New South Wales Audit Office
New South Wales Auditor-General Peter Achterstraat
New South Wales Auditor-General Releases His Report
Electronic Information Security
Victor P Taffa
The Auditor-General, Peter Achterstraat, today called on the New South Wales (NSW) Government to make sure its agencies properly safeguard people’s sensitive Private Information.
“The Government is not able to assure the people of NSW that all its agencies are properly safeguarding sensitive Private Information,” Mr. Achterstraat said.
This is the main conclusion of his report ‘Electronic Information Security’ released today.
“People often have no choice but to entrust their sensitive personal data to Government. Government needs to ensure this information is secure, otherwise it could be stolen, records changed, privacy breached,” Mr. Achterstraat said.
In 2007 the Government directed all agencies to comply with the international Information Security Management System standard ISO/IEC 27001. This policy has not been well implemented.
“Agencies were told to get certified to the international standard, but there was no deadline, no effective monitoring, and no consequences if they didn’t,” Mr. Achterstraat said.
The NSW Government does not know whether or not its agencies have adequate safeguards in place. The limited information which does exist suggests at least two-thirds of agencies have not complied with the Government’s policy.
This is not a new problem. The Government has been issuing edicts to agencies about electronic information security for a decade. And if anything, IT security is going to get harder, not easier.
“However, it is pleasing that the Government is committed to reforming the management of information security. They are working on a new whole of government ICT strategy and reviewing governance arrangements,” Mr. Achterstraat said.
Mr. Achterstraat outlined three key solutions to improve information security across Government. The Government needs to:
- Establish minimum standards;
- Hold people accountable to meet these standards;
- Report annually to Parliament on the state of information security, including breaches.
“The people of NSW have a fundamental right to expect their families’ private details are secure, regardless of which agency holds them. The Government must demonstrate this. Currently, it can’t,” Mr. Achterstraat said.
Exhibit 7: Key results of 2007 GCIO survey
Ninety-seven agencies responded to the 2007 GCIO survey. Of these agencies:
In 2007, one more agency was certified (that is, 27 in total) but did not complete the GCIO survey.
Source: GCIO 2009