Information Systems
Audit Report 2019
Mail to:
Perth BC, PO Box 8489
PERTH WA 6849
T: 08 6557 7500
F: 08 6557 7600
E: info@audit.wa.gov.au
W: www.audit.wa.gov.au
Report 20
May 2019
The President, Legislative Council
The Speaker, Legislative Assembly
Caroline Spencer
Auditor General
15 May 2019
Contents
Auditor General’s overview
Introduction
Audit focus and scope
Summary
Recruitment Advertisement Management System – Public Sector Commission
New Land Registry - Titles – Western Australian Land Information Authority
Introduction
Conclusion
Background
Audit focus and scope
Audit findings
Recommendations
Appendix 1 – Cloud application (SaaS) better practice principles
Ensuring good security practices are implemented, enforced and regularly tested should be a
focus and key responsibility for all entities’ executive teams. Continually raising staff
awareness, at all levels, about information and cyber security issues is another proven way
to embed good practice and security hygiene into everyday operations.
Summary
The 4 applications we reviewed all had control weaknesses. Most related to policies and
procedures, and poor information security. We also found weaknesses in controls aimed to
ensure the applications function efficiently, effectively and remain available. We reported 37
findings across the 4 applications. Nine findings were rated as significant, 17 moderate and
11 minor.
Most of the issues we found are relatively simple and inexpensive to fix. Figure 1 shows the
findings for each of the control categories and Figure 2 shows the findings for each of the 4
applications reviewed.
Source: OAG
Introduction
Western Australian (WA) government entities use the Recruitment Advertisement
Management System (RAMS) to manage staff recruitment and redeployments, and to record
severance details. The public use the system to apply for WA government jobs. The system
is externally hosted, and managed by a third-party vendor in a Software as a Service (SaaS)
arrangement. It contains personal identifiable and sensitive information such as names,
addresses, work history, qualifications, bank details and tax file numbers.
Conclusion
RAMS has successfully facilitated a significant number of recruitment processes since the
application was implemented in 2003. However, we identified a number of opportunities to
improve application governance. The Public Sector Commission (the Commission) has not
undertaken or received independent assurance that key vendor managed information
security controls are adequate and operating to ensure the confidentiality, integrity and
availability of information in RAMS.
Further, the Commission cannot demonstrate it is monitoring and managing vendor
compliance in accordance with the service level agreement and so may not be fully informed
of any issues with service delivery or not meeting all users’ needs.
There is also a risk that insufficient business continuity planning could see an outage
impacting recruitment activities across the whole of the WA government.
Poor user access management has the potential to expose personal and sensitive
information to inappropriate access or misuse, particularly as the Commission has kept all
information stored on the system since 2003.
Background
RAMS is a mandated whole of government e-recruitment solution. All relevant WA state
entities must use the application to advertise vacancies, manage redeployments and record
severances. Entities access the application via an internet administration portal. A separate
portal is provided for data analysis and reporting. The public can view vacancies, create a
profile and submit job applications online through multiple job boards (Figure 3).
In 2017-18, RAMS processed about 238,000 applications for almost 15,400 job
advertisements. Currently, there are about 712,000 people with a job seeker profile in the
application.
The vendor manages the underlying environment (network, storage, servers, virtualisation,
operating systems, middleware, runtime, data and applications) and controls to protect the
system.
The Commission retains ownership of the data and the risks to its confidentiality, integrity
and availability (Figure 4). It is also responsible for monitoring delivery of service as per the
SaaS contract arrangement.
Security responsibility    Software (as a service)
Governance                 Entity
Data                       Entity and Vendor
Runtime                    Vendor
Middleware                 Vendor
Operating systems          Vendor
Virtualisation             Vendor
The WA public sector has used RAMS since 2003. The most recent contract extension was
awarded in April 2018 for 2 years. A service level agreement is in place that sets out
expectations of service.
Audit findings
The Commission has not sought adequate assurance on vendor controls
The Commission has not undertaken or received independent assurance that key vendor
managed information security controls are adequate and operating effectively. As a result,
the Commission does not have assurance that information in RAMS is protected to ensure its
confidentiality, integrity and availability.
We identified the following control deficiencies:
• Unsupported software – Some software components that underpin the application are
no longer supported by the software vendors. In addition, 1 component has not had
software updates applied that fix known security vulnerabilities. Unsupported and
out-of-date software increases the risk of attackers using known vulnerabilities to gain
access to sensitive information or disrupt systems.
• Disaster recovery not tested – The vendor has not performed a full disaster recovery
test since 2015. The Commission cannot be certain that it can recover the application
as required.
• Outdated technical specification documentation – The technical documentation
describing the application does not reflect the current application environment. The
Commission cannot be certain that all appropriate controls are in place to protect the
application.
1. https://cloudsecurityalliance.org/download/security-guidance-v4/
Vendor compliance has not been well monitored to ensure RAMS meets
entities’ needs
We identified weaknesses in how the Commission manages the service level agreement
(SLA). These increase the risk that the Commission will not receive the contracted services,
or be aware of issues with the vendor’s service delivery.
In particular, the Commission has not implemented key requirements of the SLA to manage
the contracted service delivery. For example, the Commission has not:
• held annual contract review and periodic contract management meetings
• established, or allocated, a governance body to support forward planning and provide
feedback on vendor performance
• conducted annual user satisfaction surveys since 2013
• received application backup reports and capacity management plans from the vendor.
We note that the Commission does hold quarterly and ad hoc meetings with the vendor. The
Commission informed us that the 3rd quarter meeting is considered to be the annual review of
the contract. However, we found no documentary evidence of an annual contract or SLA
review in our examination of the most recent 3rd quarter meeting agenda or minutes.
1. implement a risk assurance framework for SaaS arrangements and conduct a risk
assessment of the RAMS application and information. Update contractual terms based on
identified risks
Commission response: Agreed
Implementation timeframe: by December 2019
3. establish a suitable mechanism for obtaining feedback from stakeholders in key entities
Commission response: Agreed
Implementation timeframe: by July 2019
4. implement appropriate user account management practices and communicate these to all
entities
Commission response: Agreed
Implementation timeframe: by October 2019
5. review and update the RAMS Business Continuity Plan based on an appropriate Business
Impact Analysis involving key stakeholders, and update contractual availability
requirements, if required.
Commission response: Agreed
Implementation timeframe: by December 2019
Introduction
Our audit focused on the applications within the Advanced Metering Infrastructure used by
the Regional Power Corporation, trading as Horizon Power (Horizon), to record, monitor and
bill for the consumption of electricity. The applications store personal and sensitive client
information such as customer name, address, date of birth and locations where electricity
meters are installed.
Conclusion
The AMI system achieves its purpose. It collects and stores electricity consumption data and
communicates the information to other Horizon business systems.
However, the integrity and confidentiality of the system and information it holds is at risk due
to inadequate background checks and contractor access management. Improved network
and database security controls would also strengthen system integrity.
Background
Horizon is a state government-owned corporation that generates, procures and distributes
electricity to residential, industrial and commercial customers in regional towns and remote
communities. It currently provides electricity to over 100,000 residents and 10,000
businesses.
Horizon has a suite of applications to manage electricity consumption and billing. Together,
they are referred to as Advanced Metering Infrastructure (AMI). These include the MV90,
Velocity, MDR, MData21 and SSN systems. Our audit focused on the MV90 commercial
metering system, and associated applications including the ‘My Account’ portal.
The following figure (Figure 5) shows an overview of information flow across the different
parts of the AMI system.
In October 2016, more than 47,000 ageing electricity meters across regional WA were
replaced with advanced meters. These meters allow Horizon to use the MV90 and other
systems to collect electricity consumption data over the network without staff having to
physically visit customer sites.
Audit findings
There are appropriate processes to detect and remedy consumption errors
before bills are issued, but the value of errors is high
Horizon has good processes to detect and remedy data errors in consumption readings.
Consumption readings occur daily for all advanced meters with network access. The Velocity
system reports significant billing variances for early corrective action where required, and
account managers review bills before they are issued to commercial customers.
In 2017-18, Horizon corrected errors valued at $1.43 billion (Figure 6). These comprised
errors of $1.42 billion for one commercial customer and $8.5 million for other commercial
customers. The $1.42 billion error arose from the manual reading of the customer’s meter
which does not have network access and must be read using a handheld device. Remaining
errors were due to factors such as incorrect rates being applied to a customer, incorrect data
and system changes.
While Horizon resolves errors as they arise, their high value is concerning.
Figure: Firewall, the control that separates the AMI 3G network from the main network and
filters malicious traffic before it reaches the main network. Source: OAG
• Lack of logging and event monitoring policy – A formal activity log and event
monitoring policy is not in place. This increases the risk that monitoring will be
inconsistent and not identify potential problems, trends or ongoing attempts to
compromise systems and information. We found that Horizon has good processes to
capture application and system transactions, and activity. A formal monitoring policy
would significantly strengthen controls.
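A monitoring policy is only useful once it is turned into concrete rules with thresholds, owners and a review cadence. The script below is an added example, not Horizon’s code or the OAG’s audit tooling: it runs two such rules (a burst of failed logins followed by a success, and a privileged action outside business hours or from outside the internal network) over constructed audit log lines. The log layout, field names, thresholds, business hours, the set of privileged actions and the 10.0.0.0/8 internal range are all assumptions chosen for the illustration.

```python
"""Monitoring rules evaluated over constructed application audit log lines.

Added example, not Horizon's code or the OAG's audit tooling. The log layout,
field names, thresholds, business hours and internal address range are all
assumptions chosen for the illustration; a monitoring policy would fix these
per system and state who reviews the alerts and how quickly.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp|user|source IP|action|result, one event per line
SAMPLE_LOG = """\
2019-03-04T02:10:01|svc_meter|10.20.1.5|READ_METER|OK
2019-03-04T02:10:09|svc_meter|10.20.1.5|READ_METER|OK
2019-03-04T08:55:12|jsmith|10.30.4.9|LOGIN|FAIL
2019-03-04T08:55:20|jsmith|10.30.4.9|LOGIN|FAIL
2019-03-04T08:55:31|jsmith|10.30.4.9|LOGIN|FAIL
2019-03-04T08:55:40|jsmith|10.30.4.9|LOGIN|FAIL
2019-03-04T08:55:49|jsmith|10.30.4.9|LOGIN|FAIL
2019-03-04T08:56:02|jsmith|10.30.4.9|LOGIN|OK
2019-03-04T11:02:00|aturner|10.30.4.12|CHANGE_TARIFF|OK
2019-03-04T23:41:07|admin_c|203.0.113.8|CHANGE_TARIFF|OK
"""

# Assumed policy parameters
FAILED_LOGIN_THRESHOLD = 5                      # failures before an alert
FAILED_LOGIN_WINDOW = timedelta(minutes=5)      # ...within this sliding window
PRIVILEGED_ACTIONS = {"CHANGE_TARIFF"}          # actions that change billing outcomes
BUSINESS_HOURS = (7, 19)                        # 07:00 to 19:00 local time
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")


def parse_event(line):
    """Split one pipe-delimited log line into a dict with parsed timestamp and address."""
    ts, user, src, action, result = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "src": ipaddress.ip_address(src), "action": action, "result": result}


def evaluate(log_text):
    """Return a list of (rule, user, source) alerts raised by the sample rules."""
    events = sorted((parse_event(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    alerts = []
    recent_failures = defaultdict(list)   # user -> timestamps of failures in the window
    flagged_users = set()

    for e in events:
        if e["action"] == "LOGIN":
            window = recent_failures[e["user"]]
            if e["result"] == "FAIL":
                window.append(e["ts"])
                # keep only failures inside the sliding window
                window[:] = [t for t in window if e["ts"] - t <= FAILED_LOGIN_WINDOW]
                if len(window) >= FAILED_LOGIN_THRESHOLD and e["user"] not in flagged_users:
                    alerts.append(("repeated_failed_logins", e["user"], str(e["src"])))
                    flagged_users.add(e["user"])
            elif e["user"] in flagged_users:
                # a success straight after a burst of failures is the event worth investigating
                alerts.append(("login_success_after_failures", e["user"], str(e["src"])))
                flagged_users.discard(e["user"])
                window.clear()
        if e["action"] in PRIVILEGED_ACTIONS:
            out_of_hours = not (BUSINESS_HOURS[0] <= e["ts"].hour < BUSINESS_HOURS[1])
            external = e["src"] not in INTERNAL_NET
            if out_of_hours or external:
                alerts.append(("privileged_action_anomaly", e["user"], str(e["src"])))
    return alerts


if __name__ == "__main__":
    for rule, user, src in evaluate(SAMPLE_LOG):
        print(f"{rule:30} user={user} source={src}")
```

On the sample the rules raise three alerts: the fifth failed login for jsmith, the success that follows it, and the tariff change made at 23:41 from a non-internal address. The two daytime tariff changes and the service account reads raise nothing, which is the point of writing thresholds down: the same events either are or are not reviewed consistently, rather than depending on who happens to look at the log.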
1. Determine, and where necessary resolve, the causes of consumption reading errors
Horizon response: Agreed
Implementation timeframe: by December 2019
2. develop appropriate policies and procedures to conduct adequate staff and contractor
background checks
Horizon response: Agreed
Implementation timeframe: by July 2019
3. review manual processes and consider the use of digital forms and processes
Horizon response: Agreed
Implementation timeframe: by July 2019
Introduction
The Office of State Revenue (State Revenue) processes local government entities’ (LGs)
claims for reimbursement of the concessions they pay to eligible pensioners and seniors,
using the Pensioner Rebate Scheme (PRS) system and its Pensioner Rebate Exchange (PRX)
interface.
LGs use PRX to exchange claims information with State Revenue.
PRS and PRX were developed and are maintained by State Revenue.
Conclusion
The PRS and PRX effectively support State Revenue and LGs to process reimbursement
claims. The rebate calculation process works well. However, State Revenue has not
performed land ownership and occupancy checks since 2005. This increases the risk of
concessions being paid to ineligible individuals.
Weak access controls and a lack of disaster recovery planning may also compromise the
confidentiality, integrity and availability of information in PRS and PRX. State Revenue also
does not effectively protect its systems from the threat of cyber-attacks.
Background
State Revenue is a business unit of the Department of Finance. It collects duties and
taxes, and administers several grants and subsidies paid to the community.
It also manages LG claims in line with the Rates and Charges (Rebates and Deferments) Act
1992 (the Act). To be eligible for rebates and deferments on LG rates (sewerage, drainage
and underground electricity) and emergency services levy charges, a person must:
• register with the Water Corporation or relevant Local Government as a pensioner or
senior under the Act
Audit findings
State Revenue does not perform land ownership and occupancy checks, which
increases the risk of payments being made to ineligible individuals
State Revenue does not perform land ownership and occupancy checks as required by the
Act. State Revenue took over this responsibility from LGs in 2003 but stopped doing the
checks in 2005. Appropriate validation processes reduce the risk of incorrect concessions
being paid to pensioners and seniors.
We were told by State Revenue that the checks stopped because a high number of payment
claims were falsely rejected due to inaccurate land occupancy and ownership information in
LG claim files and State Revenue records. State Revenue did not inform LGs that the checks
had stopped until June 2018.
In 2010, we made a similar finding that PRS did not perform land ownership and occupancy
checks against land records². Nearly a decade after that finding, the function has still not
been fixed. State Revenue told us that it will now fix this by June 2019.
2. General Computer Controls Audit FY 2009-10
Security vulnerabilities are not well managed, leaving PRS and PRX exposed to
attack
There is insufficient security vulnerability management. We found:
• over 600 vulnerabilities on workstations due to unsupported third party applications and
missing security updates (patches)
• State Revenue has not installed anti-malware software on the PRS production (live)
server
• State Revenue does not have a process to identify vulnerabilities in PRS or PRX.
Vulnerabilities could be exploited by attackers to gain unauthorised access to sensitive data
or interrupt State Revenue’s business. Timely patching of software reduces the footprint for
potential attacks.
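The two conditions behind this finding, vendor support that has ended and security fixes that have been released but not applied, are the same ones reported for RAMS earlier in this report. As an added example (not State Revenue’s, the Commission’s or the OAG’s tooling), the script below runs exactly those two checks over a constructed software inventory and counts findings per host so the production server is remediated before the workstations. Product names, versions, support dates and the advisory table are assumptions; in practice they would come from an asset register, vendor lifecycle pages and vulnerability advisories.

```python
"""Flag unsupported and unpatched software in a constructed inventory.

Added example, not State Revenue's, the Commission's or the OAG's tooling. The
inventory, product names, versions, support dates and advisory data are all
constructed for the illustration.
"""
import re
from datetime import date

# Date of the report, used as "today" for the support-status check
REPORT_DATE = date(2019, 5, 15)

# Constructed inventory: (host, product, installed version, vendor end-of-support date or None)
INVENTORY = [
    ("ws-001", "ExampleViewer", "9.3.1", date(2017, 4, 30)),
    ("ws-001", "ExampleRuntime", "8.0.171", date(2024, 12, 31)),
    ("ws-002", "ExampleRuntime", "8.0.211", date(2024, 12, 31)),
    ("prs-prod", "ExampleDbServer", "11.0.5", None),        # None: no end date announced
    ("prs-prod", "ExampleWebFramework", "2.5.0", date(2019, 1, 15)),
]

# Constructed advisory data: lowest version that contains the security fix
ADVISORIES = {
    "ExampleRuntime": "8.0.201",
    "ExampleDbServer": "11.0.7",
    "ExampleWebFramework": "2.6.0",
}


def parse_version(text):
    """Numeric version tuple, so '8.0.9' < '8.0.10' compares correctly (string compare would not)."""
    return tuple(int(n) for n in re.findall(r"\d+", text))


def assess(inventory, advisories, today):
    """Return (host, product, condition, detail) for each unsupported or unpatched item."""
    findings = []
    for host, product, version, end_of_support in inventory:
        # Condition 1: the vendor no longer supports the installed product
        if end_of_support is not None and end_of_support < today:
            findings.append((host, product, "unsupported",
                             f"vendor support ended {end_of_support.isoformat()}"))
        # Condition 2: a security fix exists in a later version than the one installed
        fixed_in = advisories.get(product)
        if fixed_in and parse_version(version) < parse_version(fixed_in):
            findings.append((host, product, "missing_security_update",
                             f"installed {version}, fixed in {fixed_in}"))
    return findings


def summarise(findings):
    """Count of findings per host, a simple basis for ordering remediation."""
    counts = {}
    for host, *_ in findings:
        counts[host] = counts.get(host, 0) + 1
    return counts


if __name__ == "__main__":
    results = assess(INVENTORY, ADVISORIES, REPORT_DATE)
    for host, product, condition, detail in results:
        print(f"{host:10} {product:22} {condition:24} {detail}")
    print(summarise(results))
```

A product can be both unsupported and missing a fix (the web framework here), and an unsupported product with no advisory entry is still a finding, because no fix will ever arrive for it. Comparing versions numerically rather than as strings matters for the same reason the finding does: a check that silently misorders "8.0.9" and "8.0.10" reports a patched host as patched when it is not.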
State Revenue may not be able to recover PRS and PRX following a major
incident or disruption
State Revenue does not have an information technology Disaster Recovery Plan for PRS
and PRX. This could compromise the availability of the system following a major incident or
disruption. State Revenue told us that Disaster Recovery Plans for other systems may help
recover PRS and PRX, but it has not tested recovery.
State Revenue’s technical support documentation for PRS and PRX is not up to date and
does not describe the current system environments. We found some documentation had not
been reviewed since 2001. State Revenue may not have the technical documentation needed
to recover the system in the event of a major incident or disruption.
1. update its information security policy and processes to better manage user access
State Revenue response: Agreed
Implementation timeframe: by August 2019
2. reinstate validation of identity processes and checks of land ownership and occupancy in
accordance with the Act
State Revenue response: Agreed
Implementation timeframe: by July 2019
4. develop and implement an effective framework to log and monitor key changes to PRX
and PRS
State Revenue response: Agreed
Implementation timeframe: by December 2019
6. develop and regularly review information technology Disaster Recovery Plans for PRX
and PRS.
State Revenue response: Agreed
Implementation timeframe: by December 2019
Introduction
The New Land Registry – Titles (NLR-T) application is used by the Western Australian Land
Information Authority, trading as Landgate, to manage property ownership and location
information records for Western Australia. The NLR-T partially automates the previous
paper-based land registration process. The NLR-T was developed and is maintained as part
of an outsourced ICT arrangement using public cloud infrastructure. This arrangement is
jointly managed by a Landgate subsidiary co-owned with a third party vendor.
Conclusion
The NLR-T application works as intended and allows Landgate to effectively manage land
title transactions. However, Landgate’s management of user access and information could
be improved to protect the confidentiality and integrity of information in the NLR-T. Data
verification and external network security reviews will further strengthen the security of the
system and information.
Background
Landgate is one of the oldest state government entities. It manages property and land
information and maintains the State’s official register of land ownership under the Transfer of
Land Act 1893 (the Act).
Landgate uses the NLR-T to manage land title information, including transfers of ownership,
mortgages, and discharge of mortgages. In 2017, the NLR-T processed over 1.4 million titles
and $36.2 billion worth of transactions.
Prior to 2015, Landgate used the Smart Register system to manage land ownership.
However, the aging technology became costly to maintain and lacked the flexibility needed to
suit business needs.
The application was built by the jointly-owned subsidiary using modern principles and is
maintained on a cloud platform. Implementation started in June 2015 and was completed in
January 2017. The NLR-T was delivered in stages to minimise the impact on Landgate’s
business. The NLR-T replaced the old Smart Register system.
Audit findings
Changes to land information are not reviewed
Landgate does not review transactions in the NLR-T for accuracy. It stopped these reviews in
2016. From a review of 8 land transactions in 2018, we identified 2 land title changes that
were made without appropriate delegation. This increases the risk of erroneous or
inappropriate changes to NLR-T information, and is a breach of the Act. However, we found
the 2 transactions had appropriate documentation to support the changes.
Landgate should:
1. review its access policies, procedures and controls to ensure they are implemented
effectively
Landgate response: Agreed
Implementation timeframe: by July 2019
2. assess the risks around not performing land registry transaction reviews and ensure
implemented controls align with this assessment
Landgate response: Agreed
Implementation timeframe: by July 2019
5. consider a review of delivery and the cost of services under the Master Agreement, and
ensure appropriate controls and assurances are maintained in any future commercialised
arrangement.
Landgate response: Agreed
Implementation timeframe: by July 2019
Landgate has extended its security framework to further strengthen its infrastructure,
taking additional steps to mitigate risks:
• ICT Security monitoring extended to 24/7 coverage;
• Additional vulnerability-detection software deployed to bolster internal testing;
• A provider for external penetration testing is currently being procured.
Access to NLR-T is now independently managed via Landgate’s Service Now application
ensuring an audit trail of access and approvals, including appropriate authorisation.
The recommendation regarding the protection of sensitive information, including credit
cards, relates to a business control that is not specific to the NLR-T. Changes have been
made to how Landgate captures the submission of customers’ credit card details, with
long-term back-ups now encrypted.
Landgate has renegotiated its Master Services Agreement with ICT service provider,
Advara Ltd. The new agreement has been reviewed independently. The governance
framework requires all services to be reviewed monthly for performance and delivery
outcomes, with comprehensive service level agreement reporting.
Conclusion
We reported 547 general computer controls issues to the 47 state government entities
audited in 2018, compared with 539 issues at 47 entities in 2017.
There was a small increase in the number of entities that met our expectations across all 6
control categories: 13 entities met our expectations, compared with 10 in 2017.
While system change controls and physical security are managed effectively by most
entities, fewer entities met our expectations in these categories in 2018. The 2 categories of
information security and business continuity continue to show little improvement over the last
11 years. We saw an increase in the number of entities with defined business continuity
controls, but half of the entities we reviewed still do not manage this area well. The majority
of issues we identified can be easily addressed with better information security management
and by keeping processes to recover data and operations in the event of an incident up to date.
By not prioritising the security and continuity of information systems, entities risk disruption to
the delivery of vital services to the community and compromise the confidentiality and
integrity of the information they hold. Embedding a security culture across all levels of an
organisation is essential to building a cyber and information security aware workforce.
Background
We use the results of our GCC work to inform our capability assessments of entities.
Capability maturity models are a way to assess how well developed and capable the
established IT controls are. The model provides a benchmark for entity performance and
means for comparing results from year to year.
The model we have developed uses accepted industry good practice as the basis for
assessment. Our assessment of GCC maturity is influenced by various factors. These
include: the business objectives of the entity; the level of dependence on IT; the
technological sophistication of their computer systems; and the value of information
managed by the entity.
Audit findings
Our capability maturity model assessments show that entities need to establish better
controls to manage information security, business continuity and IT risks. Figure 1
summarises the results of the capability assessments across all 6 control categories for the
39 entities we assessed. We expect entities to achieve a level 3 (Defined) rating or better
across all the categories.
3. The information within this maturity model assessment is based on the criteria defined within the Control
Objectives for Information and related Technology (COBIT) manual.
The percentage of entities rated level 3 or above for individual categories was as follows:
The 2018 results show a decline in 4 of the 6 categories. Business continuity continued to
show improvement, however, it is still of concern that only half of the entities were
adequately controlled in this area.
Of the entities we review every year there are only 4 that have consistently demonstrated good
practices across all control categories assessed:
• Department of the Premier and Cabinet (6 years at level 3 or higher)
• Racing and Wagering Western Australia (5 years at level 3 or higher)
• Western Australian Land Information Authority (3 years at level 3 or higher)
• Curtin University (3 years at level 3 or higher)
Figure 2: Information security. Source: OAG
Note: Green represents the percentage of entities that met the benchmark and red represents
the entities that did not meet the benchmark.
Continually raising staff awareness at all levels, about information and cyber security issues
is a proven way to embed good practice and security hygiene into everyday operations.
Business continuity
To ensure business continuity, entities should have in place an up to date business continuity
plan (BCP), disaster recovery plan (DRP) and incident response plan (IRP). The BCP
defines and prioritises business critical operations and therefore determines the resourcing
and focus areas of the DRP. The IRP needs to consider potential incidents and detail the
immediate steps to ensure timely, appropriate and effective response.
These plans should be tested on a periodic basis. Such planning and testing provides
important rapid recovery of computer systems in the event of an unplanned disruption to
business operations and services. Senior executives should monitor that plans are
developed and tested in accordance with the risk profile and appetite of the entity.
We examined whether plans had been developed and tested. We found a 13% improvement
from last year; however, 50% of the entities still did not have adequate business continuity
and disaster recovery arrangements in place. The trend over the last 11 years shows that
entities are not giving sufficient priority to disaster recovery and continuity.
Management of IT risks
Sixty-nine percent of entities met our expectations for managing IT risks, a 33% improvement
since our first assessment in 2008. Entities showed improved management controls over IT
risks.
IT operations
The share of entities whose IT practices and service level performance met their business
needs increased by 7% compared to the previous year. There has been a steady improvement
since 2011, when we first added this area to the CMM.
Effective management of IT operations is key to maintaining data integrity and ensuring that
IT infrastructure can resist and recover from errors and failures.
We assessed whether entities had adequately defined their requirements for IT service levels
and allocated resources according to these requirements. We also tested whether service
and support levels within entities were adequate and meet good practice. Other tests
included whether:
• policies and plans were implemented and working effectively
• repeatable functions were formally defined, standardised, documented and
communicated
Figure 8: IT operations. Source: OAG
Note: data only available from 2011 when we added this area to the CMM.
Change control
We examined whether system changes are appropriately authorised, implemented, recorded
and tested. We reviewed any new applications acquired or developed to evaluate
consistency with management’s intentions. We also tested whether existing data converted
to new systems was complete and accurate.
Although we saw a 9% decrease in performance in this category, change control practices
have slowly been improving since 2008, with over 70% of entities achieving a level 3 or
higher rating.
Physical security
We examined whether computer systems were protected against environmental hazards and
related damage. We also reviewed whether physical access restrictions were implemented
and administered to ensure that only authorised individuals had the ability to access or use
computer systems.
Seventy-six per cent of entities met our expectations for the management of physical
security. However, this represents a 14% decrease from 2017 in the number of entities that
met our expectations for physical security.
2. Business continuity
Entities should have an up to date business continuity plan, disaster recovery plan and
incident response plan. These plans should be tested on a periodic basis.
3. Management of IT risks
Entities need to ensure that IT risks are identified, assessed and treated within
appropriate timeframes and that these practices become a core part of business activities
and executive oversight.
4. IT operations
Entities should ensure that they have appropriate policies and procedures in place for key
areas such as IT risk management, information security, business continuity and change
control. IT strategic plans and objectives should support entities’ strategies and objectives.
The OAG recommends the use of standards and frameworks as references to assist entities
with implementing good practices.
5. Change control
Change control processes should be well developed and consistently followed for
changes to computer systems. All changes should be subject to thorough planning and
impact assessment to minimise the occurrence of problems. Change control
documentation should be current, and approved changes formally tracked.
6. Physical security
Entities should develop and implement physical and environmental control mechanisms to
prevent unauthorised access or accidental damage to computing infrastructure and
systems.
Vendor: Knowing who the vendor is and what they do. Vendor reputation and its compliance
with recognised security standards should be assessed. The Australian Cyber Security Centre
maintains a list⁵ (CCSL) of Australian government certified cloud vendors.
Data ownership: Contracts should clearly state who has legal ownership of any data during
and after the contract.
Data retention and deletion: Contracts should clearly define the data retention method and
period.
Access to data and monitoring: Controls to restrict and monitor access to data should be in
place.
Security breaches: Contracts should clearly define how the vendor must report security
breaches and include penalties and indemnities. Entities should have access to relevant
evidence (e.g. logs) for forensic investigations.
4. https://www.cyber.gov.au/publications/cloud-computing-security-considerations
5. https://acsc.gov.au/infosec/irap/certified_clouds.htm