29 March 2011

ANAO Electronic Security Report

The Australian National Audit Office's 92-page report on The Protection and Security of Electronic Information Held by Australian Government Agencies [PDF] has called on Commonwealth agencies to "mitigate security and information integrity risks", for example through restrictions on access to Hotmail.

The report covers an examination of electronic security at the Department of Prime Minister & Cabinet, Medicare, ComSuper and the Australian Office of Financial Management - characterised as a cross-section of the national bureaucracy.

It highlighted concerns regarding network security, with recommendations that agencies should -
• ensure content filtering blocks access to internet sites that are inappropriate for work use or may be high risk for malicious content (e.g. those with adult content, gambling, chatrooms, dating sites, criminal or terrorist information and music downloads)

• use email filtering software that blocks delivery of suspicious emails and prevents transmission of unmarked or inappropriately marked messages

• ensure that information security policies and procedures are complete and up-to-date. Some agency policies and procedures were outdated and each agency needed to compile or update Standard Operating Procedures (SOPs) for ICT security officers to assist "consistent implementation of key ICT security measures, controls and practices"

• block public email services such as Gmail and Hotmail on agency networks "as these can provide an easily accessible point of entry for an external attack and subject the agency to the potential for intended or unintended information disclosure."

• document patching processes for the network operating system and third party applications and monitor that the processes are correctly implemented.

Prime Minister & Cabinet has responded, indicating that it will cease allowing staff access to free email services from 1 July, a response that will presumably be emulated by other national agencies and cited by state/territory public sector bodies.

The ANAO also calls on agencies to review log-in credentials and to reflect the level of access in appropriate password complexity requirements, having found that administrator or service account passwords (20% of passwords) were compromised at three of the four agencies examined in the report. That figure "compared reasonably favourably with some private sector and state government agencies".

The recommendations reflect the requirement under the national Protective Security Policy Framework (which superseded the 2007 Protective Security Manual) for Commonwealth agency chief executives to maintain "effective protective security programs" covering -
• each agency’s capacity to function;

• maintaining the public's confidence in agencies;

• the safeguarding of official resources and information held on trust; and

• the safety of those employed to carry out the functions of Government and those who are clients of Government.

The report cites the June 2010 Directive from the Attorney-General regarding that Framework -

agency heads are to ensure that protective security is a part of their agency's culture. A successful culture will effectively balance the competing requirements of limiting access to those that have a genuine 'need to know' with ensuring key business partners receive the information in an appropriate timeframe.

It comments that -

The recent 'Wikileaks' release of Government electronic information has demonstrated the importance of maintaining appropriate protective security frameworks and the risks of failing to adequately protect electronic information.