Summary

Introduction

1. Governments, businesses, organisations and individuals use Information and Communications Technology (ICT) for a variety of purposes and functions. Government agencies rely on ICT systems to conduct their core business, and the information collected, stored and transmitted via agency ICT systems includes dealings with international governments, State and local governments, business, not-for-profit and interest groups, and individuals.

2. The protection of government information requires constant vigilance on the part of agencies because of the variety of systems and communication channels used, the increasing ‘portability’ of information, and the ever-present risk of cyber attack.

3. The focus of this audit is the measures taken by agencies to protect against the information security risks posed by Portable Storage Devices (PSDs). A PSD is a portable electronic device capable of storing large volumes of data (for example, a USB flash drive, CD/DVD or a portable hard drive) and/or of transmitting data via voice or email and connecting to the Internet (for example, laptop computers, smartphones or tablet computers).

4. The convenience of using PSDs to store and transfer data and connect to the Internet has supported an increase in their use by agencies as part of day-to-day activities. In particular, PSDs assist agencies to engage in flexible work practices such as working away from the office, either at home or when travelling.

5. However, there are a number of risks associated with the use of PSDs, particularly due to their size and portability. The risks include the loss and/or theft of data, and the introduction of viruses and malware into the organisation’s ICT environment.1 The consequences of these risks are that government data relevant to national security, decision-making, commercial interests or the privacy of Australian citizens could be accessed by unauthorised persons. There are a number of reported instances, both in Australia and overseas, of government data being inappropriately accessed as a result of lost or stolen PSDs.

6. To address these and other security risks, the government has directed agency Chief Executive Officers (CEOs), via the Protective Security Policy Framework (PSPF), to have effective protective security programs that ensure:

  • their agency’s capacity to function;
  • maintenance of the public’s confidence in agencies;
  • the safeguarding of official resources and information held on trust; and
  • the safety of those employed to carry out the functions of government and those who are clients of government.2

7. Included in the PSPF are a number of mandatory requirements and guidelines regarding ICT security, including for agency use of PSDs. Additionally, the Information Security Manual (ISM), written by the Defence Signals Directorate (DSD), outlines mandatory and recommended technical controls for agency ICT systems and hardware, including PSDs.

Audit objective, criteria and scope

8. The objective of the audit was to assess the effectiveness of the management of risks arising from the use of PSDs in selected Australian Government agencies. The PSDs included within the scope of this audit were: USB flash drives; CDs and DVDs; external hard drives; laptop computers and smartphones.

9. The following agencies were selected for inclusion in the audit:

  • the Australian Taxation Office (ATO);
  • the Insolvency and Trustee Service Australia (ITSA); and
  • Australian Hearing.3

10. This cross-section of agencies was selected as representative of Commonwealth agencies and ICT systems, and each uses the PSDs included within the scope of this audit. Additionally, each agency collects, stores and transmits personal information relating to Australian citizens.

11. To address the audit objective, the ANAO examined the extent to which agencies had an effective framework in place for the management of PSDs, including risk assessments; policies and procedures; hardware and software controls; staff training and awareness activities; and incident response and reporting mechanisms.

12. The audit criteria and testing were based on the requirements of the PSPF and the ISM.

13. Under Government policy directions, the ATO and ITSA must meet the requirements of the PSPF and ISM. However, at the time of this audit, Australian Hearing was not required to meet these requirements as the agency had not been directed by its Minister to follow the PSPF and ISM.4 Accordingly, the ANAO is reporting on Australian Hearing’s compliance with the PSPF and ISM as a benchmark of the minimum standard required for security of government information rather than a formal requirement.

14. The audit was conducted with the support of the Attorney-General’s Department (AGD) and the specialist advice of the Office of the Australian Information Commissioner and DSD. The ANAO appreciates the assistance provided by these agencies during the course of the audit.

Overall conclusion

15. The rapidly developing world of the Internet and associated ICT systems and devices has transformed the way government operates. The significance of this transformation and the risks involved in the use of ICT systems and devices have been recognised, with a Cyber White Paper currently under development (due to be released in 2012). The White Paper’s objective is to:

ensure Australia is well prepared to optimise the benefits of greater online engagement, and…outline how government, industry and the community can work together to address the challenges and risks arising from greater digital engagement.5

16. Agencies are increasingly using PSDs to assist their day-to-day operations. These devices are designed to be ‘user friendly’ and to facilitate quick and efficient transfer of information. While this brings great benefits, there are also ever-present risks, including the accidental loss or theft of information facilitated by the use of a PSD, and exposure of agency ICT systems to viruses and malware.

17. Central to agencies’ use of PSDs, and other existing and emerging technologies, is the question of how to balance the advantages of their use with appropriate security measures to protect sensitive data.

18. Agency CEOs are responsible for ensuring that the information their organisation holds is adequately protected, and the Attorney-General’s Directive makes it clear that agency heads are to ensure that protective security is a part of their agency’s culture.6 As previously reported by the ANAO, while no ICT system can be completely safe from an intentional or unintentional security breach, agencies should take a risk-based approach in implementing ICT security policies and practices that are based on their assessments of the government’s security requirements, including those of the PSPF and ISM.7

19. There is a range of possible approaches that agencies can take in their management of PSDs, ranging from a complete ‘lock down’ of all connections to the ICT network, through to an accepted use of personal devices for work purposes. Against this background, agencies should assess the business need for the use of PSDs against the security risks particular to their organisation, and monitor their experience over time.

20. This audit examined the extent to which the three audited agencies had considered both the opportunities and risks presented by PSDs, and the adequacy of their risk assessments, policies and procedures, ICT security controls, training and awareness activities, and incident response procedures.

21. Overall, the audit concluded that the ATO had taken steps to effectively manage the risks associated with the use of PSDs in that agency. However, ITSA and Australian Hearing had scope to significantly improve their approach, particularly in relation to:

  • risk assessments of the capacity in which PSDs may be used, and the type of information they can transmit and store;
  • policies and procedures articulating the accepted parameters for the use of PSDs in the organisation;
  • ICT controls for the use of PSDs being appropriate to the identified organisational risks;
  • security training and awareness programs addressing the risks associated with the use of PSDs and agency expectations of their staff; and
  • security incident response mechanisms covering the possible theft or loss of PSDs and processes for managing the associated risks of these incidents.

22. The report’s recommendations, which are directed to ITSA and Australian Hearing improving their management of PSDs, may have broader application to other public sector agencies. The audit also highlights several areas of better practice that may be of wider benefit.

Key findings by chapter

Risk assessments (Chapter 2)

23. The PSPF aims to assist agency CEOs in taking a risk-managed approach to security in their organisations. As part of the PSPF’s overarching framework, there are several mandatory requirements for agencies to undertake risk assessments and implement appropriate controls to mitigate residual risk. This applies to PSDs, which may fall within both the ‘asset’ and ‘information’ realms of protective security.

24. Additionally, better practice, as outlined by the Privacy Commissioner,8 would see agencies use PSDs based on a risk assessment of how the devices are used, and the type of information they store.

25. While the ATO had a robust risk assessment framework in place for its use of PSDs, ITSA and Australian Hearing had not conducted specific risk assessments for the use of PSDs or adequately considered the risks associated with these devices as part of their wider agency risk management processes.

26. As risk assessments provide the vital underpinning for a layered approach to ICT security (incorporating policies and procedures, ICT controls, training and awareness activities and incident response procedures), the ANAO has recommended that agencies include in their risk management activities a risk assessment of their use of PSDs, and develop and document risk mitigation strategies where necessary.

Policies and procedures (Chapter 3)

27. Agency policies and procedures assist staff in their day-to-day business and are designed to assist compliance with legislative and other requirements. In the protective security context, clear policies aid staff to understand their agency’s security risks, and the agency’s expectations of them with regard to security responsibilities. Procedures are often technical documents that set out working requirements; for example, Standard Operating Procedures for ICT staff set out the required actions in a number of scenarios, including incident response.

28. The PSPF and ISM require agencies to have documented policies and procedures for the management of PSDs. The Privacy Commissioner has also provided some guidance on topics for agencies to consider including in their policies and procedures for PSD use.

29. Each agency could make some improvements to their policies and procedures for the way their staff are to use PSDs, although at the ATO this was considered to be minor in nature. In line with the Privacy Commissioner’s guidance, policies and procedures are expected to be based on a risk assessment and to cover key considerations such as the permitted uses of PSDs and the type of information they are permitted to hold, and expected practices for disposal and incident reporting.

30. Accordingly, the ANAO has recommended that agencies review their existing policies and procedures, or develop new policies and procedures, that clearly state the accepted parameters for PSD use. Policies and procedures for security matters in general (and relevant to this audit, PSD use), should be readily available to staff and reinforced via training and awareness programs.

Hardware and software controls (Chapter 4)

31. Appropriate ICT controls are a vital element to an effective overall approach to security for PSDs in agencies. An effective risk assessment will highlight the most appropriate controls in individual agencies to mitigate identified security risks. Agency ICT controls should also be in line with the Government’s requirements set out in the ISM and other DSD publications such as hardening guides and formal evaluations of ICT equipment.

32. The ANAO tested agencies’ ICT controls for PSDs against a number of ISM controls. In light of potential security concerns, the ANAO’s findings have not all been reported in detail in this report. However, the findings were provided to each of the agencies during the course of the audit.

33. Overall, the ATO had implemented ICT controls that met the requirements of the ISM and adequately addressed the risks of PSDs to that organisation. However, both ITSA and Australian Hearing could improve aspects of their ICT controls framework.

34. The ANAO observed that a common weakness was in the ICT controls for the use of USB flash drives and CDs/DVDs. Due to their size, portability and capacity to store large amounts of data, these devices can pose security risks to agencies.

35. ITSA’s laptop computers did not have hard disk encryption at the time of the audit; however, ITSA advised the ANAO that all of its laptops were expected to have hard disk encryption early in 2012.

36. Australian Hearing laptop computers had a number of control weaknesses at the time of the audit. Australian Hearing advised that it was working to address many of these issues, while continuing to consider the business impact of implementing other controls.

37. The ANAO has recommended that agencies implement hardware and software controls that mitigate the risks specific to their organisation.
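The report does not describe how the ICT controls discussed in paragraphs 34 and 35 were tested. The following PowerShell script is an added example, not part of the ANAO report or any audited agency’s tooling, of the checks an ICT security officer could run on a single Windows endpoint to confirm three of the controls at issue: removable disk and CD/DVD access restrictions, the USB mass storage driver state, and full disk encryption of the system drive. It assumes Windows 8/Server 2012 or later with the BitLocker PowerShell module, an elevated session, and that the agency enforces the standard Group Policy ‘Removable Storage Access’ settings (the registry locations below are those policy settings; the threshold of what counts as a finding is an assumption and should be taken from the agency’s own risk assessment). It also lists every removable device the host has ever enumerated, which is the kind of record needed when reconstructing what a lost or stolen device held and which hosts it touched.

```powershell
# Added example: audit one Windows endpoint's PSD controls (not from the ANAO report).
# Assumes Windows 8 / Server 2012 or later, the BitLocker module, and an elevated session.
$PolicyRoot         = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$RemovableDiskClass = '{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'   # Removable disks (USB flash, external HDD)
$CdDvdClass         = '{53f56308-b6bf-11d0-94f2-00a0c91efb8b}'   # CD and DVD drives

function Get-PolicyDword {
    # Reads a DWORD under the Removable Storage Access policy key; $false if absent.
    param([string]$SubKey, [string]$Name)
    $key = if ($SubKey) { Join-Path $PolicyRoot $SubKey } else { $PolicyRoot }
    if (-not (Test-Path $key)) { return $false }
    $v = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.$Name -eq 1)
}

function Test-UsbStorDisabled {
    # Start = 4 disables the USB mass-storage driver itself (the 'complete lock down' option).
    $svc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' `
                            -Name Start -ErrorAction SilentlyContinue
    return ($null -ne $svc -and $svc.Start -eq 4)
}

function Get-SystemDriveEncryption {
    # BitLocker state of the OS volume. 'Encrypted' alone is not enough: protection
    # must also be On, otherwise the key is exposed in the clear (e.g. suspended state).
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    if ($null -eq $vol) {
        return [pscustomobject]@{ Encrypted = $false; Protection = 'Unknown'; Method = 'None' }
    }
    [pscustomobject]@{
        Encrypted  = ($vol.VolumeStatus -eq 'FullyEncrypted')
        Protection = $vol.ProtectionStatus
        Method     = $vol.EncryptionMethod
    }
}

function Get-RemovableDeviceHistory {
    # Every USB mass-storage device Windows has ever enumerated on this host, with its
    # vendor/model (key name) and instance ID (usually the device serial number).
    $enum = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
    if (-not (Test-Path $enum)) { return @() }
    Get-ChildItem $enum | ForEach-Object {
        $model = $_.PSChildName
        Get-ChildItem $_.PSPath | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            [pscustomobject]@{ Model = $model; Serial = $_.PSChildName; FriendlyName = $p.FriendlyName }
        }
    }
}

$findings = @()
$lockedDown = (Get-PolicyDword '' 'Deny_All') -or (Test-UsbStorDisabled)

if (-not $lockedDown) {
    if (-not (Get-PolicyDword $RemovableDiskClass 'Deny_Write')) {
        $findings += 'Removable disks: write access not denied (data can be copied off the network)'
    }
    if (-not (Get-PolicyDword $RemovableDiskClass 'Deny_Execute')) {
        $findings += 'Removable disks: execute not denied (malware introduction vector)'
    }
    if (-not (Get-PolicyDword $CdDvdClass 'Deny_Write')) {
        $findings += 'CD/DVD: write (burn) access not denied'
    }
}
$enc = Get-SystemDriveEncryption
if (-not $enc.Encrypted -or $enc.Protection -ne 'On') {
    $findings += "System drive: not fully encrypted with protection on (status $($enc.Protection), method $($enc.Method))"
}

if ($findings.Count -eq 0) { 'PSD controls: no findings' }
else { $findings | ForEach-Object { "FINDING: $_" } }
'Removable devices previously connected to this host:'
Get-RemovableDeviceHistory | Format-Table -AutoSize
```

Run it across a fleet (for example through a scheduled task that writes the output to a central share) and the per-host results can be compared with the parameters set in the agency’s PSD policy; a host where `Deny_All` or the USBSTOR lock down is in place is treated as satisfying the removable disk and CD/DVD checks, which is the trade-off between a full lock down and a more permissive policy that paragraph 19 describes.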

Staff training and awareness (Chapter 5)

38. Mandatory requirements of the PSPF and ISM, and the Privacy Commissioner’s better practice guidance, all recognise the importance of training and awareness programs in enabling agencies to build a security culture.

39. The ATO had a comprehensive security training and awareness program that covered the risks associated with the use of PSDs. However, ITSA and Australian Hearing could improve their approach to security training and awareness in their organisations.

40. At ITSA a comprehensive security training session had been run in previous years but this had been an ad-hoc arrangement, with no plan or framework for ongoing security training and awareness programs. While Australian Hearing was developing a formal training framework including online delivery of security training, this was not in place at the time of the audit.

41. The ANAO has recommended that the security training and awareness programs of both agencies address the risks of PSDs to their organisation.

Lost and stolen Portable Storage Devices (Chapter 6)

42. Incident response procedures are an important part of any agency’s security management framework. These procedures document the steps to be undertaken in the event of a security incident (physical, personnel or information security). In an ICT security and more specifically, PSD security context, an incident response procedure should outline the expected responses both from general agency staff and the officer/s assigned responsibility for managing security incidents.

43. In each agency, policies and procedures gave clear advice to staff about their reporting obligations in the case of a lost or stolen device. However, at ITSA and Australian Hearing, procedures detailing the incident response steps required of the responsible officer/s were not adequately documented.

44. Another element that was not addressed by the two agencies was the reporting of lost or stolen devices to DSD.9 While individual incidents may appear innocuous, DSD uses reports of these incidents to identify and respond to trends across government, and to develop new policies, procedures, techniques and training measures.10

45. The ANAO has recommended that agency incident response procedures include steps to respond to the theft or loss of a PSD.

Summary of agency responses

46. The agencies’ responses to each recommendation are included in the body of the report, directly following each recommendation. Agencies’ general comments on the audit report are below.

Australian Taxation Office

47. The Australian Taxation Office (ATO) welcomes the audit report on Information and Communications Technology Security: Management of Portable Storage Devices and agrees with the Australian National Audit Office overall assessment that steps have been taken to effectively manage risks associated with the use of Portable Storage Devices (PSDs).

48. The review highlights that the ATO is compliant in all fields of Information and Communications Technology controls such as USB flash drives, CDs/DVDs, laptop computers and smart phones. The review also identifies our robust risk assessment framework for the use of PSDs, as well as our comprehensive security training and awareness programs. We acknowledge that the five recommendations noted in the report are not directed to the ATO.

49. Overall, the Tax Office appreciates the recognition given for the work we have undertaken to ensure we have highly developed practices for the management of PSDs.

Insolvency and Trustee Service Australia

50. The Insolvency and Trustee Service Australia welcomes this report and considers that implementation of the recommendations will enhance the protection and security of electronic information held by Australian Government agencies. The Insolvency and Trustee Service Australia agrees with the recommendations in the report.

Australian Hearing

51. Australian Hearing notes that while not currently subject to the requirements used to measure the organisation’s management of PSDs, the audit findings do provide a valuable baseline for comparison against organisations that are subject to them. Australian Hearing welcomes the recommendations made by ANAO and effort has commenced to address the risks posed by Portable Storage Devices to the Australian Hearing environment.

Footnotes

[1]   Trusted Information Sharing Network for Critical Infrastructure Program, Portable Data Storage Security Information for CIOs/CSOs, November 2009.

[2]   The Hon. Robert McClelland MP, Attorney-General, Directive on the Security of Government Business, Protective Security Policy Framework, Attorney-General’s Department, June 2010.

[3]   Australian Hearing is an entity under the Commonwealth Authorities and Companies Act 1997 (the CAC Act), not an agency as defined by the Financial Management and Accountability Act 1997 (the FMA Act). However, the Protective Security Policy Framework and the Information Security Manual refer to ‘agencies’. For ease of reference, this report will refer to Australian Hearing as an agency.

[4]   The PSPF and ISM apply to: ‘those agencies subject to the FMA Act; those subject to the CAC Act who have been directed by their Minister to follow the general policies of the government; and other bodies established for a public purpose under a law of the Commonwealth, where the body or agency has been directed by their Minister that the PSPF applies to them’. Source: <http://www.ag.gov.au/pspf>, [accessed 8 August 2011].

[5]   Department of the Prime Minister and Cabinet (PM&C), Public Discussion Paper: Connecting With Confidence – Optimising Australia’s Digital Future, August 2011, p. 5.

[6]   The Directive applies to those agencies subject to the FMA Act and certain other bodies – see footnote 4. The Hon. Robert McClelland MP, Directive on the Security of Government Business, op.cit.

[7]   ANAO Audit Report No.33 2010–11 The Protection and Security of Electronic Information Held By Australian Government Agencies, March 2011, p. 17.

[8]   The Office of the Privacy Commissioner, Public Sector Information Sheet 3 – Portable Storage Devices and personal information handling, May 2009.

[9]   This is a requirement of the ISM 2010 (termed ‘media’ in the ISM).

[10]  Information Security Manual 2011, p. 68. Agency ICT security staff can become members of DSD’s Onsecure website which provides advice on cyber security and an online incident reporting tool. See <http://www.onsecure.gov.au>.