West Australian State Government Audit Report 22 March 2023

Western Australia Auditor General’s State Government Information Systems Audit 2021-22 566 control weaknesses 34 significant

Cases: malicious insiders no MFA, outage from an unauthorised device, former employee accessing finance system one month after termination.

Western Australia Auditor General Report: Information Systems Audit – State Government 2021-22

Read more Western Australia Auditor General Reports and West Australia incidents.

Auditor General Ms Caroline Spencer said 566 information system weaknesses were reported to 61 entities, compared to 526 findings to 54 entities last year. ‘Concerningly, similar to last year, half of the audit findings were unresolved issues from the previous year.

The report found a significant majority of the entities failed to meet our benchmark in endpoint security, access management and human resource security. Information security control weaknesses were so pervasive in 13 entities they resulted in a record number of qualified audit opinions – a serious matter – related to various data breach risks.

The report includes a number of case studies that the public sector and community can learn from:

• A former employee accessed an entity’s physical facility, logged on to the entity’s network and accessed the financial system more than one month after their employment had been terminated as the entity had failed to complete exit procedures required to revoke employee’s access to the network and systems.
• A network outage caused by an unauthorised device interrupted key services.
• Decades old network equipment leaves an entity, which has a significant number of connected sites, without modern security features to detect or prevent unauthorised devices and attacks – an attack would severely impact that entity’s ability to deliver vitally important services to the community.
• A malicious insider reset the password of another staff member to gain access to a key business system and copied information. The entity was unaware of the malicious access and data extraction for several months as their access logging and monitoring processes were not working effectively. This inappropriate access could have been prevented or made more difficult if multi-factor authentication was enforced.