The audit examined 11 public sector agencies and found that the policy, standards and protection mechanisms for the security of the state’s information and communications technology (ICT) systems and data have not been effectively applied. Agencies undertake only limited monitoring of suspicious internal network activity, and they do not have a capability to detect an intrusion into sensitive public sector systems.
The audit also found that if there was an external cyber attack or a cyber alert issued by an Australian Government national security agency, there would be no coordinated understanding of the threat or its impact across the state’s public sector ICT systems, because central agencies do not conduct follow up actions after a cyber alert is disseminated.
The audit further identified a number of critical- and medium-level risks related to individual agency systems that have been raised with each of those agencies through individual management letters. Agreement has been reached with each agency about what actions will be implemented and a proposed time frame for implementation.