Information Systems Audit 2021-22 566 control weaknesses 34 significant

Cases: malicious insiders no MFA, outage from an unauthorised device, former employee accessing finance system one month after termination.

Western Australia Auditor General Report: Information Systems Audit – State Government 2021-22

Read more Western Australia Auditor General Reports and West Australia incidents.

WA State Gov Audit 2023 1

Auditor General Ms Caroline Spencer said 566 information system weaknesses were reported to 61 entities, compared to 526 findings to 54 entities last year. ‘Concerningly, similar to last year, half of the audit findings were unresolved issues from the previous year.

The report found a significant majority of the entities failed to meet our benchmark in endpoint security, access management and human resource security. Information security control weaknesses were so pervasive in 13 entities they resulted in a record number of qualified audit opinions – a serious matter – related to various data breach risks.

The report includes a number of case studies that the public sector and community can learn from:

  • A former employee accessed an entity’s physical facility, logged on to the entity’s network and accessed the financial system more than one month after their employment had been terminated as the entity had failed to complete exit procedures required to revoke employee’s access to the network and systems.
  • A network outage caused by an unauthorised device interrupted key services.
  • Decades old network equipment leaves an entity, which has a significant number of connected sites, without modern security features to detect or prevent unauthorised devices and attacks – an attack would severely impact that entity’s ability to deliver vitally important services to the community.
  • A malicious insider reset the password of another staff member to gain access to a key business system and copied information. The entity was unaware of the malicious access and data extraction for several months as their access logging and monitoring processes were not working effectively. This inappropriate access could have been prevented or made more difficult if multi-factor authentication was enforced.

WA State Gov Audit 2023 2

 


About The Author

Steven Kirby

I provide independent and practical consultancy services through raising awareness and fostering the energy for change that delivers improved business management of information security governance, risk and compliance.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

More Australian News

Weekly Australian News and Monthly Incident Review Emails

No advertisements, marketing, sales, or unsolicited emails. Your email address is ONLY used to send the publications listed above.

* indicates required


Shares
Share This