Information Systems
Audit Report
2 Information Systems Audit Report l Western Australian Auditor General
THE PRESIDENT
LEGISLATIVE COUNCIL
THE SPEAKER
LEGISLATIVE ASSEMBLY
INFORMATION SYSTEMS AUDIT REPORT
I submit to Parliament my Information Systems Audit Report under the provisions of sections 24 and 25
of the Auditor General Act 2006.
GLEN CLARKE
ACTING AUDITOR GENERAL
24 March 2010
Contents
Auditor General’s Overview 4
IS Compliance Audit: Security of Laptop and Portable Storage Devices 5
Application and General Computer Controls Audits 17
Application Controls 20
General Computer Controls and Capability Assessments for Agencies 24
Auditor General’s Overview
This is the second annual Information Systems Audit Report tabled by this Office. Following the inaugural
2009 report, I have been encouraged by feedback that the reported results provide an important
performance benchmark for agencies.
This report has two sections covering three items:
• Information systems compliance audit
  – Security of laptop and portable storage devices.
• Application and general computer controls audits
  – Application controls
  – General computer controls and capability assessments of agencies.
The first item of the report, ‘Security of laptop and portable storage devices’, rounds out a four year focus
on various aspects of Information Systems security. This year’s audit looked at how agencies manage
the physical security of laptops, mobile phones, media players and flash drives and at the security of
information stored on those devices.
Laptops and other portable storage devices offer benefits through allowing flexible work arrangements
and easy access, storage and transfer of large amounts of data. However their portability also places
them at greater risk of being lost or stolen. Information stored on portable devices also needs to
be adequately protected. None of the seven agencies we reviewed had adequately considered or
addressed these risks.
Our audit of four key business applications at four agencies found weaknesses in security and data
processing controls that could potentially impact delivery of key services to the public. Our general
computer control audits involved assessing 52 agencies and benchmarking 42 against good practice for
IS management. Forty-five per cent of agencies failed to meet the benchmark.
While we have seen some good practice and some signs of improvement, too many agencies continue to
ignore the risks from not effectively managing their information systems. The standards and frameworks
we audit against do not place unrealistic expectations on agencies and are generally accepted across
all industries. I strongly urge senior management of agencies to act on the recommendations of this
report.
IS Compliance Audit: Security of Laptop and Portable Storage Devices
Western Australian Government agencies own and use large numbers of laptop computers and other
portable storage devices (PSDs) – including flash drives, portable hard drives and mobile phones. These
devices can hold large volumes of information. The portability of laptops and PSDs allows flexible work
arrangements and easy transfer of information. However, their portability also increases the risk that
they will be lost or stolen. On average about 250 laptops are reported stolen by agencies each year.
Without adequate safeguards in place these losses can easily result in unauthorised access to sensitive
information.
Agencies therefore have a responsibility to manage these items effectively. This includes protecting the
physical assets and ensuring appropriate security for the information stored on them. The challenge
facing agencies is to meet security needs without restricting the benefits that portable devices offer.
This is the fourth and last in a series of information systems compliance audits we have carried out
since 2007 that has focused on information security. The previous examinations were: Protection of
personal and sensitive information held in databases (Report 2, 2009); Information security: disposal of
government hard drives (Report 1, 2008); and Security of wireless local area networks in government
(Report 3, 2007).
This examination assessed whether seven government agencies were effectively managing their
laptops and PSDs to reduce the risk of loss or theft and subsequent access to sensitive information. The
agencies were:
• Curriculum Council
• Department of Commerce
• Department of Education (Central Office)
• Department of Water
• Royal Perth Hospital
• Western Australia Police
• WorkCover WA
All seven agencies lacked comprehensive management, technical and physical controls over their
laptops and PSDs to minimise the risk of them being lost or stolen and of sensitive information being
accessed. More serious weaknesses included:
• not knowing the number of laptops or PSDs owned, who had them, or where they were located
• ineffective controls to prevent information being accessed if a laptop was lost or stolen
• basic security weaknesses including inadequate access controls and failure to implement vendor
security patches to fix known security flaws
• gaps in relevant policies and procedures including action to be taken in the event of a laptop or
PSD being lost or stolen.
• The Department of Commerce and Royal Perth Hospital did not have up-to-date registers to track
laptops and so did not know how many laptops they owned. The lack of this information increases
the risk that laptops and information stored on them will be lost without agencies knowing. It also
limits effective asset planning and replacement.
• None of the agencies had complete knowledge of the number of PSDs they owned or the potential
security risks of their PSDs. Only two agencies – Western Australia Police (WAP) and WorkCover WA
– had registers to track portable hard drives.
• WAP was the only agency that had addressed the risks associated with flash drives. Staff are only
allowed to use the encrypted devices they are issued.
• All agencies used system logons on their laptops. However, all agencies had weaknesses in other
fundamental access controls:
  – Five agencies had not ensured that boot passwords were systematically used on laptops.
Department of Commerce and Royal Perth Hospital had activated ‘boot’ passwords on some
individual and unit/branch computers. When activated, boot passwords protect information
on computer hard drives from being accessed by unauthorised users, even if the hard drive is
removed from the computer. All laptops have this capability.
  – Four agencies – the Curriculum Council, the Department of Water, Royal Perth Hospital and
the Department of Education (Central Office) – did not use screen lock-outs. These require a
password to unlock a computer if it is not used for a set period of time.
• Six agencies had not used basic security controls on laptops to protect them from dangers
associated with connecting to external networks. This increased the risk of unauthorised access to
sensitive data on the laptops and/or on network systems.
  – Only WorkCover had enabled local firewalls on its laptops. Local firewalls are necessary to protect
laptops from external threats from the internet when they are connected outside their home
networks. Only WorkCover and WAP had controls in place to prohibit users from connecting
their laptops to external networks.
  – Four agencies – the Curriculum Council, the Department of Water, the Department of Commerce
and WAP – had not updated software patches on their laptops. While the Department of
Commerce did have an automated patch update program, it was not working. Product vendors
release software patches regularly to fix critical security flaws.
• Only WAP had comprehensive policies and procedures, including those dealing with the use and
security of PSDs. The Curriculum Council had weaknesses in all policy and procedure areas.
• All agencies should ensure that they have adequate information about their portable IT assets. In
particular:
  – they should maintain comprehensive registers for their laptops
  – they should consider the best way to record information about PSDs.
• All agencies should ensure that basic access controls – ‘boot’ passwords and screen lock-outs – are
activated as standard.
• Agencies should ensure that their external security controls and practices – including updating
patches, and firewall strategies – meet their security needs.
• All agencies should assess the threats and vulnerabilities to their laptops and PSDs and implement
policies, procedures and practices to mitigate those risks. This will likely include deciding about:
  – accessing external networks
  – different rules for different types of information and devices
  – the need for laptops and PSDs.
Curriculum Council – An Information and Communications Technologies security policy and
procedures plan is being developed covering laptops, portable storage devices, security of data and
physical security of equipment.
Progress is being made for all laptops on:
• boot passwords and BIOS passwords
• removal of local administrator rights
Department of Commerce – The Department agrees with the findings and has:
• implemented an IT Asset Management module to provide a single register for laptop information
and to emulate the physical stocktake process
• updated software patches on all laptops which connect to the Department’s network
Other actions in progress are:
• development of policy and procedures dealing with PSDs, external network connections and
missing assets
• risk assessment to determine information classification levels and the appropriateness of local
firewalls and boot passwords.
Department of Education – The Department of Education will consider the ndings of the audit
and the recommendations of the Auditor General to determine the appropriate action to be taken.
Improvements in our security procedures for all portable storage devices are continually sought to
ensure the security of the stored information.
Department of Water – The Department of Water has taken steps to address the issues and will continue
to implement changes to improve security for laptops.
Department of Health – The Department of Health, on behalf of Royal Perth Hospital (RPH), accepts
the findings and implications set out in the OAG’s report of its examination. Steps to address the
most important of the examination’s recommendations have already been taken. Action in relation
to the other recommendations is being assessed by RPH management and other areas of WA Health,
particularly the Health Information Network, and will form part of WA Health’s ongoing endeavours to
improve its information and communication technology governance framework.
WorkCover WA – WorkCover WA is actively working towards addressing the areas of concern identified
in the audit. A comprehensive Portable Storage Device Policy that covers all aspects of use of PSDs
is in the final stages of management approval. WorkCover WA will also be implementing the use of
encrypted flash drives throughout the agency.
Most agencies have an increasing number of laptops and use a variety of PSDs. PSDs include mobile
phones with storage, USB memory sticks (flash drives), media players, CDs, DVDs and portable hard
drives. Their portability assists with information access and sharing and can make working life easier
and more effective. However, their size and portability increases the risk of them being lost or stolen.
In the last two years there have been a number of high profile incidents in the United Kingdom where the
loss or theft of laptops and PSDs has led to serious data breaches. There have also been cases reported
in Australia where laptops containing personal and sensitive information have been lost or stolen.
Fifty-six State Government agencies reported 750 laptops stolen or lost with a total value of $828030
in the three years to 2009. In addition to the loss of the asset, many of these devices are likely to have
contained sensitive data. This creates a significant risk of data breaches through unauthorised access to
the information stored on the devices.
To mitigate these risks, agencies should have two basic types of controls in place. The first are physical
tracking and security controls to minimise the risk that laptops or PSDs will be lost or stolen. The second
are information security controls to prevent access to information stored on these devices if they are
lost or stolen.
Physical tracking and security controls include keeping good records of assets. These should include
listing where the assets are, who has them and if the assets have up-to-date patches and software
licences.
Information security controls include good lock-out measures – including differing levels of passwords
and encryption. These help limit opportunities for unauthorised people to access information on
devices. Figure 1 illustrates the types of devices and the controls that can be used.
Figure 1: Types of portable storage devices
Information security controls:
• Appropriate data policies
• System and logon passwords
• Keypad locks
• Encryption
• External device controls
Physical tracking and security controls:
• Asset registers
• Safe storage and handling to minimise risk of loss or theft
We examined seven agencies that have reported theft and loss of laptops. These agencies maintain
various types of sensitive information including financial, medical, legal and educational records.
Having suffered these losses, we expected that these agencies would have acted to put good controls
in place. The agencies were:
• Curriculum Council
• Department of Commerce
• Department of Education (Central Office)
• Department of Water
• Royal Perth Hospital
• Western Australia Police
• WorkCover
The Department of Education reported 561 laptops lost or stolen from its total of more than 26000.
This is 75 per cent of all those reported lost or stolen in this period. The Curriculum Council lost the next
largest number – 24 – but 22 of those were lost in one break-in to their offices. Only two other agencies
reported double figures – 10 and 11 lost in the period. The agencies in our examination represent 81
per cent of losses in this period. Table 1 shows the agencies we examined and the numbers and value
of laptops they have reported lost.
Agency                      Total number of    Number of laptops       Insured value of
                            laptops in 2009    reported lost/stolen    lost/stolen laptops
                                               2006-09
Curriculum Council                      100            24**                 $31036
Department of Commerce                    *               5                  $7166
Department of Education              26 278             561                $580434
Department of Water                     289               5                  $7464
Royal Perth Hospital                      *               4                  $4200
Western Australia Police               1443               4                  $9509
WorkCover                                40               5                  $1325
Total                                28 150             608                $641134
Table 1: Laptops reported lost
All agencies had reported some lost laptops in the past three years.
* Figures not available for these agencies (see below for detail).
** 22 laptops were lost in a single break-in to one Curriculum Council building.
Source: Insurance Commission of WA and OAG
Our objective was to determine whether agencies have implemented appropriate management,
technical and physical controls over laptops and portable storage devices to reduce the risk of them
being lost or stolen and of sensitive information being accessed.
Specifically we examined whether agencies had:
• appropriate policies and procedures
  – defining the use and security of laptops and PSDs
  – in the event of laptops and PSDs being lost or stolen
  – covering sensitive or personal information stored on laptops and PSDs.
• accurate registers detailing agency laptops and PSDs – information about how many assets they
had, and who had them
• appropriate guidelines and controls to physically secure equipment inside and outside of the
agency
• adequate controls in place to prevent unauthorised access to and removal of any sensitive or
personal information stored on the equipment.
We tested a sample of laptops and PSDs in each agency. This involved testing whether they were subject
to logical and physical controls to restrict access to authorised users and to maintain the confidentiality
of the data stored on them. We also examined the accuracy of asset records for these devices.
At the Department of Education and WAP we tested policies generally, but only tested laptops and PSDs
at head office. We tested Royal Perth Hospital devices and policies, but included general Department of
Health policies, procedures and guidance where relevant.
We conducted the audit in accordance with Australian Auditing Standards.
We expected the agencies to have clear knowledge of their portable IT assets, particularly laptops. We
found that five of the agencies had reasonable registers of laptops, but only one had such knowledge
across PSDs.
A basic requirement of good asset management is to have a clear understanding of the numbers and
age of assets. Without this, agencies are limited in their ability to protect the assets, and to plan for their
replacement and maintenance. Computer assets also need to be tracked for other reasons:
• to ensure software updates and patches are in place, and software licences are current
• to recognise and take appropriate action in the event of them being lost or stolen
• to comply with the intent of Treasurer’s Instruction 410. This requires that all portable or attractive
assets should be appropriately managed, and suggests that such assets should be on a register.
We found appropriate registers of laptops at five agencies, although three of the registers had some
inaccuracies. Each of these agencies had conducted stocktakes to test the registers.
Neither Royal Perth Hospital (RPH) nor the Department of Commerce (DoC) had accurate records of
their laptops. RPH had two lists recording the numbers of laptops. One listed 601 laptops while the
other listed 324. Further, RPH had not conducted stocktakes and did not have an ongoing process
to update laptop information. As a result, RPH could not provide any assurance on the number of its
laptops, where they were, or who had them.
DoC also had an inadequate recordkeeping system for its IT equipment including laptops. DoC ceased
to maintain a register of IT equipment in September 2008 when it changed its threshold for capitalising
assets from $1000 to $5000.
Without proper registers, RPH and DoC could not conduct stocktakes or be confident of knowing
whether any of these assets have been lost or stolen. They also could not ensure that they had the
correct numbers of software licences or that the software patches were up-to-date.
Our examination covered the three main types of PSD used in agencies:
• mobile phones (practically all of which now have memory and email/browsing capability)
• portable hard drives
• flash drives.
All agencies had registers for mobile phones, but only WAP and WorkCover had listings of portable hard
drives.
Flash drives are extremely common in workplaces and are also commonly owned by individuals. We
found private flash drives in use in all seven agencies; however, no agency had employed any controls
to restrict the use of these drives. Such devices constitute a security risk that is hard to manage. It is
important that agencies understand the technology used in their organisation. This should inform
policy and training decisions about access, usage, and necessary levels of security. We found that no
agency had comprehensive knowledge of their PSD assets, although WAP had taken steps to limit the
risks posed by these technologies.
Flash drives are the most common, most mobile, and arguably most easily lost or stolen of all PSDs. Six of
the seven agencies had no clear idea of how many they owned, or which staff had them. These agencies
also lacked policies and procedures about PSDs in general and flash drives in particular. However, the
WAP did have policies (see below) including a new policy to issue only encrypted flash drives to staff.
Even if they are lost or stolen, the information on such devices cannot be accessed by unauthorised
users.
We expected that the seven agencies would have all basic security controls in place to protect
information on portable IT devices from unauthorised use. These controls include limiting access to the
information held on the devices, and protecting the devices and ‘home’ networks from external threats.
It is also possible to prevent data being copied from laptops to USB devices. We found that all agencies
employed basic access controls but other simple and effective access controls were not utilised. We
also found that only one of the seven agencies was adequately protecting laptops from the risks of
connecting them to external networks such as the internet.
The other key component of protection is comprehensive policies and procedures. Only one agency had
policies which explicitly dealt with PSDs. All other agencies had weaknesses in some policy/procedure
areas.
A range of basic controls exist to protect information within laptops or information that can be accessed
through them. If in place, these controls make it difficult for individuals inside an organisation to access
any unauthorised information and for outsiders to access information using a lost or stolen computer.
The key initial control to secure information is a ‘boot’ password. This is employed when a laptop is first
turned on. It helps prevent unauthorised people from accessing the operating system and therefore
from accessing information stored on the laptop. These passwords also protect information from
unauthorised access even if the computer hard drive is removed from the computer. All modern laptops
can use boot passwords.
None of the seven agencies employed boot passwords as a normal precaution. Some limited use of
boot passwords was found in laptops at RPH and in one division at DoC. DoC advised they had assessed
the risk of information contained on their laptops and had implemented boot passwords on that basis.
While no agency used boot passwords effectively, all seven agencies had various other controls in
place. All agencies used network passwords. These passwords prevent unauthorised users from easily
accessing the information held on the computer. However, they can be by-passed by technically adept
individuals, and do not protect information if the hard drive is removed from the computer.
Another standard control is a screen-lock. This locks a computer from use if it is not used for a set period
of time. It requires the user to re-enter a password to unlock the computer. Five agencies used this
control, but RPH and the Department of Education (Central Office) did not.
We also found that three agencies, the Curriculum Council, RPH and Department of Education (Central
Office) had given administrator rights to all their laptop users. This is contrary to basic information security
practice. It allows individuals to install software and alter any computer settings without permission
or agency knowledge. This increases the risks to information security for individual computers, and
cumulatively poses even greater risks to agency networks and information.
We found weaknesses in how a number of agencies managed passwords. Some agencies had disabled
password complexity settings (the length and number/letter mix). We also found cases where password
expiry was not enforced. Both of these weaknesses make it easier to ‘crack’ passwords, and do not
comply with good security practices. Table 2 shows the various access control issues at the agencies.
Agency                                     ‘Boot’     Network    Screen     Administrator
                                           password   password   lock-out   rights
Curriculum Council                         ✗          ✓          ✓          ✗
Department of Commerce                     Partial    ✓          ✓          ✓
Department of Education (Central Office)   ✗          ✓          ✗          ✗
Department of Water                        ✗          ✓          ✓          ✓
Royal Perth Hospital                       ✗          ✓          ✗          ✗
Western Australia Police                   ✗          ✓          ✓          ✓
WorkCover                                  ✗          ✓          ✓          ✓
Table 2: Adequacy of access controls (✓ = control adequate, ✗ = control inadequate)
No agency had universally activated boot passwords. Two agencies did not have screen lock-outs as a policy and
two gave administrator rights to all users. Each agency employed network passwords.
Security controls are required to protect laptops and information when users connect their laptops to
external networks. These controls assist in preventing attacks which may result in unauthorised access
to sensitive data on the laptops and/or on agency networks. It is important that agencies have policies
and education to support any technical controls.
All agencies had ‘perimeter firewalls’ on their network systems, to protect their computer systems
including laptops from external threats. However, when laptops are disconnected from the home
network and connected to un-trusted external ones, these firewalls are not available. A major control
over this risk is to activate local firewalls on laptops. However, local firewalls are not always compatible
with some business applications on laptops. Therefore, agencies need to have clear guidelines and
policies for using external networks that match their own settings and needs. These will likely include
banning access to external networks where necessary.
Only WorkCover had enabled local firewalls on laptops to prevent security threats from external
connections such as the internet. It also had policies banning the use of external networks. No other
agency had enabled local firewalls. WAP had not enabled its local firewalls, but had policies banning
the use of external networks. No other agency had policies about connecting to external networks.
As noted above, laptop users at the Curriculum Council, RPH and Department of Education (Central
Office) had administrator rights, which would allow them to configure and connect their laptops to any
external network.
We also found that four agencies – the Curriculum Council, the Department of Water, the Department
of Commerce and WAP – had not installed software patches released by product vendors to fix critical
security flaws. The Department of Commerce had a Security Update Server configured to manage
software patch updates across all laptops; however, we found that it had not been functioning properly.
The lack of up-to-date security patches meant the agencies had security vulnerabilities on their laptops
that could lead to unauthorised access to sensitive data or to damage laptop and network systems.
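As an added example, not part of the report or of any agency’s own tooling, the following PowerShell script checks a single Windows laptop against the controls audited above: screen lock-out, administrator rights, password complexity and expiry, local firewall, vendor patches and disk encryption. It assumes Windows 10 with PowerShell 5.1 run from an elevated prompt; the 15-minute lock and 30-day patch thresholds are this example’s assumptions, not figures from the report.

```powershell
# Added example (not from the report): per-laptop baseline check for the controls in
# Tables 2 and 3. Boot/BIOS passwords cannot be read from inside the operating system,
# so that control is left as a manual check. Assumes Windows 10 / PowerShell 5.1,
# run elevated. Thresholds below are assumptions made for this example.
$ScreenLockMaxSeconds = 900   # assumed: lock after at most 15 minutes idle
$PatchMaxAgeDays      = 30    # assumed: newest installed update no older than 30 days

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding {
    param([string]$Control, [bool]$Pass, [string]$Detail)
    $findings.Add([pscustomobject]@{ Control = $Control; Pass = $Pass; Detail = $Detail })
}

# --- Screen lock-out. A Group Policy value (Policies key) overrides the user's own setting.
$policyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$userKey   = 'HKCU:\Control Panel\Desktop'
function Get-DesktopValue([string]$Name) {
    foreach ($key in @($policyKey, $userKey)) {
        $v = (Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue).$Name
        if ($null -ne $v) { return [string]$v }
    }
    return ''
}
$active  = Get-DesktopValue 'ScreenSaveActive'
$secure  = Get-DesktopValue 'ScreenSaverIsSecure'
$timeout = 0
[void][int]::TryParse((Get-DesktopValue 'ScreenSaveTimeOut'), [ref]$timeout)
Add-Finding 'Screen lock-out' `
    (($active -eq '1') -and ($secure -eq '1') -and ($timeout -gt 0) -and ($timeout -le $ScreenLockMaxSeconds)) `
    "active=$active secure=$secure timeout=${timeout}s"

# --- Administrator rights. Ordinary users should not be members of the local Administrators group;
#     only the built-in Administrator account (and, if used, a management group) belongs there.
$admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue)
$extra  = @($admins | Where-Object { $_.ObjectClass -eq 'User' -and $_.Name -notmatch '\\Administrator$' })
Add-Finding 'Administrator rights' ($extra.Count -eq 0) ('members: ' + (($admins | ForEach-Object Name) -join ', '))

# --- Password management. Length and expiry come from "net accounts"; complexity is only
#     visible in an exported copy of the local security policy.
$accounts = net accounts 2>$null
$minLen   = [int]((($accounts | Select-String 'Minimum password length' | Select-Object -First 1).Line) -replace '\D', '')
$maxAge   = ((($accounts | Select-String 'Maximum password age' | Select-Object -First 1).Line) -replace '.*:\s*', '').Trim()
$cfg      = Join-Path $env:TEMP 'secpol-check.inf'
secedit /export /cfg $cfg /quiet | Out-Null
$match    = Get-Content -Path $cfg | Select-String -Pattern '^PasswordComplexity\s*=\s*(\d)' | Select-Object -First 1
$complex  = if ($match) { $match.Matches[0].Groups[1].Value } else { '?' }
Remove-Item $cfg -ErrorAction SilentlyContinue
Add-Finding 'Password complexity' (($complex -eq '1') -and ($minLen -ge 8)) "complexity=$complex minlength=$minLen"
Add-Finding 'Password expiry'     ($maxAge -match '^\d+$')                  "maxage=$maxAge"

# --- Local firewall. Every profile (Domain, Private, Public) must be enabled so the laptop
#     stays protected when it leaves the perimeter firewall of the home network.
$profiles = @(Get-NetFirewallProfile -ErrorAction SilentlyContinue)
$off      = @($profiles | Where-Object { $_.Enabled -ne 'True' })
Add-Finding 'Local firewall' (($profiles.Count -gt 0) -and ($off.Count -eq 0)) `
    (($profiles | ForEach-Object { "$($_.Name)=$($_.Enabled)" }) -join ' ')

# --- Vendor patches. Age of the newest installed update; the patch management server's
#     own records remain the authoritative source for what is still missing.
$latest  = Get-HotFix | Where-Object { $_.InstalledOn } | Sort-Object InstalledOn -Descending | Select-Object -First 1
$ageDays = if ($latest) { [int](New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).TotalDays } else { [int]::MaxValue }
Add-Finding 'Security patches' ($ageDays -le $PatchMaxAgeDays) "newest=$($latest.HotFixID) installed=$($latest.InstalledOn) age=${ageDays}d"

# --- Disk encryption (BitLocker on the system drive), the control that protects data even
#     when the laptop or its hard drive is stolen.
$vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
Add-Finding 'Disk encryption' ($vol.ProtectionStatus -eq 'On') "protection=$($vol.ProtectionStatus)"

$findings | Format-Table -AutoSize
Write-Host 'Boot password: verify in the firmware setup screen; it is not readable from the operating system.'
$failed = @($findings | Where-Object { -not $_.Pass }).Count
Write-Host "$failed of $($findings.Count) checks failed."
exit ([int]($failed -gt 0))
```

The script exits non-zero when any check fails, so it can be run by a management tool against a fleet and the results rolled up into an agency-level view like Table 2.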
We found that most agencies had some weaknesses in their policies and associated procedures.
Maintaining comprehensive policies is important for controlling information. The key policy/
procedures areas we examined were: PSD-specific, general acceptable use, sensitive data, disposing of
storage devices, and dealing with missing assets. Table 3 shows an assessment of agency policies and
procedures.
Only WAP had policies and procedures specifically dealing with PSDs. In particular, it had made clear
choices about the use of flash drives. WAP assessed the risks posed by PSDs, and decided only to allow
encrypted flash drives. WAP was also the only agency that had encrypted sensitive information on hard
drives and emails. These activities make it practically impossible for information to be accessed even if
devices are lost.
The Department of Water, Curriculum Council and Department of Education (Central Office) had
weaknesses with their acceptable use policies and procedures. We found instances where ‘acceptable
use’ policies only referred to internet and email activity, but ignored internal material and personal
applications.
WorkCover and the Curriculum Council did not have comprehensive policies on using sensitive data.
Some agencies deal with obviously sensitive information, but all agencies need to consider if the
mobility provided by laptops and PSDs increases the risk of loss, and therefore if they require separate
policies for these devices. We also found that training on information security was inconsistent, both in
content and in personnel coverage.
Three agencies, the Curriculum Council, RPH and DoC, did not have documented procedures for dealing
with lost or stolen laptops. While all three had reported lost assets, their procedures were not formalised.
Without formal guidance, the risks arising from lost or stolen assets may not be properly considered and
dealt with. This issue was exacerbated at RPH and DoC because they did not know how many assets they
possessed. However, we were reassured to find that all sampled agencies required staff to present a
Police report before a laptop could be replaced. This should be required by all agencies.
Agency                                     Use of PSDs   General        Sensitive   Dealing with
                                                         acceptable use data        missing assets
Curriculum Council                         ✗             ✗              ✗           ✗
Department of Commerce                     ✗             ✓              ✓           ✗
Department of Education (Central Office)   ✗             ✗              ✓           ✗
Department of Water                        ✗             ✗              ✓           ✗
Royal Perth Hospital                       ✗             ✓              ✓           ✓
Western Australia Police                   ✓             ✓              ✓           ✓
WorkCover                                  ✗             ✓              ✗           ✓
Table 3: Detailed policy and procedures (✓ = adequate, ✗ = weakness found)
Only WAP had comprehensive policies dealing with PSDs. The Curriculum Council had weaknesses in all policy and
procedure areas.
Application and General Computer Controls Audits
Computer controls can be defined as specific activities performed by people (manual) or by systems
(automatic) to ensure the confidentiality and integrity of data and the ongoing availability of computer
systems. Computer controls are often divided into two categories: application controls that apply to
specific software programs, and general computer controls (GCC) that apply to computing systems as
a whole.
Applications are the software programs that are used to facilitate key business processes of an
organisation. For example finance, human resource, licensing and billing are typical processes that are
dependent on software applications. Application controls are designed to ensure the complete and
accurate processing of data from input to output.
Each year we review a selection of key applications relied on by agencies to deliver services to the
general public. Failings or weaknesses in these applications have the potential to directly impact other
organisations and members of the general public. Impacts range from delays in service to possible
fraudulent activity and financial loss. This report describes the results of an audit of one key application
at each of four agencies.
This year we focused on five general computer control categories: management of IT risks, information
security, business continuity, change control and physical security.
We use capability maturity models in conjunction with our GCC audits to help report the results of our
work. A capability maturity model is a way of assessing how well developed and capable the established
controls are and how well developed or capable they should be. Capability assessments were prepared
for 42 of the 52 agencies examined. The models provide a benchmark for agency performance and a
means for comparing results from year to year.
We found multiple information system control weaknesses at the vast majority of the agencies
we examined. These weaknesses have the potential to compromise the confidentiality, integrity
and availability of the computer systems we examined. However, we are beginning to see signs of
improvement in general computer controls at some agencies.
All four business applications we reviewed had control weaknesses, though change management
and business continuity controls were relatively strong. In total, we identified 29 control weaknesses, of
which:
• security weaknesses made up 55 per cent of the control weaknesses. These included computer
vulnerabilities such as easy to guess passwords, unauthorised user accounts and failure to remove
accounts belonging to former staff
• data processing control issues made up 28 per cent of our findings. Weaknesses in these controls
put the integrity of information processed at risk
• the remaining 17 per cent of weaknesses related to operational issues such as software licensing,
asset management, vendor support and contractor management.
We reported 333 general computer controls related issues to agencies in 2009. Two per cent of these
issues were rated as significant, requiring immediate attention. Sixty-three per cent were rated as
moderate, requiring attention as soon as possible. These results are similar to last year.
Our capability assessments show there has been some improvement in general computer controls across
the agencies we have reviewed. Specifically, 26 per cent of agencies we reviewed last year using the
capability assessments made improvements in at least one of the categories without regressing in any
area. Forty-one per cent of agencies showed no change. The remainder may have made improvements
in one area but regressed in another.
Despite some improvement, we still found many areas requiring attention. Fifty-two per cent of the
agencies we assessed using capability models had not established effective controls to manage IT
risks, information security and business continuity. Thirty-one per cent of agencies had not established
effective change controls and 33 per cent had not established effective controls for management of
physical security.
• Policies and procedures – agencies should ensure that they have appropriate policies and
procedures in place for key areas such as IT risk management, information security, business
continuity and change control. We recommend the use of standards and frameworks as references
to assist agencies with implementing good practices.
• Management of IT risks – agencies need to ensure that IT risks are identified, assessed and treated
within appropriate timeframes and that these practices become a core part of business activities.
• Information security – agencies should ensure good security practices are implemented, kept up to
date, and regularly tested and enforced for key computer systems. Agencies must conduct ongoing
reviews of user access to systems to ensure access rights are appropriate at all times.
• Business continuity – agencies should have a business continuity plan, a disaster recovery plan and
an incident response plan. These plans should be tested on a periodic basis.
• Change control – change control processes should be well developed and consistently followed
for changes to computer systems. All changes should be subject to thorough planning and impact
assessment to minimise the likelihood of problems. Change control documentation should be
current, and approved changes formally tracked.
• Physical security – agencies should develop and implement physical and environmental control
mechanisms to prevent unauthorised access or accidental damage to computing infrastructure
and systems.
Each year we review a selection of key applications relied on by agencies to deliver services to the
general public. Failings or weaknesses in these applications have the potential to directly impact other
organisations and members of the general public. Impacts range from delays in service to possible
fraudulent activity and financial loss.
Our application reviews involve an in-depth focus on the step-by-step processing and handling of data.
Our main purpose for reviewing computer applications is to gain assurance that:
• data entered into the application is accurate, complete and authorised
• data is processed as intended in an acceptable time period
• stored data is accurate and complete
• outputs, including online or hardcopy reports, are accurate and complete
• a record is maintained to track the process of data from input, through the processing cycle to
storage and to the eventual output
• access controls are in place and user accounts are managed.
We audited one key business application at each of four agencies. Each application was selected on
the basis of the significant impact on the agency or the public if the application was not managed
appropriately. The applications we reviewed support the provision of critical public services and contain
hundreds of thousands of sensitive records relating to the general public. We assessed the adequacy of
the controls for each application. The controls were:
• security controls
• data controls
• operational controls
• change control
• business continuity.
We do not publicly report the specific applications or agencies examined in our IS audits, to minimise
the risk that they will be targeted to exploit reported weaknesses. Another reason is that our findings and
recommendations are relevant across government and not just to the specific agencies examined.
We identified 29 control weaknesses from the four business application systems reviewed. Security
control weaknesses made up 55 per cent of the findings. Control weaknesses included computer
vulnerabilities such as easy to guess passwords, unauthorised user accounts and failure to remove
accounts belonging to former staff. Data processing control issues made up 28 per cent of our findings.
These weaknesses put the integrity of information processed at risk. The remaining issues related to
operational controls. No control weaknesses were identified for change control and business continuity.
Figure 2 provides a graphical summary of our application controls ndings.
Figure 2: Application Control Findings
Inadequate security controls and data controls were the two most common types of control weakness found in the
four applications.
We assessed whether security controls were implemented, administered and appropriately configured
to restrict access to information held by agencies.
Attempting to log in to a system by guessing simple passwords is a commonly used strategy for gaining
unauthorised system access. The combination of weaknesses we found creates serious exposures and
could lead to the information stored and handled by these agencies being compromised.
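Password guessing of the kind described above leaves a recognisable trace only if the application records failed logons, which two of the audited applications did not. The following is an added example (not code from the report or from any audited agency) of the detection a defender would run over such records; the log line layout and the sample lines are constructed assumptions:

```python
"""Detect password-guessing patterns in application logon records.

Added example, not from the audit report. The log line format
"<ISO-8601 timestamp> <account> <SUCCESS|FAILURE>" is an assumption.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. An application that records only successful logons
# (one of the report's findings) would contain none of the FAILURE lines,
# and this detection could not work against it.
SAMPLE_LOG = """\
2009-09-14T08:00:01 jsmith SUCCESS
2009-09-14T08:00:05 dbadmin FAILURE
2009-09-14T08:00:07 dbadmin FAILURE
2009-09-14T08:00:09 dbadmin FAILURE
2009-09-14T08:00:12 dbadmin FAILURE
2009-09-14T08:00:14 dbadmin FAILURE
2009-09-14T08:00:20 dbadmin SUCCESS
2009-09-14T08:05:00 mlee FAILURE
2009-09-14T08:05:30 mlee SUCCESS
"""


def parse_log(text):
    """Parse log lines into (timestamp, account, outcome) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, account, outcome = line.split()
        events.append((datetime.fromisoformat(stamp), account, outcome))
    return events


def find_guessing(events, threshold=5, window=timedelta(minutes=10)):
    """Return {account: (max_failures_in_window, success_followed_burst)}
    for accounts with at least `threshold` failed logons inside `window`.
    A burst followed by a success within the window is the strongest signal,
    because it may mean a guess eventually worked."""
    by_account = defaultdict(list)
    for stamp, account, outcome in events:
        by_account[account].append((stamp, outcome))

    findings = {}
    for account, evs in by_account.items():
        evs.sort()
        recent = []  # failure timestamps still inside the sliding window
        for stamp, outcome in evs:
            recent = [t for t in recent if stamp - t <= window]
            if outcome == "FAILURE":
                recent.append(stamp)
                if len(recent) >= threshold:
                    count, success = findings.get(account, (0, False))
                    findings[account] = (max(count, len(recent)), success)
            elif outcome == "SUCCESS" and account in findings and recent:
                count, _ = findings[account]
                findings[account] = (count, True)
    return findings


def logged_failures(events):
    """True if the log contains any failed-logon records at all. A log that
    never records failures, as in two audited applications, cannot support
    this detection, so the check belongs at the start of a review."""
    return any(outcome == "FAILURE" for _, _, outcome in events)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("failures logged:", logged_failures(events))
    for account, (count, success) in find_guessing(events).items():
        print(f"{account}: {count} failures in window, success afterwards: {success}")
```

The retention point in the findings (three days of successful logons only) matters for the same reason: the window over which a reviewer can look back is bounded by what the application keeps.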
All four agencies had weaknesses in the IT applications we audited. These included:
• At two agencies we guessed passwords for highly privileged database accounts and obtained full
access to sensitive information. We also found that any changes made using these accounts would
not be detected. A third agency’s application did not enforce basic password controls. This allowed
users to create single character passwords that do not expire.
• In two agencies we found that numerous network and application user accounts with the highest
privileges had been created without approval. A number of these accounts belonged to former
staff.
• One agency had not defined what access privileges should be required by different staff. As a result,
inappropriate levels of access had been assigned to numerous users. One agency was unable to
produce a list of user accounts and respective access privileges for its application.
• At three of the four agencies we found active user accounts belonging to former sta that allowed
access to key applications, the network, and databases. At two of these agencies there was no
monitoring or logging of user access. This makes it impossible to know whether unauthorised
access or changes to information had occurred.
• Critical security updates were missing from key servers hosting business applications in two
agencies. This leaves the applications inadequately protected against potential threats and may
result in unauthorised access and/or loss of system operation and information. The firewall for one
application was ineffective against these threats.
• In one agency we found multiple physical and environmental control weaknesses such as no air
conditioning in server rooms and no physical protection of equipment. This significantly increases
the risk of applications and networks being compromised.
• Two of the applications did not log failed access attempts and only held information relating to
successful logons for the previous three days.
• At one agency we found that confidential information such as client names and address details
was unnecessarily attached to other data sent to external contractors. This increases the risk of
information being leaked and/or misused. In another agency, security controls were not in place to
protect sensitive information from access by unauthorised staff.
• At two agencies support staff used generic administrator accounts to access computer systems
holding sensitive information. Staff who use these accounts cannot be identified on the network and
held accountable. One of these agencies was unable to provide the required police clearances for
staff accessing such information. These practices are contrary to each agency’s own policies.
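Several of the findings above (accounts of former staff still active, highest-privilege accounts created without approval, generic administrator accounts, and an agency unable to list its accounts and privileges) are what a periodic user access review is meant to surface. The following is an added example of such a review, not code from the report or any audited agency; the record layouts and the sample staff and account lists are constructed assumptions:

```python
"""Periodic user access review: reconcile accounts with HR and approval records.

Added example, not from the audit report. The account and staff record
layouts are assumptions; a real review would pull the account list from the
application, the network directory and the database, and the staff register
from HR.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Account:
    name: str
    owner: Optional[str]  # staff identifier, or None for a shared/generic account
    privileged: bool      # administrator-level rights
    approved: bool        # creation recorded as approved under the agency process


# Constructed sample data: the current staff register and the account list.
CURRENT_STAFF = {"s100", "s101", "s102"}
ACCOUNTS = [
    Account("jsmith", "s100", privileged=False, approved=True),
    Account("dba_alice", "s101", privileged=True, approved=True),
    Account("dba_temp", "s102", privileged=True, approved=False),  # no approval record
    Account("bjones", "s999", privileged=False, approved=True),    # owner has left
    Account("appadmin", None, privileged=True, approved=True),     # generic shared admin
]


def review_accounts(accounts, current_staff):
    """Group accounts into the finding categories the review looks for."""
    findings = {
        "former_staff": [],           # owner no longer on the staff register
        "unapproved_privileged": [],  # highest privileges, no approval record
        "generic_privileged": [],     # shared admin account, actions not attributable
    }
    for acct in accounts:
        if acct.owner is None:
            if acct.privileged:
                findings["generic_privileged"].append(acct.name)
            continue
        if acct.owner not in current_staff:
            findings["former_staff"].append(acct.name)
        if acct.privileged and not acct.approved:
            findings["unapproved_privileged"].append(acct.name)
    return findings


def privilege_register(accounts):
    """The list of accounts and access levels that one audited agency could
    not produce; privileged accounts are listed first, then by name."""
    rows = ((a.name, a.owner, "privileged" if a.privileged else "standard") for a in accounts)
    return sorted(rows, key=lambda row: (row[2] != "privileged", row[0]))


if __name__ == "__main__":
    for category, names in review_accounts(ACCOUNTS, CURRENT_STAFF).items():
        print(f"{category}: {names}")
    for row in privilege_register(ACCOUNTS):
        print(row)
```

The review is only as good as its inputs: the staff register must be current and the account export must cover every layer (application, network and database), since the report found former-staff accounts at all three.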
Agency management rely on accurate information from their business applications to make informed
decisions. This requires controls that ensure the complete and accurate processing of data from input
to output.
Typical data controls include:
• standard input formats, rules and data verification prior to input
• data change controls and authorisations to ensure any changes or anomalies are identied and
addressed during processing
• output checking through validation of reports or reconciliation and tracing of transaction
processing.
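As an added illustration of the three kinds of data control just listed (not code from the report or any audited agency), the following processes a constructed batch of transaction records: it enforces a standard input format and rules before acceptance, records every rejection with its reason, and reconciles the output against the input so that no record is silently dropped or duplicated. The record layout, the rules and the sample rows are assumptions:

```python
"""Input validation and input-to-output reconciliation for a batch of records.

Added example, not from the audit report. The record layout (a CSV batch of
licence-fee transactions) and the validation rules are assumptions chosen to
illustrate input, processing and output data controls.
"""
import csv
import io
import re
from datetime import date
from decimal import Decimal, InvalidOperation

# Constructed input batch: two valid rows and three that each break one rule.
INPUT_BATCH = """\
txn_id,client_id,amount,txn_date
T001,C12345,150.00,2009-09-14
T002,C1234X,150.00,2009-09-14
T003,C67890,-20.00,2009-09-14
T004,C24680,75.50,2009-02-30
T005,C13579,75.50,2009-09-15
"""

CLIENT_ID = re.compile(r"^C\d{5}$")  # standard input format for a client identifier


def validate_record(row):
    """Input control: return the list of rule violations for one row (empty = valid)."""
    problems = []
    if not CLIENT_ID.match(row["client_id"]):
        problems.append("client_id format")
    try:
        if Decimal(row["amount"]) <= 0:
            problems.append("amount not positive")
    except InvalidOperation:
        problems.append("amount not numeric")
    try:
        date.fromisoformat(row["txn_date"])
    except ValueError:
        problems.append("invalid date")
    return problems


def process_batch(text):
    """Processing control: accept valid rows and record every rejection with its reason,
    so anomalies are identified during processing rather than discovered later."""
    accepted, rejected = [], {}
    for row in csv.DictReader(io.StringIO(text)):
        problems = validate_record(row)
        if problems:
            rejected[row["txn_id"]] = problems
        else:
            accepted.append(row)
    return accepted, rejected


def accepted_total(accepted):
    """Control total of the amounts that reached processing, for report validation."""
    return sum((Decimal(r["amount"]) for r in accepted), Decimal("0"))


def reconcile(text, accepted, rejected):
    """Output control: every input transaction appears exactly once in the output,
    either accepted or rejected, so nothing was dropped or duplicated."""
    input_ids = [r["txn_id"] for r in csv.DictReader(io.StringIO(text))]
    output_ids = [r["txn_id"] for r in accepted] + list(rejected)
    return sorted(input_ids) == sorted(output_ids)


if __name__ == "__main__":
    acc, rej = process_batch(INPUT_BATCH)
    print("accepted:", [r["txn_id"] for r in acc], "total:", accepted_total(acc))
    print("rejected:", rej)
    print("reconciled:", reconcile(INPUT_BATCH, acc, rej))
```

The rejection log and the control total are the artefacts a reviewer traces during the kind of routine verification of data accuracy that three of the four audited agencies were not performing.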
Prior to examining data controls for an application we obtain an understanding of the business processes
involved and the underlying IT systems. We identify all relevant business and control activities and map
the flow of information from input to output. This includes reviewing any policies and procedures as
well as interfaces between applications.
Data control weaknesses we identified included:
• Input control weaknesses in one application – deficient rules in the system allowed incorrect
information to be entered or updated. As well, processes to verify information contained in the
system were not documented and were unreliable due to their ad hoc nature.
• One agency had not formalised the types of controls that should be established over data
processing at its sub-agencies. Such controls should be documented in approved policies and
procedures.
• Three of the four agencies were not conducting routine verification of data accuracy and validity
for key business processes.
Operational controls ensure that applications are used consistently and correctly across an agency to
meet business requirements. These controls include staff training, application-specific manuals as well
as monitoring and reporting of data input, processing and output.
Change control is required to ensure that any modications to existing computer systems are
appropriately implemented and changes are authorised, approved and tested where appropriate.
Business continuity planning is vital for all agencies as it provides for the rapid recovery of computer
services in the event of an unplanned disruption.
Management of change control and business continuity planning was adequate for the four
applications. However, we did identify a number of operational control weaknesses. Specifically:
• One application did not notify users when they accessed restricted information. This increases the
risk that staff may unwittingly disclose confidential information.
• Managers at two agencies did not fully understand the level of access they authorised for staff and
consequently had allocated inappropriate access to sensitive information. Segregation of duties
was not in place to mitigate the risk of unauthorised or inappropriate transactions being made.
• Contractor service level agreements in one agency were not monitored, so the agency did not
know whether contractors were meeting their contractual obligations.
• Management for one of the applications did not monitor or review the security logs and audit trails
of the application. Any unauthorised access or inappropriate modifications to system data would not
be identified by the agency.
• We reviewed a sample of sub-agencies accessing the parent agency application. These sub-agencies
were managing their own data on site using inadequate backup regimes. This increases
the risk of losing information permanently. We recommended that the backup and recovery plans
of the agencies and sub-agencies be consolidated for efficiency and effectiveness.
The objective of our general computer controls (GCC) audits is to determine whether the computer
controls effectively support the confidentiality, integrity, and availability of information systems. General
computer controls include controls over the information technology (IT) environment, computer
operations, access to programs and data, program development and program changes. In 2009 we
focused specifically on the following GCC categories:
• management of IT risks
• information security
• business continuity
• change control
• physical security
Capability maturity models are a way of assessing how well developed and capable the established IT
controls are and how well developed or capable they should be. We use the results of our GCC work to
inform our capability assessments of agencies. This is the second year we have used capability maturity
models.
The models we developed use accepted industry good practice as the basis for assessment. Our
assessment of the appropriate maturity level for an agency’s general computer controls is influenced
by various factors. These include: the business objectives of the agency; the level of dependence on IT;
the technological sophistication of its computer systems; and the value of information managed by
the agency.
We conducted GCC work at 52 agencies and did capability assessments at 42 of these agencies of which
35 were also assessed last year.
We provided the 42 selected agencies with capability assessment forms and asked them to complete
and return the forms at the end of the audit. We then met with each of the agencies to compare their
self-assessment with ours, which was based on the results of our GCC audits. The agreed results are
reported below.
We use a five scale rating¹ listed below to evaluate each agency’s capability and maturity levels in each
of the GCC audit focus areas. The models provide a baseline for comparing results for these agencies
from year to year. Our intention is to increase the number of agencies assessed each year.
0 (non-existent)              Management processes are not applied at all. Complete lack of any
                              recognisable processes.
1 (initial/ad hoc)            Processes are ad hoc and the overall approach to management is
                              disorganised.
2 (repeatable but intuitive)  Processes follow a regular pattern where similar procedures are followed
                              by different people with no formal training or standard procedures.
                              Responsibility is left to the individual and errors are highly likely.
3 (defined)                   Processes are documented and communicated. Procedures are
                              standardised, documented and communicated through training.
                              Processes are mandated; however, it is unlikely that deviations will be
                              detected. The procedures themselves are not sophisticated but are the
                              formalisation of existing practices.
4 (managed and measurable)    Management monitors and measures compliance with procedures
                              and takes action where appropriate. Processes are under constant
                              improvement and provide good practice. Automation and tools are used
                              in a limited or fragmented way.
5 (optimised)                 Good practices are followed and automated. Processes have been
                              refined to a level of good practice, based on the results of continuous
                              improvement and maturity modelling with other enterprises. IT is used in
                              an integrated way to automate the workflow, providing tools to improve
                              quality and effectiveness, making the agency quick to adapt.
Table 4: Rating criteria
¹ The information within this maturity model assessment is based on the criteria defined within the Control Objectives for
Information and related Technology (COBIT) manual.