IT Security Management
This audit is a part of the ANAO's protective security audit coverage. The objective of this audit was to determine whether agencies audited had developed and implemented sound IT security management principles and practices supported by an IT security control framework, in accordance with Australian Government policies and guidelines. The audit at each agency examined the framework for the effective management and control of IT security, including the management of IT operational security controls and, where applicable, was based on the Australian Government protective security and information and communications technology (ICT) security guidelines that were current at that time.
Information technology (IT) security management is an essential part of agencies' protective security environments. The management of IT security is a key responsibility of Australian Government agencies1, and is necessary to protect the confidentiality, integrity, and availability of information systems and the information they hold2. Effective IT security management requires the development and implementation of an IT security control framework 3 designed to minimise the risk of harm to acceptable levels. Given the increasing reliance on the interconnectivity of Australian Government information systems, agencies have an additional responsibility to consider how their IT security environment may impact other government agencies as well as other parties with whom they share information.
The Australian Government Protective Security Manual (PSM) establishes the framework of policies, practices and procedures designed for Australian Government agencies to use in protecting Australian Government functions and official resources from sources of harm4 that would weaken, compromise or destroy them. The PSM, which was re-issued in October 2005, identifies standards for protective security, and specifies minimum requirements for the protection of Australian Government resources.
Audit scope and objective
This audit is a part of the ANAO's protective security audit coverage. The objective of this audit was to determine whether agencies audited had developed and implemented sound IT security management principles and practices supported by an IT security control framework, in accordance with Australian Government policies and guidelines.
The audit at each agency examined the framework for the effective management and control of IT security, including the management of IT operational security controls and, where applicable, was based on the Australian Government protective security and information and communications technology (ICT) security guidelines that were current at that time.
The eight agencies selected for review were:
- Australian Agency for International Development;
- Australian Office of Financial Management;
- Bureau of Meteorology;
- Department of Education, Science and Training;
- Department of the Environment and Heritage;
- Department of Immigration and Multicultural and Indigenous Affairs; and
- Department of Transport and Regional Services.
Overall, the ANAO concluded that the audited agencies had identified relevant Australian Government policies, practices and procedures for the protection of information. However, most agencies had not implemented structured processes to ensure the effective alignment of the IT security policy objectives with organisational risk management processes and Australian Government policy, practices, and standards for the safeguarding of information resources.
The ANAO found that the majority of agencies audited had adequately identified relevant external compliance obligations, and IT personnel interviewed were aware of relevant legislation and the associated compliance requirements. However, only two agencies could demonstrate suitable processes to assess system compliance with their IT security policy and with government requirements, and processes for managing exceptions/variations.
The ANAO found that most agencies did not maintain key IT operational procedures and configuration documentation. This was particularly evident of agencies that had contracted to third-party service providers for the provision of IT and/or IT security services.
The audit identified a number of opportunities for further improvement in agencies' policies and procedures relating to IT security management practices. These included:
- improving the content and processes for developing and maintaining IT security policy alignment with organisational risk management processes;
- ensuring a regular process exists within the IT security control framework to identify gaps between an agency IT environment and Australian Government expectations. This will assist in determining whether systems are operating at an acceptable level of risk;
- ensuring policies clearly identify the physical and environmental security controls and standards for managing IT equipment;
- ensuring performance reporting of network security practices are designed to ensure that security controls are adequately addressing IT security risks; and
- ensuring standards exist and are applied for the use and monitoring of audit trails5.
The ANAO has made five recommendations based on the audit findings from the agencies reviewed. Given the need for all agencies to effectively implement and manage IT security, these recommendations are likely to have relevance to the operation and management of IT security in all Australian Government agencies.
The eight agencies examined in the audit agreed with the recommendations. In addition, the Attorney-General's Department and the Department of Defence – Defence Signals Directorate (DSD), stakeholders in Australian Government IT Security, responded positively to the audit report. DSD specifically noted that the recommendations are consistent with a fundamental requirement of the Australian Government Information and Communications Technology Security Manual (ACSI 33).
1 For the purposes of this report, the ANAO has used the definition of ‘agency' as provided by the Protective Security Manual 2005, which defines agency as including ‘all Australian Government departments, authorities, agencies or other bodies established in relation to public purpose, including departments and authorities staffed under the Public Service Act 1999.'
2 Confidentiality, integrity and availability are considered key objectives of IT security controls for protecting information.
3 An IT security control framework is the design of management processes and supporting policies and procedures, that together provide assurance that IT security management is operating effectively.
4 The PSM defines harm as being any negative consequence, such as a compromise of, damage to, or loss incurred by the Australian Government.
5 In computer security terms, an audit trail provides a chronological record of system resource usage. It is commonly referred to as logging. This includes user login, file access, other various activities, and whether any actual or attempted security violations occurred.