Victorian Auditor-General slams public sector privacy
Tim Lohman reports:
The confidentiality of personal information collected and used by the public sector can be, and has been, easily compromised, a Victorian Auditor-General report has found.
The Maintaining the Integrity and Confidentiality of Personal Information report, which examined information security in three Victorian government departments, found that the ease with which databases could be penetrated, the consistency of the audit's findings across the departments and the lack of effective oversight and coordination of information security practices strongly indicate that the problem is widespread across the sector.
“This situation has arisen partly because information security policy, standards and guidance for the sector are incomplete and too narrowly focused on ICT security,” the report reads.
Read more on Computerworld (AU).
The full report can be found here (pdf). From the audit summary:
Databases that stored personal information could be accessed by unauthorised people, quickly and easily. This was because the information was not appropriately classified and the necessary controls were either missing, or were not operating as required.
Departments could not be sure their systems had not previously been breached and personal information accessed by unauthorised parties or stolen, because logs of access and changes were either not maintained or not reviewed on a timely basis.
Since the audit the departments have acted to improve security over the databases examined.
Data was transmitted from the three departments by emails in formats that were easily read. This means they could be accessed by someone other than the intended recipient.
Personal information was stored on portable storage devices, CDs and DVDs that are vulnerable to loss, in easily-read formats. Personal information was exchanged via personal email accounts, some of which were particularly vulnerable to unauthorised access. Extracts or whole copies of personal information from the selected databases were stored in unsecured shared drives on departmental networks accessible by unauthorised staff. Compliance by staff with information security requirements was not monitored by any of the three departments.
All three departments provide personal information to third parties—organisations that provide services on their behalf; that provide ICT services; or that host their information systems. Departments did not require independent certification, or carry out their own assessment, that the security third parties had in place met the required public sector security standards. There was little assurance that information was adequately protected by third parties to whom the information was legitimately provided.