Financial Systems Controls Report: 2015–16

Conclusions

We are concerned that we continue to detect and report on significant numbers of deficiencies in IT controls, many in systems that have been in place for a number of years. The weaknesses we continue to observe each year unnecessarily expose the financial and associated information held by the affected entities to higher risks of unauthorised disclosure, loss or corruption.

More troubling, is that the management of the relevant entities have not effectively addressed 60 per cent of our IT audit findings from previous years.

Accountable officers and the governing bodies of these entities need to pay greater attention as to how best to mitigate their information systems risks. Applying more focused oversight on tracking management actions on our recommendations would be a good start.

Some entities need also to replace the many 'legacy' IT systems and software they still use, which their software vendors no longer support. This situation not only poses IT security and operational risks, it also adds to their maintenance costs.

Controls to mitigate targeted cyber intrusions to IT systems require significant improvement, specifically in the area of application whitelisting. Application whitelisting is a security technique in which only a limited set of approved programs are allowed to run on an entity's computer systems, while all other programs, are blocked. We observe also that entities can improve aspects of their wireless security.

Major themes

Addressing underlying risks or issues

While in-scope entities are gradually undertaking specific remediation activities in response to IT audit findings, they are not tackling the underlying risks or issues.

Sixty per cent of our findings from previous reports remain open or we raised them again. This indicates to us that entities focus on fixing symptoms to address our findings rather than diagnosing and implementing improvements to processes that address the root causes. Examples of this include:

• poor governance structures exist—entities with poor governance structures or those undergoing organisational change are less likely to track and to remediate control weaknesses
• entities ignore the risks and focus on our recommendations—the underlying risks flagged in our findings are ignored and entities only attempt to acquit themselves against our recommendations
• entities address only some components of our findings and recommendations—they focus on remediating a specific component of a finding without mitigating the overall and underlying risk
• symptoms are remediated, however no change is made to policies, procedures and processes—entities remediate the findings highlighted in our audit, but do not change their policies, procedures and processes, thereby allowing the same symptoms to recur
• processes that cover multiple IT systems are not improved—entities may only remediate the systems in-scope for our audit, rather than all IT systems.

Entities need to improve their oversight and strengthen their management's accountability to be sure that their processes for implementing all agreed management actions are effective, and to assess whether completed actions have effectively addressed the underlying risks or issues.

Managing controls at outsourced IT environments

A number of entities outsource part or all of their IT environments, but this does not absolve them from their statutory responsibility for maintaining effective controls. Indeed, it can make it harder for them to gain assurance because each entity does not have a direct line of sight over the controls operating at their outsourced service providers.

To overcome this, we observe growth in the number of public sector entities seeking comfort about the design and operation of controls at their outsourced provider's IT environments—usually in the form of a service assurance report.

Counter to this positive trend, we continue also to identify entities that do not seek or obtain any substantive assurance that the controls implemented and managed by their outsourced providers are operating effectively. In a number of instances, this is not presently available to them contractually, because there is no provision in their contracts with providers to enable other third parties, such as auditors, to assess those controls.

This 'black box' approach to outsourced IT environments contravenes the intent of the Financial Management Act 1994 and the Standing Directions of the Minister for Finance, which require an entity's management to maintain an effective internal control environment.

End-of-life legacy IT systems

This year we reported 31 matters to the management of 42 per cent of our in-scope entities that related to their IT systems passing their 'end-of-life'.

Entities may continue to use IT systems and applications after vendor support ceases. This applies, for example, to older versions of software. This can increase the cost of maintenance and support of critical business systems, as they typically also become unstable and less reliable.

Even with vendor support, systems that are approaching end-of-life typically are more vulnerable to attack by exploiting their security weaknesses.

The majority of our end-of-life findings related to key financial systems. Maintaining these systems past their end-of-life systems typically comes at a significant cost, but also means that to upgrade or move to a new system entities will generally incur higher costs and take longer, than if they had upgraded earlier.

Recommendations

We recommend that the Department of Premier & Cabinet monitor and report to the Victorian Secretaries' Board on the status of:

1. risks resulting from IT obsolescence in departments and public service agencies (see Section 2.4.7)
2. the implementation of disaster recovery frameworks and plans by shared services boards, which should:

• prioritise IT systems recovery in the event of a disaster affecting several departments and agencies
• cover financial and non-financial systems

(see Section 2.4.6).

We recommend that the governing bodies and management of public sector entities, where necessary:

3. strengthen their monitoring of controls at outsourced service providers by:

• including a right of access and audit in their contracts with outsourced providers
• obtaining positive assurance reports for their outsourced IT environments
• assessing exceptions raised in assurance reports to identify where compensating controls are needed in their own control environment

(see Section 2.4.7)

4. for systems approaching, or past end-of-life:

• conduct a risk assessment over the entity's security exposure and take steps to mitigate those immediate risks
• formulate plans to upgrade or migrate to fully supported solutions

(see Section 2.4.7)

5. strengthen their governance and monitoring mechanisms by:

• identifying and addressing the root causes of IT audit findings
• tracking recommendations post-implementation to establish that sustainable improvements have been made to processes that will prevent future recurrence

(see Sections 2.3.2)

6. align their IT control frameworks with relevant Victorian Government IT security standards, including the Victorian Protective Data Security Standards (see Sections 2.4.2, 3.3, 4.3).

7. require that their shared service providers implement frameworks for disaster recovery that prioritise the recovery of IT systems in the event of a disaster affecting a number of departments and agencies, covering both financial and non-financial systems (see Section 2.4.6)

8. undertake a gap analysis against the Australian Signals Directorate (ASD) Top 4 Strategies, to identify areas of significant risk and implement appropriate controls to mitigate these risks (see Section 4.3).

Responses to recommendations

We consulted the Department of Premier & Cabinet and the members of the Chief Information Officers Leadership Group while preparing this report and we have considered their views when forming our findings and drawing our audit conclusions.

As required by section 16(3) of the Audit Act 1994, we provided a copy of this report, or relevant extracts, to the Department of Premier & Cabinet, portfolio departments, the Commissioner for Privacy and Data Protection, and CenITex, and requested their submissions or comments.

We received responses from all these agencies. Four agencies provided responses for inclusion in this report, summarised below.

The Department of Premier & Cabinet plans to address its specific recommendations by working with selected public service entities and relevant shared services boards to better understand the status of government's major systems and the mechanisms for prioritising systems recovery in the event of a disaster.

The Department of Treasury & Finance supports the findings in the report, and the Department of Environment, Land, Water & Planning accepts the recommendations. The Commissioner for Privacy and Data Protection states that it will continue to invest in education and training activities around the Victorian Protective Data Security Framework.

Full responses from these four agencies are included in Appendix A.

1.1 Internal control framework

Our annual financial audits enable us to form an opinion on an entity's financial report. Evaluating the strengths of an entity's internal control framework and governance processes as they relate to its financial reporting is an integral part of this process, as well as a requirement of Australian Auditing Standard Identifying and Assessing the Risk of Material Misstatement through Understanding the Entity and Its Environment (ASA 315).

Internal controls are systems, policies and procedures that help an entity to reliably and cost-effectively meet its objectives, and minimise risk and fraud. Figure 1A depicts the components of an internal control framework.

Figure 1A

Components of an internal control framework

Source: VAGO using the COSO Framework.

The control environment provides the fundamental discipline and structure for controls and includes governance and management functions as well as the attitudes, awareness and actions of those charged with governance and management of an entity.

Risk management involves identifying, analysing, mitigating and controlling risks.

Monitoring of controls involves observing the internal controls in practice and assessing their effectiveness.

Control activities are the policies, procedures and practices designed by management to help meet an entity's objectives, one of which is reliable financial reporting.

Information and communication involves communicating control responsibilities throughout the entity and providing information in a form and time frame that allows staff to discharge their responsibility.

While we consider internal controls that are relevant to financial reporting, we are not required to provide an opinion on their effectiveness, nor do we. The audit opinion we issue is on the financial statements. The ultimate responsibility for the effective operation of the internal controls at all times remains with the entity's management.

We communicate all significant internal deficiencies in controls we identify during an audit to the entity's governing body and its management so that they can take steps to rectify them. Such deficiencies or weaknesses may not result in a qualified audit opinion, as an entity will often have compensating controls in place that mitigate the risk of a material error or misstatement in the financial report.

However, for entities that use highly automated IT systems to initiate and process financial transactions, the IT system is the sole repository of the record of transactions. A significant internal control weakness in the IT system may require us to qualify the entity's financial statements if it prevents us from obtaining sufficient evidence about the accuracy, completeness and reliability of the financial information being reported.

1.1.1 IT systems and controls

An IT system is a collection of computer hardware and programs that work together to support business or operational processes. IT systems are generally made up of three components:

• operating system—core programs that run on the IT hardware that enable other programs to work, such as Microsoft Windows, Unix and IBM OS/400
• databases—programs that organise and store data, such as Oracle database and Microsoft SQL Server
• applications—programs that deliver operational or business requirements. The various types of IT applications are described in Appendix B.

These components are supported by an entity's network infrastructure. Figure 1B shows the typical scope of an IT general controls audit.

Figure 1B

Typical scope for an IT general controls audit

Source: VAGO.

IT general controls are the policies, procedures and activities put in place by an entity to ensure the confidentiality, integrity and availability of its IT systems and data. An example of an IT general control is, whether access requests to IT systems are properly reviewed and authorised by management. The objective of this control is to ensure that only authorised users have access to the entity's IT systems.

Ineffective IT general controls may affect the reliability and integrity of the system's underlying financial data and programs, and may affect our ability to rely on underlying business and process controls.

We write to the accountable officer and, where relevant, the chair of the governing body of each entity about any weaknesses we identify during an IT audit. We seek management's comments on remediation plans and time frames for addressing any audit observations or recommendations.

In February 2016, we published a better practice guide, Information and Communications Technology Controls Guide, to help organisations identify areas for improvement in their information and communications technology controls. This guide complements the standards and guidelines which Victorian public sector organisations must comply with.

Several major changes within the public sector in relation to IT have the potential to strengthen IT control frameworks, and as such we will incorporate them into our considerations in future audits:

• Information Technology Strategy for the Victorian Government 2016–2020
• Victorian Protective Data Security Standards (VPDSS)
• establishment of the Office of the Victorian Information Commissioner
• changes to the Standing Directions of the Minister for Finance.

These are summarised in Appendix F.

1.2 Status of our 2014–15 recommendations

In our Financial Systems Controls Report: Information Technology 2014–15, we made recommendations directed specifically to the Commissioner for Privacy and Data Protection (CPDP) and the Department of Premier & Cabinet (DPC), along with general recommendations to public sector entities' governing bodies and management.

In our 2015 report we recommended that:

• CPDP provide education and training to relevant entities on the requirements of the VPDSS—once issued
• DPC monitor and report on the status of risks of IT obsolescence at departments and public service agencies
• DPC monitor and report on the status of the implementation of disaster recovery frameworks and plans by shared services boards.

The CPDP has acted to address our recommendations and, following the release of the Victorian Protective Data Security Framework and VPDSS in June and July 2016, has released information and publications—including security guides and an awareness video on their website.

To date, DPC has made limited progress addressing the recommendations on software obsolescence and disaster recovery planning.

To address the risk of software obsolescence, DPC has produced Statements of Direction, approved by the Victorian Secretaries' Board in August 2016, to provide high-level requirements for a consistent shared platform across government departments and agencies.

DPC also plans to assess whether departments are engaged in the development and ongoing review of their disaster recovery plans and—in the case of shared services—that their providers are conducting and communicating the planning and recovery time frames on behalf of their customers.

Departments' shared service providers should use the findings of this review to discuss ways of achieving a match between expectations and reality in systems recovery times in the event of a disaster.

1.3 Audit conduct

The financial audits of the 52 entities included in this report were undertaken under section 15 of the Audit Act 1994 and Australian Auditing Standards. The cost of these audits is paid for by each entity. The results of these audits were used in preparing this report. The cost of preparing this report was $267 000, which is funded by Parliament.

In accordance with section 20(3) of the Audit Act 1994, we express no adverse comment or opinion about anyone we name in this report.

1.4 Report structure

The remainder of this report is structured as follows:

• Part 2 provides a summary of the IT audit findings noted as part of the 2015–16 audits (including December 2015 year end audits) and an IT general controls maturity assessment.
• Part 3 examines the wireless security focus area.
• Part 4 examines the Australian Signals Directorate 'Top 4 Strategies to Mitigate Targeted Cyber Intrusions' focus area.

2.1 Conclusion

Overall, we assessed that entities were able to rely on their IT control environments to produce reliable financial reports, because they had satisfactory mitigations in place, such as compensating management controls, to manage risk.

Nevertheless we continue to identify a significant number of IT control deficiencies, most of which we rated as medium- and high-risk issues. The number of high-risk findings decreased only slightly to 34 per cent of the total findings in 2015–16, compared to 37 per cent last year. This is too many. Three audit findings we rated as extreme risk, to reflect their importance to the entities' control environments.

2.2 Summary audit results

For the 52 selected entities for the 2015–16 financial year, 458 new and previously identified IT audit findings were reported, commensurate with the 462 IT audit findings from 2014–15.

As shown in Figure 2A, of these audit findings:

• 103 are common as a result of IT environments being shared across entities
• 59 arose from outsourced IT service assurance reports, which are discussed as a theme in Section 2.4.7 of this report
• 296 stand alone, in that they are neither shared across entities nor identified from outsourced IT service assurance reports.

Figure 2A

Total new and prior-year audit findings not addressed

Source: VAGO.

2.3 Analysis by risk rating and category

2.3.1 Introduction

We assign our IT audit findings a risk rating. The rating reflects our assessment of both the likelihood and consequence of each identified issue, and helps management to prioritise remedial action.

Audit findings are rated either as extreme, high, medium or low risk—further details are found in Appendix D.

In this report we also group like findings into the following logical categories:

• user access management
• authentication controls
• audit logging and monitoring of the IT environment
• IT change management
• patch management
• backup management, business continuity and IT disaster recovery planning
• other IT general controls.

Risk rating

Figure 2B analyses new and open prior-year findings by risk rating. It shows:

• Consistent with prior years, most audit findings were rated as medium risk.
• We identified three extreme-risk-rated audit findings during 2015–16, an increase on the one identified in 2014–15, and 2013–14 when no extreme‑risk‑rated audit findings were raised.
• The total number of high- and medium-risk findings has decreased slightly.

Figure 2B

Findings by risk rating—new and prior-year audit findings not addressed

Source: VAGO.

Category

Figure 2C highlights the number of IT audit findings in each IT general controls category.

Figure 2C Findings by IT general controls category

Source: VAGO.

Our analysis of audit findings by category in 2015–16 showed that:

• Consistent with the prior year, our findings mostly relate to the categories of User access management and Authentication controls.
• There is a significant increase in audit findings assigned to the 'Other' category (refer to Section 2.4.7), which is mainly due to our focus areas being wireless security and the Australian Signals Directorate 'Top 4 Strategies to Mitigate Targeted Cyber Intrusions' (ASD Top 4 Strategies)—as discussed in Parts 3 and 4 of this report—and open IT audit findings being carried over from the prior-year focus areas, which were identity and access management and software licensing.

The categories of User access management, Authentication controls and Other account for 68 per cent of all reported findings in 2015–16.

Category and risk rating

Figure 2D shows the distribution of risk ratings within each category.

Figure 2D

Audit findings by risk ratings

Source: VAGO.

Of the three extreme risk-rated audit findings we identified, two related to Authentication controls and one to User access management.

Our high-risk findings related to:

• password controls that do not comply with leading practices or government IT standards
• excessive numbers of users having administrator access to systems
• financial systems that are either past or approaching their end-of-life and may not be supported by the vendor.

2.3.2 Remediation of prior-period IT audit findings

We monitor past audit findings and the status of management's remedial actions.

Figure 2E demonstrates that although entities are generally undertaking remediation activities in response to our IT audit findings, they are not sufficiently and effectively addressing the underlying risks or issues.

In total, 60 per cent of our 462 prior-year findings remain open (25 per cent) or we have closed and re-raised them (35 per cent) as the underlying issues still exist.

Figure 2E

Status of prior-year audit findings

Source: VAGO.

Figure 2F shows the disposition of past findings that we closed because of:

• Satisfactory remediation—management has acted on the recommendation and we have not noted similar findings in 2015–16. These findings account for 48percent of the closed audit findings.
• Re-raised as a new finding—we identified a similar finding in 2015–16, which demonstrated that management are not sufficiently and effectively addressing the underlying risk or issue. Prior-year IT audit findings may be closed and re-raised:
  • when the specific details of the current finding substantially vary from the prior-year finding, although the root causes are the same
  • to consolidate multiple similar findings under a single finding
  • when only some components of the prior-year finding have been addressed and other components remain open
  • when a similar finding to the prior-year finding has been raised in a service assurance report received by the entity.

These findings account for 47 per cent of the closed audit findings.

• Finding no longer relevant—as a result of changes in an entity's organisational structure or IT environment, prior-period audit findings may no longer be relevant or require any further remediation. For example, an IT system may have been decommissioned during the financial year and therefore all findings related to this system are no longer relevant. These findings account for 3 per cent of the closed audit findings.
• Management accepts the risk—management has decided not to remediate the control weakness identified, and accepts the risk and underlying exposure associated with the finding. These findings account for 2 per cent of the closed audit findings.

Figure 2F

Insights on closed audit findings

Source: VAGO.

Addressing the underlying risks or issues

Entities are not adequately addressing the audit findings through remediation activities. Remediation activities undertaken are fixing the symptoms with the aim of addressing our findings, but sustainable process improvements and controls within those processes have not been made, which would address the underlying risks and issues. This commonly results in similar findings being identified in future years.

Figure 2G illustrates an audit finding that has not been adequately remediated.

Figure 2G

Case study: User access management finding not adequately remediated

Source: VAGO.

Accountable officers and governing bodies (including audit committees) need to apply more focused attention and oversight to address our IT audit findings from previous years and make sustainable improvements to processes to address the underlying risks and issues, thereby preventing future recurrence.

The Standing Directions of the Minister for Finance 2003 (Standing Directions) set out the core requirements, responsibilities and functions of audit committees. One of the key requirements of the Standing Directions is that audit committees oversee risk management, the internal audit function and the implementation of management actions in response to internal and external audit recommendations.

As reported in our August 2016 audit report Audit Committee Governance, tabled on 31 August 2016, members consistently highlighted that their role in monitoring these actions—particularly the high number of outstanding and overdue actions—is one of their greatest challenges, and takes up a significant amount of their time. As a result, they are working to reduce the number of outstanding and overdue actions.

However, only one of the audit committees we examined has a follow-up process in place for assessing whether completed management actions have effectively mitigated the risks and issues they are meant to address. This audit committee's 2016 follow-up review found that management actions are inconsistently implemented across divisions and business units, and that there is no clear consideration of the original audit finding or of risk mitigation. This reinforces the value of such follow-up reviews and indicates that agencies still have work to do to improve the effective implementation of audit actions across the organisation.

Audit committees need to establish effective processes for monitoring the implementation by management of agreed actions and adopt a risk-based approach for assessing whether completed management actions have effectively addressed the underlying risks or issues.

2.4 Findings by control category

2.4.1 User access management

Introduction

User access management relates to the process of managing access to applications and data, including how access is approved, revoked and periodically reviewed to ensure it is aligned with staff roles and responsibilities. User access management's primary objective is to maintain the confidentiality and integrity of IT systems and data.

This category also involves a review of the appropriateness of 'super users', who have wide-ranging authorisation within applications and systems, including the ability to create other users.

Weaknesses in user access management controls may result in inappropriate and excessive system and data access, which could affect the completeness and accuracy of transactions.

Audit findings

A total of 105 user access management findings were reported in 2015–16, representing 23 per cent of total findings and 31 per cent of high-risk audit findings, down from the 137 findings in 2014–15, making this category the highest percentage of high-risk findings. One audit finding was rated as extreme risk.

The extreme risk was raised mainly due to the high and excessive number of accounts—including shared user accounts—with privileged access to the finance system and network. In conjunction with multiple other IT audit findings relating to user access management, urgent remediation is required to prevent inappropriate access to systems and data.

Figure 2H shows an even distribution of audit findings across the IT environment—network, application, database and operating system—which suggest that user access management findings are systemic in nature and that improvements are required at all levels.

Figure 2H

User access management audit findings

Source: VAGO.

The distribution of 2015–16 results is generally consistent with last year's results. User account administration findings account for around 61 per cent of the control weaknesses, which is a reduction from 80 per cent in the prior year. User account administration typically covers matters such as:

• absence of appropriate approval prior to access being granted
• user's system access not being removed following their termination
• management not conducting reviews to ensure system access rights are aligned to users' roles and responsibilities.

Restricted privileged access is one of the ASD Top 4 Strategies, which have been assessed to be the most effective security controls an organisation can implement to mitigate against 85 per cent of targeted cyber intrusions. The ASD Top 4 Strategies is a focus area for 2015–16 and is included in Part 4 of this report.

2.4.2 Authentication controls

Introduction

Authentication controls assist in determining whether a user attempting to access a system is who they claim to be.

Authentication is commonly performed through the use of passwords, and through the use of two-factor authentication in more tightly managed environments. Two-factor authentication includes something the user knows—i.e. a password—and something the user has—i.e. a security token.

Weaknesses in authentication controls may increase the risk of breaches in the confidentiality, integrity and availability of systems and data.

Audit findings

Authentication controls weaknesses accounted for 63 audit findings, which is 14 per cent of the total—up from 56 findings in 2014–15. They accounted for 23 per cent of high-risk audit findings, and two findings were rated as extreme risk.

The extreme risks were raised due to passwords implemented within systems not being aligned with policies, the high and excessive number of accounts not being subject to password controls across the finance systems and networks, and default passwords not being changed on a periodic basis or at all. Urgent remediation is required to prevent inappropriate access to these systems and data.

As shown in Figure 2I, authentication control audit findings are reasonably evenly spread across policy and procedures weaknesses and password control weaknesses across the IT environment: the network, application layer, database and operating system.

Figure 2I

Authentication controls audit findings

Source: VAGO.

In November 2013, new IT security standards were published by the former Department of State Development, Business and Innovation to take effect from 1 January 2014. One of the published standards—the Victorian Government's Identity and Access Management (IDAM) Standard 03 Strength of Authentication Mechanism v1.0—provided specific guidance on password controls and aligns the overall Victorian IT control framework with the applicable Commonwealth standards and better practices, such as the Australian Government Information Security Manual. At time of the 2015–16 financial audits, this standard was only mandatory for members of the Victorian Secretaries' Board, which is made up of the seven departments and Victoria Police.

Following the release of the Victorian Protective Data Security Standards (VPDSS) in July 2016 by the Commissioner for Privacy and Data Protection, the Victorian Government's IDAM Standard 03 Strength of Authentication Mechanism v1.0 was withdrawn.

However, the new VPDSS Standard 17 Information Communications Technology (ICT) Lifecycle states 'an organisation should align its ICT security controls with the [Australian Government] Information Security Manual published by the Australian Signals Directorate (ASD)'. Therefore, there is no change to the whole-of-government password requirements from July 2016 onwards.

2.4.3 Audit logging and monitoring of the IT environment

Introduction

Audit logging and monitoring of the IT environment involves the recording and analysing of system and user activities in order to detect and mitigate unusual events within financial systems.

Weaknesses in audit logging and monitoring of the IT environment may lead to an increased risk that inappropriate or unauthorised activities could go undetected by management. Where inappropriate activities have occurred, management may not be able to trace the origins of the event due to incomplete or missing audit trails.

Audit findings

Audit logging and monitoring of the IT environment control weaknesses accounted for 31 audit findings, which is 7 per cent of all findings—down from 34 findings in 2014–15. There was one high-risk audit finding, and most findings were rated medium risk.

Figure 2J

Audit logging and monitoring audit findings

Source: VAGO.

As shown in Figure 2J, most audit logging and monitoring audit findings relate to the IT infrastructure levels of database and operating system, with application and network logging and monitoring generally being stronger.

2.4.4 IT change management

Introduction

The objective of IT change management is to ensure that changes to an IT environment are appropriate and preserve the integrity of underlying programs and data.

Weaknesses in IT change management may lead to unauthorised changes being made to systems and programs. This could adversely impact the integrity of the data of underlying financial systems.

Audit findings

IT change management control weaknesses accounted for 38 audit findings, which is 8 per cent of the total findings—down from 55 findings in 2014–15.

Figure 2K

IT change management audit findings

Source: VAGO.

Figure 2K shows a reasonably even distribution of audit findings across the following control activities:

• policies and procedures—change management policy and procedures drive operational processes
• segregation of duties—change management staff have access to both production and non-production environments, such as development and test environments, increasing the risk that staff may both develop changes and implement them without independent oversight
• acceptance testing—levels of testing performed as part of the change process are inadequate
• retention of evidence—insufficient documentation is retained to demonstrate that key controls are being performed.

2.4.5 Patch management

Introduction

A patch is an additional piece of software released by vendors to fix security vulnerabilities or operational issues. Periodic patching aims to reduce the risk of security vulnerabilities in systems and enhance the overall security profile of the IT infrastructure.

When patches are not applied regularly, known security vulnerabilities remain. This may result in unauthorised access to systems and data, and increases the risk of financial, operational and reputational loss.

Audit findings

Patch management control weaknesses accounted for 32 audit findings, which is 7 per cent of the total findings—the same number of findings as in 2014–15. These findings account for 7 per cent of our high-risk audit findings.

Figure 2L

Patch management audit findings

Source: VAGO.

Figure 2L shows most patch management findings related to database and operating system patching, with an even distribution across the remaining control activities.

Although we have seen improvements in 2015–16, the number of findings in this area has remained the same as in the prior year, due to:

• some entities doing little to improve patch management processes
• new entities or systems being subjected to IT audits.

Patching of applications and operating systems are two of the ASD Top 4 Strategies, which have been assessed to be the most effective security controls an organisation can implement to mitigate against 85 per cent of targeted cyber intrusions. The ASD Top 4 Strategies is a focus area for 2015–16 and is included in Part 4 of this report.

2.4.6 Backup management, business continuity and IT disaster recovery planning

Introduction

Backup management, business continuity and IT disaster recovery planning involves the identification of the entity's business continuity requirements and data backup needs.

A business continuity plan details the response strategy of an organisation in order to continue operations and minimise the impact in the event of a disaster. An IT disaster recovery plan is a documented process to assist in the recovery of an organisation's IT infrastructure in the event of a disaster.

Weaknesses in backup management, business continuity and IT disaster recovery planning may adversely impact the ability of an organisation to recover its critical systems and transactions in a complete and timely manner.

Audit findings

Collectively, backup management, business continuity and IT disaster recovery planning accounted for 46 audit findings, which is 10 per cent of the total findings—up from the 36 findings in 2014–15. Weaknesses in this category represent 4 per cent of our high-risk findings.

Figure 2M

Backup management, business continuity and IT disaster recovery audit findings

Source: VAGO.

Consistent with the prior-year results, Figure 2M shows the absence of or limitations in disaster recovery planning, accounting for 55 per cent of our findings, compared to 58 per cent in 2014–15. Fewer backup management findings are raised, indicating this is better managed by entities, and this can act as a compensating control.

Disaster recovery planning was highlighted as a theme in the ICT Controls Report 2013–14 and, although we have not reported it as a key theme in the prior year or this report, it is disappointing this has not been addressed. There continues to be no requirement or oversight to ensure IT service providers that support multiple government entities or systems create prioritisation frameworks and plans for the recovery of financial and non-financial systems in the event of a disaster. This is of particular concern as there may be resource challenges and differing views on priorities if such an event were to occur.

If departments and agencies, and their IT service providers, are unable to react and respond appropriately, services to the community could be interrupted, resulting in reputational damage to the state and the entities involved.

Our Financial Systems Controls Report: Information Technology 2014–15 recommended that the Department of Premier & Cabinet (DPC) monitor and report on the status of the implementation of disaster recovery frameworks and plans by shared services boards. Limited progress has been made by DPC to address recommendations relating to disaster recovery planning.

2.4.7 Other IT general controls

All the remaining IT audit findings have been included in the category 'other'. These findings include:

• IT systems at their end-of-life—cases where the system vendor has, or is intending to stop or limit support for its product in the near future
• controls at outsourced IT environments—the assurance that third-party service providers are designing and operating appropriate controls over outsourced financial systems
• software licensing—controls implemented to manage the purchasing and deployment of software and ongoing compliance throughout its use
• governance—entity-level controls including overarching frameworks, policies and standards
• physical and environmental controls—physical access to the IT infrastructure and environment controls, such as appropriate temperature and humidity controls, and continuity of power supply
• malware protection—protection of network and computer systems from malicious software designed to cause disruption or damage to systems, including application whitelisting findings resulting from our assessment of ASD Top 4 Strategies compliance as part of the 2015–16 focus areas
• identity and access management—the provision to users of an appropriate level of access to data and information, and reduction of inappropriate access
• security and architecture—vulnerabilities or limitations in the organisation's network security configuration or management framework, including wireless network security findings resulting from our assessment as part of the 2015–16 focus areas
• penetration testing—the process and outcomes of a technical evaluation of the internal and external vulnerabilities of IT systems.

Audit findings

Collectively, 'other' control weaknesses accounted for 143 audit findings, which is 31 per cent of the total number of findings and represents 31 per cent of high-risk findings—up from the 112 findings in 2014–15. The increase in audit findings from 2014–15 is mainly attributable to our focus areas—wireless security, included within the 'Security and architecture' category and the ASD Top 4 Strategies, included within the 'Malware protection' category due to the number of application whitelisting findings, as discussed in Parts 3 and 4 of this report.

Figure 2N

'Other' IT general controls audit findings

Source: VAGO.

Notably, audit findings relating to controls at outsourced IT environments and system end-of-life continue to dominate our attention and therefore have been expanded upon below. Eighty per cent of the high-risk findings in this category relate to these two audit findings.

Management of controls at outsourced IT environments

When a public sector entity relies on an outsourced provider or cloud service providers to operate and maintain their IT environment, management needs to obtain assurance that the controls implemented and managed by the outsourced provider are operating effectively. Typically, cloud service providers provide their services to the organisation—in the form of software, infrastructure and platform—over the internet. By using an outsourced IT arrangement, the entity's management does not forgo its duty to ensure that controls are adequate and that the entity's data and information is protected.

The effectiveness of controls at these outsourced IT environments is typically reported to a public sector entity through a service assurance report such as Assurance Reports on Controls at a Service Organisation (ASAE 3402) or Assurance Engagements on Controls (ASAE 3150)—the ASAE 3150 standard replaces the existing Special Purpose Reports on the Effectiveness of Control Procedures report (AUS 810). Public sector entities need to request that the outsourced IT provider engage an auditor to perform this work and report back to them.

As in prior years, we noted a continued upward trend in the number of service assurance reports being obtained by public sector entities. Public sector entities rely on these reports to attest to the overall strength of the external provider's control environment and we generally also rely upon these for our financial audits.

In 2015–16, we were provided with 21 assurance reports for the IT general controls at outsourced IT environments. This compares to 13 in 2014–15, 10 in 2013–14, four in 2012–13 and one in 2011–12. This trend is shown in Figure 2O.

Figure 2O

Number of assurance reports received

Note: When multiple service assurance reports are prepared for a shared service IT provider, this is counted as one report.

Source: VAGO.

Despite this increase in the number of assurance reports, we continue to find entities who do not receive any assurance that the controls implemented and managed by their outsourced providers are operating effectively. In a number of instances this is a direct result of the entity and the vendor not including a section in the contract enabling third parties to assess the controls of outsourced IT environments.

With the release of the Information Technology Strategy for the Victorian Government 2016–2020 and underlying 'statements of direction' concerning moving services to shared or cloud services, it is critical for entities to consider the 'right to audit' during contract negotiations and where relevant, obtain a service assurance report. With these considerations being made upfront, entities will be able to gain comfort about the overall strength of the external providers' controls environment.

Potential cost savings can be achieved through exploring joint service assurance arrangements when multiple government entities use shared cloud platforms from the same providers.

The Financial Management Act 1994 and the Standing Directions of the Minister for Finance require an entity's management to maintain an effective internal control environment.

The revised Standing Directions of the Minister for Finance 2016 now include mandatory instructions for managing shared services and outsourcing arrangements. They state that 'the Accountable Officer must ensure that the Agency's shared services and outsourcing arrangements, related to financial management, are effectively managed by ensuring the following:

• prior to sharing or outsourcing functions either in full or part, the costs and benefits are analysed and the decision is approved by the Responsible Body
• the services to be provided are detailed in a contract, service level agreement or equivalent, together with performance indicators and measures
• performance is regularly monitored and reviewed, including a review (at least annually) by the Accountable Officer or delegate, with the results of the review reported to the Responsible Body
• appropriate assurance is obtained, and the level of assurance is documented, annually
• the arrangements are subject to internal and external audit scrutiny.'

By complying with these Standing Directions requirements, agencies will improve their oversight and governance of outsourced IT services and their providers.

End-of-life IT systems

Public sector entities must ensure that their IT systems have appropriate vendor support. 'End-of-life' generally describes a piece of IT software or application that a vendor intends to stop marketing or supporting. For example, the extended support for a 2003 server ended in July 2015. Vendors typically notify their customers in advance when such support arrangements will cease, to enable a smooth transition to current software.

Since 2011–12, as part of our audits, we have reported to in-scope entities which of their financial systems are either approaching end-of-life or are past their end-of-life. We inform the entities of the risks posed by continuing to use these applications, such as new security weaknesses not being fixed by the vendor. Due to the length of time required to implement large-scale IT systems, our approach has always been to flag these issues early and to encourage management awareness and proactive remediation activities.

The limited progress entities have made in upgrading end-of-life systems since we first began flagging this issue over four years ago is of particular concern. In 2015–16 we reported 31 audit findings relating to IT systems past their end-of-life at 42 per cent of our in-scope entities. The majority of the end-of-life audit findings raised related to key financial systems.

Findings also related to infrastructure supporting systems, as well as software on users' desktop computers, although we have noted an overall improvement in entities upgrading their desktop software.

Our Financial Systems Controls Report: Information Technology 2014–15 recommended DPC monitor and report the status of risks of IT obsolescence at departments and public service agencies. DPC has made limited progress to address recommendations on software obsolescence.

As a result of the November 2014 change of government and subsequent January 2015 machinery-of-government changes, a project to review and implement a whole-of-government enterprise resource planning (ERP) system was suspended. Many entities were awaiting the release of the Information Technology Strategy for the Victorian Government 2016–2020 (discussed in Appendix F of this report) to provide guidance on the direction entities should take regarding their ERP systems. This strategy is outlined in the 'statements of direction' and details a 'Share, Cloud, Buy, Build' approach to ICT investment.

Due to the high costs involved in upgrading or implementing to new ERP systems, entities are likely to use this measured approach by having a pilot department or agency trial the strategy. As an interim measure, a number of public sector entities have entered into customised contractual arrangements with vendors for the support of obsolete IT software. These arrangements typically come at a significant cost, and some vendors increase the cost over time as the use of the program declines globally. Figure 2P details a case study demonstrating the impact of end-of-life issues on a public sector entity.

Figure 2P

Case study: End-of-life exposure

2.5 Maturity assessment

One of the objectives of this report is to use the results of our IT audits to assess the maturity of in-scope entities' controls. Maturity models allow us to assess how well developed and capable the established IT general controls are, and measure this against an objective baseline.

2.5.1 How did we assess maturity?

Our assessment of entities' IT maturity is based on the audit findings by IT general controls category and by risk rating. When an entity relies on external agencies or outsourced parties to manage elements of its IT operations, we have incorporated these in order to present a holistic maturity assessment of the entire environment.

To assess the maturity of IT controls at the audited entities, we adopted the maturity definitions and scores from the Capability Maturity Model Integration, tailored to our specific circumstances. The outcomes of the IT control maturity assessment was communicated to senior management of in-scope entities during the 2015–16 audits.

Figure 2Q

Maturity level definitions

Source: VAGO.

When determining the level of desired IT control maturity, we expect entities to strike an appropriate balance between managing risks and the level of controls required. A desired maturity score of 5—an optimised process—may not be cost effective. Over time, an entity's improvements to processes should bring the maturity of controls to the desired level.

If no audit findings were noted as part of our audit, we would generally score an entity's IT general controls category as having a maturity score of 4. This represents the maturity level we believe public sector entities should be aiming for.

2.5.2 Maturity assessment results

Overall IT controls maturity assessment by category

Figure 2R shows our maturity assessment scores by IT general controls category for the selected 38 entities. The overall maturity assessment score is derived by averaging the aggregated maturity scores of the entities, as listed in Appendix C.

Figure 2R

Overall IT controls maturity assessment for audited entities

Source: VAGO.

The overall IT maturity scores for 2015–16 show some improvement from the prior year across most of the IT general controls categories, with the exception of Authentication and Patch management controls, which show minor deterioration.

The category with the most improvement is Backup management, business continuity and IT disaster recovery planning—the 2015–16 whole-of-government average maturity score is 3.0, compared to 2.6 in 2014–15.

Three categories had low maturity scores, around level 2, meaning controls across IT systems may be inconsistent, despite some sustainable and repeatable practices and procedures.

IT controls maturity scores by sector are included within Appendix E.

3.1 Conclusion

Wireless security is generally well controlled, however, opportunities exist to improve wireless security policies and monitoring.

3.2 Findings

Figure 3A summarises the results of our analysis of wireless security at the 43 surveyed entities.

Figure 3A

Wireless security focus area results

Source: VAGO.

Wireless security policies and procedures

Over half of the 43 entities have fit-for-purpose wireless network security policies or procedures. Thirteen do not have any policies or procedures covering wireless network security. The remaining entities need to update their policies and procedures, include absent controls and ensure alignment to the ISM.

Risk assessment and design of wireless networks

The design of wireless network security controls is driven by a number of considerations, usually a combination of better practice guidance and internal risk assessments.

Fourteen of the 43 entities have completed a risk assessment, classified the information which could be communicated over the wireless network and are effectively managing their wireless network. The remaining entities have completed some elements or have not completed them at all.

Just under half of the 43 entities did not have a risk assessment available over their wireless network and 16 entities have not classified the information that can be communicated over the wireless network.

Authentication methods and controls

The majority of the 43 entities are using appropriate authentication controls in alignment with the ISM. However, two entities are using shared passwords to authenticate access to the wireless network and are using authentication methods that do not comply with the ISM.

Encryption

Most of the 43 entities are using approved cryptographic algorithms to maintain the confidentiality of information communicated over the network in alignment with the ISM. However, there are two entities using encryption methods that do not comply with the ISM.

Ongoing monitoring

Forty-two per cent of the entities have processes in place to regularly:

• review their wireless network security framework, policy and standards at periodic intervals
• monitor their wireless network for compliance with its framework, policy and standards, including monitoring security incidents and events on the network.

Eighteen of the 43 entities do not review their wireless security framework, policy and standards at regular intervals and four entities do not perform regular monitoring of the wireless network to confirm compliance.

3.3 Sector analysis

Departments and central agencies

Figure 3B summarises our assessment at nine departments and central agencies.

Figure 3B

Wireless security in departments and central agencies

Source: VAGO.

Wireless security controls in these entities are mostly established but underlying policies and processes still need improvement.

Six of the nine entities have ongoing monitoring controls that require improvement. This is largely due to a shared service arrangement with a common IT service provider. Improvements to this shared service provider's controls would have a positive impact across all of these entities.

One entity has established controls and mature processes across all wireless security sub-areas, while another entity in this sector does not have a wireless network.

Two entities are missing key controls and systematic processes across specific wireless security sub-areas.

Environment and water

Figure 3C summarises our assessment at seven environment and water entities.

Figure 3C

Wireless security in the environment and water sector

Source: VAGO.

Consistent with the maturity assessment in Appendix E of this report, environment and water entities perform well when compared to other sectors. Most wireless security sub-areas are assessed as having no or minimal gaps.

Areas requiring the most improvement in this sector relate to performance of a risk assessment of the wireless network and classification of the information that can be communicated over the wireless network.

Three entities had established controls and mature processes across all wireless security sub-areas.

One entity is missing key controls and systematic processes across the wireless security sub-area of Risk assessment and design.

Health and human services

Figure 3D summarises our assessment at seven health and human services entities.

Figure 3D

Wireless security in the health and human services sector

Source: VAGO.

Wireless security controls within the health and human services sector are generally established but underlying policies, performance of a risk assessment of the wireless network and ongoing monitoring processes require improvement across multiple entities.

Two entities have established controls and mature processes across all wireless security sub-areas.

One entity is missing key controls and systematic processes across specific wireless security sub-areas.

Justice

Figure 3E summarises our assessment at six justice entities.

Figure 3E

Wireless security in the justice sector

Source: VAGO.

Consistent with the maturity assessment in Appendix E of this report, justice entities perform relatively poorly when compared to other sectors.

Areas requiring the most improvement in this sector relate to policies and their alignment with the ISM, performance of a risk assessment of the wireless network and ensuring that authentication and encryption methods are aligned to the ISM.

One entity had established controls and mature processes across all wireless security sub-areas, one entity requires improvement across all areas while another entity does not have a wireless network.

Economic development and transport

Figure 3F summarises our assessment at five economic development and transport entities.

Figure 3F

Wireless security in the economic development and transport sector

Source: VAGO.

Wireless security controls within the economic development and transport sector are generally established but underlying policies, performance of a risk assessment of the wireless network and ongoing monitoring processes require improvement across multiple entities.

One entity requires improvement across all areas, while another entity has established controls and mature processes across all wireless security sub-areas.

Local government

Figure 3G summarises our assessment at five local governments.

Figure 3G

Wireless security in the local government sector

Source: VAGO.

The entities within the local government sector are reasonably similar, with opportunities for improvement in the categories of Risk assessment and design and Ongoing monitoring over wireless networks.

Universities

Figure 3H summarises our assessment at four universities.

Figure 3H

Wireless security in the university sector

Source: VAGO.

Wireless security controls within the university sector are mixed, and all sub-areas require improvement at three of the four in-scope entities.

One entity has established controls and mature processes across all wireless security sub-areas, while another was missing key controls and systematic processes across specific sub-areas of Policies and procedures and Ongoing monitoring.

^[1] Application whitelisting is a security technique in which only a limited set of approved programs are allowed to run on an entity's computer systems, while all other programs are blocked.

4.1 Conclusion

Entities need to significantly improve their adherence to the ASD Top 4 Strategies, particularly in the area of application whitelisting.

4.2 Findings

Figure 4A summarises the results of our analysis of ASD Top 4 Strategies at the 43 surveyed entities.

Figure 4A ASD Top 4 Strategies focus area results

Source: VAGO.

Policies and procedures

Sixteen of the 43 surveyed entities have formalised and documented policies and procedures covering all of the ASD Top 4 Strategies—restricted privileged access, application whitelisting and patch management for applications and operating systems. The remaining 27 entities have implemented varied documented policies and procedures relating to the ASD Top 4 Strategies, however, none of these entities has policies covering the most effective application whitelisting control.

Implementation of measures to address ASD Top 4 Strategies

Forty of the 43 entities require improvements in their implementation of controls and processes to address the ASD Top 4 Strategies.

Thirty eight entities have not implemented strategies and tools associated with application whitelisting. Use of unauthorised applications can introduce unknown and unacceptable security risks. This may lead to breaches in the confidentiality, integrity and availability of systems and data, as well as reputational and financial losses.

Patch management and privileged user access are included within the scope of information technology (IT) audits, and therefore are also reported in Part 2 of this report.

The majority of the 43 entities have not effectively implemented patch management controls and privileged user access controls:

• Thirty had audit findings relating to patch management controls. When patches are not promptly applied, an entity's systems remain exposed to security vulnerabilities.
• Thirty four had audit findings relating to management of privileged user access. Unauthorised or erroneous transactions can occur in systems with inappropriate and excessive privileges.

Reporting and ongoing monitoring

Twenty five of the 43 entities are not performing ongoing monitoring to review and assess the effectiveness of their activities relating to the ASD Top 4 Strategies, thereby allowing gaps in IT security controls to remain undetected and un-remediated.

4.3 Sector analysis

Departments and central agencies

Figure 4B summarises our assessment at nine departments and central agencies.

Figure 4B

ASD Top 4 Strategies in departments and central agencies

Source: VAGO.

The assessment of ASD Top 4 Strategies controls across departments and central agencies is more mature than within other sectors. This is expected given that implementation of the ASD Top 4 Strategies was mandatory for this sector during the period of audit. The area requiring the most improvement relates to policies on application whitelisting, implementation and ongoing monitoring.

Seven of the nine entities require improvement in aspects of the implementation of controls to address the ASD Top 4 Strategies. This is in part due to a shared service arrangement with a common IT service provider. Improvements to this shared service provider's controls across the areas of restricted privileged access, application whitelisting and patch management would have a positive impact on most of these entities.

Two entities have established controls and mature processes across all ASD Top 4 Strategies sub-areas.

Environment and water

Figure 4C summarises our assessment at seven environment and water entities.

Figure 4C

ASD Top 4 Strategies in the environment and water sector

Source: VAGO.

The assessment of ASD Top 4 Strategies controls across the environment and water sector is varied, with areas for improvement noted across all sub-areas.

The area requiring the most improvement relates to the implementation of application whitelisting strategies and tools, and one entity is missing key controls and systematic processes to address all the ASD Top 4 Strategies of restricting privileged access, application whitelisting and patching of applications and operating systems.

Health and human services

Figure 4D summarises our assessment at seven health and human services entities.

Figure 4D

ASD Top 4 Strategies in the health and human services sector

Source: VAGO.

Only one in-scope health and human services entity has comprehensive policies covering all of the ASD Top 4 Strategies.

Consistent with the other sectors, opportunities for improvement exist in the development of application whitelisting policies, implementation of whitelisting tools and ongoing monitoring.

Justice

Figure 4E summarises our assessment at six justice entities.

Figure 4E

ASD Top 4 Strategies in the justice sector

Source: VAGO.

Only one justice sector entity has effective coverage of all the ASD Top 4 Strategies sub-areas.

Consistent with the other sectors, opportunities for improvement exist in the development of application whitelisting policies, implementation of whitelisting tools and ongoing monitoring of the ASD Top 4 Strategies.

Multiple IT audit findings were identified within the sector relating to privileged user access and patch management, which also require improvement.

One entity had significant gaps across all aspects of the ASD Top 4 Strategies sub‑areas, from policies and procedures through implementation and monitoring.

Economic development and transport

Figure 4F summarises our assessment at five economic development and transport entities.

Figure 4F

ASD Top 4 Strategies in the economic development and transport sector

Source: VAGO.

One economic development and transport entity has comprehensive policies covering all of the ASD Top 4 Strategies.

Opportunities for improvement exist in the development of application whitelisting policies, implementation of whitelisting tools as well as patch management and ongoing monitoring.

Local government

Figure 4G summarises our assessment of the ASD Top 4 Strategies at the five local government entities.

Figure 4G

ASD Top 4 Strategies in local government sector

Source: VAGO.

The assessment of ASD Top 4 Strategies controls across the local government sector is varied, and areas for improvement were noted across all sub-areas. The area requiring the most improvement relates to the implementation of measures to address the ASD Top 4 Strategies.

Multiple IT audit findings were identified within the sector relating to privileged user access and patch management, which also require improvement.

Universities

Figure 4H summarises our assessment at four universities.

Figure 4H

ASD Top 4 Strategies in the university sector

Source: VAGO.

Figure 4H shows that across all entities within the university sector, opportunities for improvement exist in all sub-areas, with only one of the four entities having established key controls and mature processes covering policies and procedures, and reporting and ongoing monitoring.

All entities in this sector have IT audit findings relating to privileged user access, while all except one have findings relating to patch management identified through the financial audit.

RESPONSE provided by the Secretary, Department of Premier & Cabinet

RESPONSE provided by the Secretary, Department of Treasury & Finance

RESPONSE provided by the Secretary, Department of Environment, Land, Water & Planning

RESPONSE provided by the Commissioner for Privacy and Data Protection