Withdrawal from 2026 Commonwealth Games

This audit examined the cost of securing, planning for and then withdrawing from the 2026 Commonwealth Games and the quality of agencies' advice to the government.

4. Server security controls

All agencies can improve the technical security controls applied to their known servers.

Based on our assessment against established industry benchmarks, the maturity level of technical security controls applied by all agencies to their known servers is low. 

Most known servers are running operating systems that are not receiving mainstream support. 

These factors increase the risk that agencies will not detect server vulnerabilities.

3. Agencies' server inventories

No audited agency has a complete and accurate server inventory. 

Automated asset discovery tools used by agencies do not capture all servers, and few agencies use reconciliations to cross-check their server inventory. All agencies provided us with server inventory information that had either incomplete or duplicate entries.

If agencies are not accurately tracking all their servers, they do not have all the information they need to protect their IT infrastructure.

Covered in this section:

1. Our key findings

What we examined

Our audit followed 2 lines of enquiry:

1. Do agencies track all their servers and apply foundational security controls to them? 

2. Do agencies monitor their server security and strengthen it in response to threats?

To answer these questions, we examined: