The Protection and Security of Electronic Information Held by Australian Government Agencies
The objective of the audit was to assess the effectiveness of Australian Government agencies' management and implementation of measures to protect and secure their electronic information, in accordance with Australian Government protective security requirements.
Summary
Introduction
1. The Attorney-General has overall policy responsibility for Australian Government[1] protective security arrangements, while agency[2] Chief Executive Officers (CEOs) are responsible for the protective security arrangements within their own organisations. This includes the requirement to ‘actively manage security risks associated with electronic data transmission, aggregation and storage’.[3] Given the increasing reliance on Information and Communications Technology (ICT) to deliver services, electronic information security is an increasingly important element of the overall protective security framework.
2. Agency CEOs are required to have in place effective protective security programs that cover requirements associated with:
- each agency's capacity to function;
- maintaining the public's confidence in agencies;
- the safeguarding of official resources and information held on trust; and
- the safety of those employed to carry out the functions of Government and those who are clients of Government.[4]
3. Attacks on agency computer systems can be aimed at damaging critical infrastructure; obtaining access to Government, personal or financial information (for example, identity theft); or making a political point (issue-motivated groups).[5] The recent ‘Wikileaks’ release of Government electronic information has demonstrated the importance of maintaining appropriate protective security frameworks and the risks of failing to adequately protect electronic information.
The Protective Security Policy Framework
4. In June 2010 the Attorney-General announced that the new Protective Security Policy Framework (PSPF) had come into effect. The PSPF places an emphasis on the need for agencies to develop an appropriate security culture to securely meet their business needs. The Directive from the Attorney-General to agency CEOs states:
…agency heads are to ensure that protective security is a part of their agency's culture. A successful culture will effectively balance the competing requirements of limiting access to those that have a genuine ‘need to know’ with ensuring key business partners receive the information in an appropriate timeframe (‘need-to-share’).[6]
5. The PSPF outlines four core protective security policies covering Governance, Personnel, Physical and Information security. These four policies incorporate a total of 33 mandatory protective security requirements for agencies,[7] which assist CEOs in developing a security culture within their agency. For example:
- agencies must provide all staff, including contractors, with sufficient information and security awareness training to ensure they are aware of, and meet, the requirements of the PSPF;[8]
- agencies must appoint a member of the Senior Executive Service as the security executive, responsible for the agency protective security policy and oversight of protective security practices;[9] and
- agencies must develop an agency security plan, protective security policies, procedures and risk assessments that are endorsed by agency heads.[10]
The Protective Security Manual
6. The Protective Security Manual 2007 (PSM) has been superseded by the PSPF as the source of policy, procedures, and minimum standards for agencies in setting their protective security arrangements. Currently, there is a 12 month transition period between the introduction of the new PSPF and phasing out of the PSM, which is due to be completed by the middle of 2011. AGD has advised that:
The launch of the Protective Security Policy Framework (PSPF) in June 2010 changed the status of the Protective Security Manual (PSM) to a secondary document, with the PSPF now the prime source on protective security policy expectations. Redevelopment of PSM subject matter into new PSPF protocol, standard, and guidance documents for the new PSPF is underway and expected to be completed by mid 2011. The subject matter in the PSM will be replaced by the new PSPF documents as they are progressively released.[11]
The Information Security Manual
7. While the PSPF provides the overarching policy framework, the Information Security Manual (ISM) 2010[12] provides the detail on ICT security for agencies to follow. The ISM is prepared by the Defence Signals Directorate (DSD)[13] and its purpose is to ‘provide a risk-managed approach to the protection of information and systems in Government’.[14] The ISM sets out the technical measures (controls) for agencies to implement to protect information stored or transmitted via electronic means.[15]
Audit objective and scope
8. The objective of the audit was to assess the effectiveness of Australian Government agencies' management and implementation of measures to protect and secure their electronic information, in accordance with Australian Government protective security requirements.
9. The following agencies were selected for inclusion in the audit:
- the Australian Office of Financial Management (AOFM);
- ComSuper;
- Medicare Australia; and
- the Department of the Prime Minister and Cabinet (PM&C).
10. These agencies were selected as they represent a general cross-section of agencies and their associated ICT systems.
11. To address the audit objective, the ANAO examined the extent to which agencies had an effective framework and controls in place across the following four areas: information security framework; network security management; access management; and equipment security.
12. The audit also assessed whether the selected agencies had implemented recommendations from previous ANAO audit reports[16] relating to ICT security management, installation of security patches,[17] review of event logs, and maintenance of ICT documentation. The protection and security of non-electronic information, and Government information held by third parties, such as service providers, was not examined in this audit.
13. The audit was conducted with the support of AGD and the specialist advice of DSD. The ANAO appreciates the time and comments provided by staff at both those agencies throughout the course of the audit.
14. The audit is part of a program of cross-agency performance audits that examines processes supporting the delivery of services by Government agencies. Since 1995 the ANAO has undertaken 11 cross-agency audits on the Government's protective security arrangements. In each of these audit reports the ANAO has encouraged all Government agencies to assess the benefits of the recommendations in light of their own circumstances and practices.
Overall conclusion
15. Delivery of services by Government is reliant on secure and protected ICT systems. Vulnerabilities within ICT systems may allow an attacker to gain access to sensitive information, including information about Government decision making, significant financial transactions, and aggregate personal and financial information. Attackers could also potentially cause disruption to agency services, payments and public information.
16. Agency CEOs are responsible for ensuring that protective security is a part of their agency's culture. Therefore, agencies should build protective security into their business processes and organisation's values. While no ICT system can be completely safe from an intentional or unintentional security breach, agencies should take a risk-based approach in implementing ICT security policies and practices that are based on their assessment of the requirements of the PSPF and the ISM.
17. Overall, the audit concluded that the measures examined in the audited agencies to protect and secure electronic information were generally operating in accordance with Government protective security requirements. The agencies had established information security frameworks; had implemented controls to safeguard information, to protect network infrastructure and prevent and detect unauthorised access to information; and had controls in place to reduce loss, damage or compromise to ICT assets.
18. However, the audit did identify scope for the audited agencies to enhance their security measures in the following key areas:
- information security policies and procedures need to be complete and up-to-date. Some agency policies and procedures were out-of-date, and each agency needed to compile or update their Standard Operating Procedures (SOPs) for ICT security officers. These policies and procedures assist in the consistent implementation of key ICT security measures, controls and practices;
- third-party software applications should be regularly assessed for the availability of patches, and patches applied accordingly, to better protect their security, especially given their known vulnerability to attack. This was an issue identified in two of the four audited agencies;
- administrator accounts and service accounts, which allow a high level of access across ICT systems, should use suitably complex password configurations to reduce the potential for inappropriate access. A password test applied by the ANAO had mixed results, showing weaknesses in passwords for administrator and service accounts in several agencies; and
- emails using public web-based email services[18] should be blocked on agency ICT systems, as these can provide an easily accessible point of entry for an external attack and subject the agency to the potential for intended or unintended information disclosure. Webmail accounts were accessible in one of the audited agencies, and logs showed that some staff were using these accounts on a regular basis.
19. The audit highlights several areas of better practice and makes four recommendations aimed at improving approaches to the protection and security of electronic information. Only the first recommendation applies directly to AOFM. The other three audited agencies each had several issues to address, reflected in the four recommendations. All four of the report's recommendations may also have applicability to other Government agencies.
Key findings by chapter
The Information Security Framework (Chapter 2)
20. Agency CEOs must establish an appropriate and functional information security framework which facilitates the implementation of security measures that match the information's value, classification and sensitivity, and adhere to all legal requirements. More generally, CEOs are also responsible for overseeing the development of an appropriate protective security culture amongst their staff.
21. The PSPF provides an overarching policy framework, including prescribed mandatory requirements, to assist agencies in implementing an information security framework that has regard to principles of accountability, transparency, efficiency and leadership. There are specific requirements regarding oversight arrangements, information security policies and associated plans, including disaster recovery plans.
22. The four agencies subject to audit each had an appropriate information security framework in place. The agencies also had key information security policies and plans. However, some of the policies, and associated procedures, were not regularly updated. These procedures are important to establish that key ICT security measures are consistently implemented and, if necessary, could be undertaken by system users who do not have a strong technical knowledge of the system. The ANAO has recommended that agencies review their information security policies and procedures for completeness and currency.
23. Audited agencies had developed suitable plans to manage a security incident within their agency, and had implemented these plans successfully for recent ICT security incidents. Agencies also had an appropriate program for security training to facilitate staff awareness of information security issues.
Network Security Management (Chapter 3)
24. Network security management refers to the controls implemented by agencies to manage the confidentiality, integrity and accessibility of information as it passes within the agency's network and to, and from, outside networks.
Network security framework
25. The PSPF requires agencies to implement an appropriate network security framework that responds to the business need and level of risk involved. In assessing the network security framework of the audited agencies against the PSPF requirements, the ANAO reviewed key aspects of each agency's ICT system, including: the Intrusion Detection Strategy (IDS); software product patching; and the Standard Operating Environment (SOE).
Intrusion Detection Strategy
26. Each audited agency had adequate technical measures for their IDS, in accordance with ISM requirements. Three of the four agencies also had implemented sound procedures for detecting, logging and reviewing intrusions to their ICT systems. However, one agency lacked a robust, documented process for reviewing Internet access logs, thereby increasing the risk of exposing the agency to external intrusion.
Software product patching
27. While the four audited agencies were adequately managing the patching of their core operating systems, two of the agencies had not developed and documented appropriate procedures for managing patches relating to third-party software applications. Patching third-party software is a practice that is recognised by DSD as an effective strategy to mitigate the risk of intrusion into ICT systems. The ANAO has recommended that agencies review their third-party application patching policies, undertake risk assessments on vendor-identified patches and apply patches in a timely manner.
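The patching finding above turns on two questions an agency can answer mechanically: which installed third-party products sit below the vendor's fixed version, and how long each patch has been outstanding relative to the agency's own risk-based deadline. The following is an added example, not part of the ANAO report or any agency's tooling; the inventory, advisories, product names and SLA values are all constructed placeholders, and real deployments would draw them from asset management and vendor advisories.

```python
from datetime import date

# Assumed deployment deadlines in days after vendor release, keyed by vendor severity.
# These are placeholder values; each agency's risk assessment sets the real ones.
SLA_DAYS = {"critical": 2, "high": 14, "medium": 30, "low": 90}

# Constructed inventory of installed third-party applications (host, product, version).
INVENTORY = [
    {"host": "ws-101", "product": "pdf-reader", "version": "9.3.4"},
    {"host": "ws-101", "product": "media-player", "version": "2.0.1"},
    {"host": "srv-07", "product": "pdf-reader", "version": "9.4.1"},
]

# Constructed vendor advisories: the version that fixes the issue, when it shipped,
# and the vendor-assigned severity.
ADVISORIES = [
    {"product": "pdf-reader", "fixed_version": "9.4.1",
     "released": date(2010, 11, 15), "severity": "critical"},
    {"product": "media-player", "fixed_version": "2.0.1",
     "released": date(2010, 12, 1), "severity": "medium"},
]


def parse_version(text):
    """Turn a dotted version string into a tuple so it compares numerically."""
    return tuple(int(part) for part in text.split("."))


def latest_advisory_per_product(advisories):
    """Keep only the highest fixed version for each product."""
    latest = {}
    for adv in advisories:
        current = latest.get(adv["product"])
        if current is None or parse_version(adv["fixed_version"]) > parse_version(current["fixed_version"]):
            latest[adv["product"]] = adv
    return latest


def outstanding_patches(inventory, advisories, today):
    """Return one finding per installed product that is below the vendor's fixed version.

    Each finding records how many days the patch has been available and whether
    that exceeds the SLA for the advisory's severity.
    """
    latest = latest_advisory_per_product(advisories)
    findings = []
    for item in inventory:
        adv = latest.get(item["product"])
        if adv is None:
            continue  # no advisory known for this product
        if parse_version(item["version"]) >= parse_version(adv["fixed_version"]):
            continue  # already at or above the fixed version
        age_days = (today - adv["released"]).days
        findings.append({
            "host": item["host"],
            "product": item["product"],
            "installed": item["version"],
            "fixed": adv["fixed_version"],
            "severity": adv["severity"],
            "days_outstanding": age_days,
            "overdue": age_days > SLA_DAYS[adv["severity"]],
        })
    return findings


if __name__ == "__main__":
    for finding in outstanding_patches(INVENTORY, ADVISORIES, date(2011, 1, 6)):
        print(finding)
```

Run against the constructed data as at 6 January 2011, the check reports the one workstation still on the old PDF reader, 52 days after a critical fix shipped and well past its 2-day SLA, while the media player and the server are current. The same loop, fed a real inventory and advisory feed, is the evidence an agency needs to show that vendor-identified patches were risk-assessed and applied in a timely manner.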
Standard Operating Environment
28. Audited agencies were compliant with the requirements of the ISM regarding the settings applied to SOEs; had implemented procedures regarding the management of relevant changes to network settings; and had up-to-date diagrams showing all connections to the agency network to facilitate the management of system configuration.
Security of information exchange
29. The security of information transmitted within an agency and to external parties is important to agency network security. The ANAO reviewed the cryptographic security and email infrastructure settings of each audited agency to evaluate its security of information exchange settings.
30. Cryptography (the science of writing in a secret code) is a crucial mechanism for ensuring the security of the transmission of agency data. The ISM prescribes that an agency that chooses to use cryptography must comply with approved systems of encryption set out by DSD. Each audited agency used cryptography in a manner compliant with the ISM.
31. Configuring email servers in a secure manner and implementing protective markings to mitigate the risk of malicious emails is a central element of the security of information exchange within, and to and from, an agency. The ISM requires agencies to have specific systems in place to manage the security of email systems. While audited agencies were compliant with the ISM requirements regarding email system security, users could easily circumvent the classification requirements in the email system by attaching a document with a high protective classification marker to an email with a lower protective marker. The risk to agencies is that a classified document may intentionally or unintentionally be emailed to an unsecured or lower-classified network. This is a known risk accepted by most Government agencies in the interests of system functionality. It highlights the need for security awareness and training about the appropriate use of the email classification system.
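The marker mismatch described above is straightforward to detect at the mail gateway if each message and each attachment carries a machine-readable protective marking. The code below is an added example, not part of the ANAO report or of any agency's mail filter. It assumes a fixed ordering of markings (the list of names and the `[SEC=...]` subject syntax are placeholders standing in for whatever scheme the agency's policy prescribes) and that attachment markings are available as strings, for instance from document metadata.

```python
import re

# Assumed ordering of protective markings, lowest to highest. Placeholder names only;
# the agency's classification policy defines the real set and order.
MARKING_ORDER = ["UNCLASSIFIED", "PROTECTED", "CONFIDENTIAL", "SECRET"]
LEVEL = {name: rank for rank, name in enumerate(MARKING_ORDER)}

# Assumed subject-line marker syntax, e.g. "Minutes [SEC=PROTECTED]".
SUBJECT_MARKER_RE = re.compile(r"\[SEC=(?P<marking>[A-Z-]+)\]")

UNMARKED = "missing or unrecognised protective marking"


def subject_marking(subject):
    """Extract the marking from the subject line, or None if absent."""
    match = SUBJECT_MARKER_RE.search(subject)
    return match.group("marking") if match else None


def check_message(subject, attachments):
    """Compare each attachment's marking with the email's marking.

    attachments: list of (filename, marking) tuples, marking being a string or None.
    Returns a list of (item, reason) findings; an empty list means the message is
    consistent. An unmarked message is treated as the lowest level, so any marked
    attachment above that level is reported against it.
    """
    findings = []
    email_marking = subject_marking(subject)
    if email_marking not in LEVEL:
        findings.append(("message", UNMARKED))
    email_level = LEVEL.get(email_marking, 0)
    for filename, marking in attachments:
        if marking not in LEVEL:
            findings.append((filename, UNMARKED))
        elif LEVEL[marking] > email_level:
            findings.append((filename, f"{marking} attachment exceeds email marking "
                                       f"{email_marking or 'NONE'}"))
    return findings


def should_hold(findings):
    """Gateway decision: hold the message for review if any finding was raised."""
    return bool(findings)


if __name__ == "__main__":
    # Constructed sample message: an UNCLASSIFIED email carrying a SECRET attachment.
    sample = check_message("Board minutes [SEC=UNCLASSIFIED]",
                           [("brief.docx", "SECRET"), ("agenda.docx", "UNCLASSIFIED")])
    print(sample, "hold" if should_hold(sample) else "deliver")
```

Whether a flagged message is blocked, quarantined or merely logged is a policy choice; the report notes that most agencies accept this risk for the sake of functionality, in which case the findings are still useful as input to the security awareness training the paragraph calls for, since they show which users are attaching higher-marked documents to lower-marked mail.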
Implementation of Gateway and network access point security
32. The access point between a secure network and an external environment such as the Internet is an important control for agencies in managing the security of their ICT systems. Agencies need to have appropriate Gateway controls in place on such access points to manage the confidentiality, integrity and availability of agency data. In assessing the access point security controls implemented by agencies, the ANAO considered whether: Gateway configurations were ISM compliant and certified to DSD requirements; content filtering settings were appropriate; and firewalls were appropriately configured.
Gateway configurations
33. The ISM sets out specific technical requirements regarding the configuration of communication paths in and out of internal networks, known as the system's Gateways. There is a certification process for agency Gateways to minimise the security risk faced by agencies when connecting internal networks to external environments. While each agency had appropriate certification for their main Gateways, two agencies were also using uncertified Gateways. The use of uncertified Gateways exposes the agencies to an increased risk of unauthorised access from outside the internal network and is not in accordance with DSD requirements.
Content filtering
34. Audited agencies had appropriate and functional content filtering systems for accessing Internet sites, in accordance with the requirements of the ISM. However, personal email accounts were found to still be accessible in one agency, increasing the risk of external intruder attack for that agency. The ANAO has recommended that agencies reconsider the risks of allowing users access to personal email accounts.
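Both the log review weakness noted under Intrusion Detection Strategy and the webmail finding above come down to routinely reading the proxy or gateway logs for a specific pattern. The following is an added example, not the ANAO's test or any agency's tooling: it parses constructed proxy log lines in a simple space-separated layout (timestamp, user, result code, URL), flags requests to an assumed set of public webmail domains, and separates requests the content filter already denied from those it let through. The log format, the user names and the `webmail.example.test` domain are constructed for this example; hotmail and gmail are the services footnote 18 names.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumed list of public web-based email domains to watch for. "webmail.example.test"
# is a constructed placeholder; the others are the services named in footnote 18.
WEBMAIL_DOMAINS = {"hotmail.com", "gmail.com", "mail.google.com", "webmail.example.test"}

# Constructed proxy log lines: timestamp, user, result, URL (one request per line).
SAMPLE_LOG = """\
2011-01-06T09:12:01 jsmith TCP_MISS/200 https://webmail.example.test/inbox
2011-01-06T09:13:44 jsmith TCP_MISS/200 https://intranet.agency.test/news
2011-01-06T09:15:09 abrown TCP_DENIED/403 https://www.hotmail.com/
2011-01-06T10:02:30 cwhite TCP_MISS/200 https://mail.google.com/mail/u/0/
2011-01-06T10:05:12 jsmith TCP_MISS/200 https://mail.google.com/mail/
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<result>\S+)\s+(?P<url>\S+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    match = LOG_RE.match(line.strip())
    if not match:
        return None
    record = match.groupdict()
    record["host"] = (urlsplit(record["url"]).hostname or "").lower()
    # Anything the proxy denied never reached the webmail service.
    record["allowed"] = not record["result"].startswith("TCP_DENIED")
    return record


def is_webmail(host, webmail_domains=WEBMAIL_DOMAINS):
    """True if the host is one of the watched domains or a subdomain of one."""
    return any(host == domain or host.endswith("." + domain) for domain in webmail_domains)


def review_webmail_access(log_text, webmail_domains=WEBMAIL_DOMAINS):
    """Count webmail requests per user, split by whether the filter allowed them.

    A non-empty "allowed" map is the signal the audit looked for: the content
    filter is not blocking webmail, and these users are reaching it.
    """
    allowed, denied = Counter(), Counter()
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is None or not is_webmail(record["host"], webmail_domains):
            continue
        (allowed if record["allowed"] else denied)[record["user"]] += 1
    return {"allowed": dict(allowed), "denied": dict(denied)}


if __name__ == "__main__":
    report = review_webmail_access(SAMPLE_LOG)
    print("webmail reached:", report["allowed"])
    print("webmail blocked:", report["denied"])
```

On the constructed log this reports that two users reached webmail three times while one attempt was blocked. Scheduling the same review daily, with the domain list maintained alongside the content filter's rules, gives the documented log review process that one audited agency lacked, and the per-user counts give the evidence for the regular-use pattern the audit found.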
Firewall configurations
35. System firewalls help to protect internal ICT systems from external attack and malicious data originating from the Internet. Audited agencies were using appropriate firewall systems in accordance with ISM requirements.
Access Management (Chapter 4)
36. Agencies are required to develop policies and procedures to manage access to internal ICT networks. The ANAO reviewed user management, including granting and removing user access; agency password policies; and the management of privileged access accounts.
User management
37. Audited agencies had a documented process for granting and removing user access. ANAO analysis of a sample of user commencements and exits found that these documented processes were being followed correctly.
Password policies
38. The ISM prescribes specific controls regarding the selection of passwords in order to mitigate the risk of attempted password compromise. Three of the audited agencies had appropriate password policies, which were reflected in their system configurations. One agency's password settings were not meeting the ISM requirements; however, the ANAO was advised this would be corrected with the implementation of a new operating system in February 2011.
39. The ANAO applied a password compromise test designed to assess the strength of users' passwords in the audited agencies. Overall, the test results were mixed, indicating a need for agencies to regularly monitor passwords and ensure users are following password security policies.
Privileged access accounts
40. The password compromise test was also applied to user accounts with privileged access. These types of accounts typically have a high level of system access and would allow an attacker high levels of access to an agency's ICT network, if compromised. In three of the four audited agencies testing indicated that the passwords for privileged access accounts could be compromised.
41. The ANAO has recommended that agencies review the complexity requirements of passwords being used by privileged access account users, to better reflect the risk associated with the level of access these accounts provide.[19]
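The recommendation above asks for complexity requirements that scale with the access an account carries. One way to enforce that at the point a password is set is a tiered policy check, shown here as an added example that is not part of the ANAO report or any agency's identity system. The minimum lengths, character-class counts, maximum ages and the denylist are constructed placeholders; the ISM sets the actual minimums, and footnote 19 notes agencies may require more.

```python
import re
from datetime import date

# Assumed policy tiers: privileged (administrator and service) accounts get the
# stricter rules. Placeholder values; the ISM and agency policy define the real ones.
POLICY = {
    "standard":   {"min_length": 8,  "min_classes": 3, "max_age_days": 90},
    "privileged": {"min_length": 14, "min_classes": 4, "max_age_days": 30},
}

# The four character classes counted towards complexity.
CLASS_PATTERNS = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]

# Constructed denylist of values that must never be accepted; a real deployment
# would use a much larger list maintained by the security team.
DENYLIST = {"password", "welcome1", "admin123", "changeme"}


def character_classes(password):
    """Number of distinct character classes present in the password."""
    return sum(1 for pattern in CLASS_PATTERNS if re.search(pattern, password))


def check_password(account, password, last_changed=None, today=None):
    """Return the list of policy rules a password fails for the given account.

    account: dict with "name" and a boolean "privileged" flag.
    last_changed/today: dates used for the maximum-age rule when supplied.
    An empty list means the password satisfies the account's tier.
    """
    tier = "privileged" if account.get("privileged") else "standard"
    rules = POLICY[tier]
    failures = []
    if len(password) < rules["min_length"]:
        failures.append(f"shorter than {rules['min_length']} characters")
    if character_classes(password) < rules["min_classes"]:
        failures.append(f"fewer than {rules['min_classes']} character classes")
    lowered = password.lower()
    if lowered in DENYLIST:
        failures.append("on the denylist")
    if account["name"].lower() in lowered:
        failures.append("contains the account name")
    if last_changed is not None:
        today = today or date.today()
        if (today - last_changed).days > rules["max_age_days"]:
            failures.append(f"older than {rules['max_age_days']} days")
    return failures


def audit_accounts(records, today):
    """Apply check_password across (account, password, last_changed) records.

    Returns a dict of account name -> failures for accounts that fail any rule.
    """
    results = {}
    for account, password, last_changed in records:
        failures = check_password(account, password, last_changed, today)
        if failures:
            results[account["name"]] = failures
    return results


if __name__ == "__main__":
    # Constructed sample: a service account whose password embeds its own name.
    svc = {"name": "svc_backup", "privileged": True}
    print(check_password(svc, "Svc_backup2011!", date(2010, 12, 20), date(2011, 1, 6)))
```

The same rules can be run over an existing account population at each password change rather than as a one-off test, which addresses the report's point that agencies need to monitor passwords regularly rather than rely on a policy document alone. Keeping the privileged tier separate also makes the risk-based distinction in footnote 19 explicit in configuration rather than leaving it to individual administrators.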
Equipment Security (Chapter 5)
42. The PSPF and ISM require agencies to implement appropriate levels of physical security to minimise the risk of agency ICT equipment being compromised. The ANAO reviewed agencies' implementation of physical security practices related to ICT equipment.
43. Audited agencies had appropriate management measures in place to minimise the risk of equipment theft or loss, and were compliant with the requirements of the PSPF in relation to the security controls applied to equipment provided by third-party providers.
44. Also, audited agencies had implemented appropriate data protection controls such as the encryption of remotely accessed data to safeguard mobile devices used by agency staff. The agencies also had appropriate policies and controls in place to facilitate remote access for agency staff accessing an internal network externally from the organisation and to monitor usage with anti-virus software in accordance with the ISM requirements.
Summary of agencies' responses
45. The agencies' responses to each recommendation are included in the body of the report, directly following each recommendation. Agencies' general comments on the audit report are below.
Australian Office of Financial Management
46. The AOFM notes that of the four recommendations, only Recommendation No.1 applies directly to the AOFM. The AOFM agrees to this recommendation.
ComSuper
47. ComSuper welcomes the ANAO report and notes that most of the matters raised will be of interest to all Government agencies. ComSuper notes that its actual protection of electronic information is generally sound, with some differences between ComSuper's arrangements and the prescribed and better practices outlined in the report.
48. ComSuper supports all recommendations in the Report, and commits to remedial action in those particular areas where required.
Medicare Australia
49. Medicare Australia welcomes this report and considers that implementation of the recommendations will enhance the protection and security of electronic information held by Australian Government agencies. Medicare Australia agrees with the recommendations in the report.
The Department of the Prime Minister and Cabinet
50. The Department agrees with all recommendations articulated in the report.
51. As a general comment, the protection and security of electronic information by Australian Government agencies is of increasing importance. Recent events surrounding the unauthorised release of classified US information, as well as the increasing incidents of cyber attacks are a stark reminder of the damage that poor information security can do to Australia's national interests. In that context, [PM&C] would welcome further audits of this nature in the near future.
Footnotes
[1] For the remainder of this report ‘Government’ refers to the Australian Government, unless otherwise stated.
[2] In the Government's Protective Security Policy Framework (PSPF) an ‘agency’ is defined as those agencies subject to the Financial Management and Accountability Act (FMA Act); those that are subject to the Commonwealth Authorities and Companies Act 1997 (CAC Act) and who have received a Ministerial direction to apply the general policies of the Government; and other bodies established for a public purpose under a law of the Commonwealth and other Australian Government agencies, where the body or agency has received a notice from the relevant Minister that the Framework applies to them (Source: Attorney-General's Department, Protective Security Policy Framework: Securing Government Business, v.1.1, September 2010). The ANAO has used this definition of ‘agency’ throughout this report.
[3] The Hon. Robert McClelland MP, Attorney-General, Directive on the Security of Government Business, Protective Security Policy Framework, Attorney-General's Department, June 2010.
[4] ibid.
[5] Mike Burgess, Deputy Director Cyber and Information Security, Defence Signals Directorate, Speech to the National Security Australia 2010 Conference, 26 February 2010.
[6] The Hon. Robert McClelland MP, op. cit.
[7] See Appendix 1 for the full list of the 33 mandatory PSPF requirements.
[8] Attorney-General's Department, Protective Security Policy Framework, version 1.1, September 2010, GOV-1.
[9] Protective Security Policy Framework, op. cit., GOV-2.
[10] Protective Security Policy Framework, op. cit., GOV-4, GOV-5, GOV-6, INFOSEC-2 and PHYSEC-1.
[11] Attorney-General's Department, PSPF: Transition Interpretation Advice, 2 December 2010.
[12] The ISM was previously known as the Australian Government Information and Communications Technology Security Manual, (ACSI 33), September 2007. The ISM was first released in September 2009 and updated in December 2010.
[13] The Defence Signals Directorate provides the Australian Government with: advice and assistance to federal and state authorities on matters relating to the security and integrity of information; a greater understanding of sophisticated cyber threats; and coordination of and assistance with operational responses to cyber events of national importance across Government and systems of national importance. <http://www.dsd.gov.au/aboutdsd/roleinfosec.htm> [accessed 6 January 2011].
[14] Defence Signals Directorate, Information Security Manual, December 2010, p. 1.
[15] The objective statement refers to measures to both ‘protect’ and ‘secure’ electronic information held by agencies. In this audit, ‘protect’ refers to measures to safeguard information from external threats, while ‘secure’ refers to agencies' internal mechanisms to ensure the appropriate safeguarding of information.
[16] ANAO Audit Report No.23 2005–06, IT Security Management, and ANAO Audit Report No.45 2005–06, Internet Security in Australian Government Agencies.
[17] ‘Patches' are pieces of software designed to fix problems with, or update, a computer program or its supporting data. This includes fixing security vulnerabilities and other bugs, and improving the usability or performance of the software. Patch management is the process of using a strategy and plan that details which patches should be applied to which systems, at a specified time.
[18] This includes the use of unsecured public Internet services such as ‘hotmail’ or ‘gmail’ accounts.
[19] It is noted that the ISM prescribes the minimum requirements. Individual agencies should consider their own unique circumstances, and make a determination as to whether more stringent controls are required.