Information Systems
Audit Report
Report 2: March 2010
Western Australian Auditor General’s Report
2 Information Systems Audit Report l Western Australian Auditor General
The PresidenT The sPeaker
LegisLaTive CounCiL LegisLaTive assembLy
inFormaTion sysTems audiT rePorT
I submit to Parliament my Information Systems Audit Report under the provisions of sections 24 and 25
of the Auditor General Act 2006.
GLEN CLARKE
ACTING AUDITOR GENERAL
24 March 2010
Western Australian Auditor General l Information Systems Audit Report 3
Contents
Auditor General’s Overview 4
IS Compliance Audit: Security of Laptop and Portable Storage Devices 5
Application and General Computer Controls Audits 17
Application Controls 20
General Computer Controls and Capability Assessments for Agenices 24
4 Information Systems Audit Report l Western Australian Auditor General
This is the second annual Information Systems Audit Report tabled by this Office. Following the inaugural
2009 report, I have been encouraged by feedback that the reported results provide an important
performance benchmark for agencies.
This report has two sections covering three items:
• Information systems compliance audit
m Security of laptop and portable storage devices.
• Application and general computer controls audits
m Application controls
m General computer controls and capability assessments of agencies.
The first item of the report, ‘Security of laptop and portable storage devices’, rounds out a four year focus
on various aspects of Information Systems security. This year’s audit looked at how agencies manage
the physical security of laptops, mobile phones, media players and flash drives and at the security of
information stored on those devices.
Laptops and other portable storage devices offer benefits through allowing flexible work arrangements
and easy access, storage and transfer of large amounts of data. However their portability also places
them at greater risk of being lost or stolen. Information stored on portable devices also needs to
be adequately protected. None of the seven agencies we reviewed had adequately considered or
addressed these risks.
Our audit of four key business applications at four agencies, found weaknesses in security and data
processing controls that could potentially impact delivery of key services to the public. Our general
computer control audits involved assessing 52 agencies and benchmarking 42 against good practice for
IS management. Forty-five per cent of agencies failed to meet the benchmark.
While we have seen some good practice and some signs of improvement, too many agencies continue to
ignore the risks from not effectively managing their information systems. The standards and frameworks
we audit against do not place unrealistic expectations on agencies and are generally accepted across
all industries. I strongly urge senior management of agencies to act on the recommendations of this
report.
Auditor General’s Overview
Western Australian Auditor General l Information Systems Audit Report 5
Overview
Western Australian Government agencies own and use large numbers of laptop computers and other
portable storage devices (PSDs) – including flash drives, portable hard drives and mobile phones. These
devices can hold large volumes of information. The portability of laptops and PSDs allow flexible work
arrangements and easy transfer of information. However, their portability also increases the risk that
they will be lost or stolen. On average about 250 laptops are reported stolen by agencies each year.
Without adequate safeguards in place these losses can easily result in unauthorised access to sensitive
information.
Agencies therefore have a responsibility to manage these items effectively. This includes protecting the
physical assets and ensuring appropriate security for the information stored on them. The challenge
facing agencies is to meet security needs without restricting the benefits that portable devices offer.
This is the fourth and last in a series of information systems compliance audits we have carried out
since 2007 that has focused on information security. The previous examinations were: Protection of
personal and sensitive information held in databases (Report 2, 2009); Information security: disposal of
government hard drives (Report 1, 2008); and Security of wireless local area networks in government
(Report 3, 2007).
This examination assessed whether seven government agencies were effectively managing their
laptops and PSDs to reduce the risk of loss or theft and subsequent access to sensitive information. The
agencies were:
• Curriculum Council
• Department of Commerce
• Department of Education (Central Office)
• Department of Water
• Royal Perth Hospital
• Western Australia Police
• WorkCover WA
Conclusion
All seven agencies lacked comprehensive management, technical and physical controls over their
laptops and PSDs to minimise the risk of them being lost or stolen and of sensitive information being
accessed. More serious weaknesses included:
• not knowing the number of laptops or PSDs owned, who had them, or where they were located
• ineffective controls to prevent information being accessed if a laptop was lost or stolen
• basic security weaknesses including inadequate access controls and failure to implement vendor
security patches to fix known security flaws
• gaps in relevant policies and procedures including action to be taken in the event of a laptop or
PSD being lost or stolen.
IS Compliance Audit: Security of Laptop and Portable
Storage Devices
6 Information Systems Audit Report l Western Australian Auditor General
Key Findings
• The Department of Commerce and Royal Perth Hospital did not have up-to-date registers to track
laptops and so did not know how many laptops they owned. The lack of this information increases
the risk that laptops and information stored on them will be lost without agencies knowing. It also
limits effective asset planning and replacement.
• None of the agencies had complete knowledge of the number of PSDs they owned or the potential
security risks of their PSDs. Only two agencies – Western Australia Police (WAP) and WorkCover WA
– had registers to track portable hard drives.
• WAP was the only agency that had addressed the risks associated with flash drives. Staff are only
allowed to use the encrypted devices they are issued.
• All agencies used systems logons on their laptops. However, all agencies had weaknesses in other
fundamental access controls:
m Five agencies had not ensured that boot passwords were systematically used on laptops.
Department of Commerce and Royal Perth Hospital had activated ‘boot’ passwords on some
individual and unit/branch computers. When activated, boot passwords protect information
on computer hard drives from being accessed by unauthorised users, even if the hard drive is
removed from the computer. All laptops have this capability.
m Four agencies – the Curriculum Council, the Department of Water, Royal Perth Hospital and
the Department of Education (Central Office) – did not use screen lock-outs. These require a
password to unlock a computer if it is not used for a set period of time.
• Six agencies had not used basic security controls on laptops to protect them from dangers
associated with connecting to external networks. This increased the risk of unauthorised access to
sensitive data on the laptops and/or on networks systems.
m Only WorkCover had enabled local firewalls on its laptops. Local firewalls are necessary to protect
laptops from external threats from the internet when they are connected outside their home
networks. Only WorkCover and WAP had controls in place to prohibit users from connecting
their laptops to external networks.
m Four agencies – the Curriculum Council, the Department of Water, the Department of Commerce
and WAP had not updated software patches on their laptops. While the Department of
Commerce did have an automated patch update program, it was not working. Product vendors
release software patches regularly to fix critical security flaws.
• Only WAP had comprehensive polices and procedures, including those dealing with the use and
security of PSDs. The Curriculum Council had weaknesses in all policy and procedure areas.
IS Compliance Audit: Security of Laptop and Portable Storage Devices
Western Australian Auditor General l Information Systems Audit Report 7
What Should Be Done
• All agencies should ensure that they have adequate information about their portable IT assets. In
particular:
m they should maintain comprehensive registers for their laptops
m they should consider the best way to record information about PSDs.
• All agencies should ensure that basic access controls - ‘boot’ passwords and screen lock-outs – are
activated as standard.
• Agencies should ensure that their external security controls and practices – including updating
patches, and firewall strategies – meet their security needs.
• All agencies should assess the threats and vulnerabilities to their laptops and PSDs and implement
policies, procedures and practices to mitigate those risks. This will likely include deciding about:
m accessing external networks
m different rules for different types of information and devices
m the need for laptops and PSDs.
IS Compliance Audit: Security of Laptop and Portable Storage Devices
Agency Responses
Curriculum Council – An Information and Communications Technologies security policy and
procedures plan is being developed covering laptops, portable storage devices, security of data and
physical security of equipment.
Progress is being made for all laptops on:
• boot passwords and BIOS passwords
• removal of local administrator rights
department of Commerce – The Department agrees with the findings and has:
• implemented an IT Asset Management module to provide a single register for laptop information
and to emulate the physical stocktake process
• updated software patches on all laptops which connect to the Department’s network
Other actions in progress are:
• development of policy and procedures dealing with PSDs, external network connections and
missing assets
• risk assessment to determine information classification levels and the appropriateness of local
firewalls and boot passwords.
department of education – The Department of Education will consider the findings of the audit
and the recommendations of the Auditor General to determine the appropriate action to be taken.
Improvements in our security procedures for all portable storage devices are continually sought to
ensure the security of the stored information.
department of Water – The Department of Water has taken steps to address the issues and will continue
to implement changes to improve security for laptops
department of health – The Department of Health, on behalf of Royal Perth Hospital (RPH), accepts
the findings and implications set out in the OAG’s report of its examination. Steps to address the
most important of the examination’s recommendations have already been taken. Action in relation
to the other recommendations is being assessed by RPH management and other areas of WA Health,
particularly the Health Information Network, and will form part of WA Health’s ongoing endeavours to
improve its information and communication technology governance framework.
WorkCover Wa – WorkCover WA is actively working towards addressing the areas of concern identified
in the audit. A comprehensive Portable Storage Device Policy that covers all aspects of use of PSDs
is in the final stages of management approval. WorkCover WA will also be implementing the use of
encrypted flash drives throughout the agency.
8 Information Systems Audit Report l Western Australian Auditor General
IS Compliance Audit: Security of Laptop and Portable Storage Devices
Western Australian Auditor General l Information Systems Audit Report 9
Background
Most agencies have an increasing number of laptops and use a variety of PSDs. PSDs include mobile
phones with storage, USB memory sticks (flash drives), media players, CDs, DVDs and portable hard
drives. Their portability assists with information access and sharing and can make working life easier
and more effective. However, their size and portability increases the risk of them being lost or stolen.
In the last two years there have been a number of high profile incidents in the United Kingdom where the
loss or theft of laptops and PSDs has led to serious data breaches. There have also been cases reported
in Australia where laptops containing personal and sensitive information have been lost or stolen.
Fifty-six State Government agencies reported 750 laptops stolen or lost with a total value of $828 030
in the three years to 2009. In addition to the loss of the asset, many of these devices are likely to have
contained sensitive data. This creates a significant risk of data breaches through unauthorised access to
the information stored on the devices.
To mitigate these risks, agencies should have two basic types of controls in place. The first are physical
tracking and security controls to minimise the risk that laptops or PSDs will be lost or stolen. The second
are information security controls to prevent access to information stored on these devices if they are
lost or stolen.
Physical tracking and security controls include keeping good records of assets. These should include
listing where the assets are, who has them and if the assets have up-to-date patches and software
licences.
Information security controls include good lock-out measures – including differing levels of passwords
and encryption. These help limit opportunities for unauthorised people to access information on
devices. Figure 1 illustrates the types of devices and the controls that can be used.
Figure 1: Types of portable storage devices
IS Compliance Audit: Security of Laptop and Portable Storage Devices
Information Security Controls:
• Appropriate data policies
• System and logon passwords
• Keypad locks
• Encryption
• External device controls
Physical tracking and security
controls:
• Asset registers
• Safe storage and handling
to minimise risk of loss or
theft
10 Information Systems Audit Report l Western Australian Auditor General
What Did We Do?
We examined seven agencies that have reported theft and loss of laptops. These agencies maintain
various types of sensitive information including financial, medical, legal and educational records.
Having suffered these losses, we expected that these agencies would have acted to put good controls
in place. The agencies were:
• Curriculum Council
• Department of Commerce
• Department of Education (Central Office)
• Department of Water
• Royal Perth Hospital
• Western Australia Police
• WorkCover
The Department of Education reported 561 laptops lost or stolen from its total of more than 26 000.
This is 75 per cent of all those reported lost or stolen in this period. The Curriculum Council lost the next
largest number – 24 – but 22 of those were lost in one break-in to their offices. Only two other agencies
reported double figures – 10 and 11 lost in the period. The agencies in our examination represent 81
per cent of losses in this period. Table 1 shows the agencies we examined and the numbers and value
of laptops they have reported lost.
Agency Total number of
laptops in 2009
Number laptops
reported lost/
stolen 2006-09
Insured value
of lost/stolen
laptops
Curriculum Council 100 24** $31 036
Department of Commerce * 5 $7 166
Department of Education 26 278 561 $580 434
Department of Water 289 5 $7 464
Royal Perth Hospital * 4 $4 200
Western Australia Police 1 443 4 $9 509
WorkCover 40 5 $1 325
Total 28 150 608 $641 134
Table 1: Laptops reported lost
All agencies had reported some lost laptops in the past three years.
* Figures not available for these agencies (see below for detail).
** 22 laptops were lost in a single break-in to one Curriculum Council building.
Source: Insurance Commission of WA and OAG
IS Compliance Audit: Security of Laptop and Portable Storage Devices
Western Australian Auditor General l Information Systems Audit Report 11
Our objective was to determine whether agencies have implemented appropriate management,
technical and physical controls over laptops and portable storage devices to reduce the risk of them
being lost or stolen and of sensitive information being accessed.
Specifically we examined whether agencies had:
• appropriate policies and procedures
m defining the use and security of laptops and PSDs
m in the event of laptops and PSDs being lost or stolen
m covering sensitive or personal information stored on laptops and PSDs.
• accurate registers detailing agency laptops and PSDs – information about how many assets they
had, and who had them
• appropriate guidelines and controls to physically secure equipment inside and outside of the
agency
• adequate controls in place to prevent unauthorised access to and removal of any sensitive or
personal information stored on the equipment.
We tested a sample of laptops and PSDs in each agency. This involved testing whether they were subject
to logical and physical controls to restrict access by authorised users and to maintain the confidentiality
of the data stored on them. We also examined the accuracy of asset records for these devices.
At the Department of Education and WAP we tested policies generally, but only tested laptops and PSDs
at head office. We tested Royal Perth Hospital devices and policies, but included general Department of
Health policies, procedures and guidance where relevant.
We conducted the audit in accordance with Australian Auditing Standards.
What Did We Find?
Physical controls
We expected the agencies to have clear knowledge of their portable IT assets, particularly laptops. We
found that five of the agencies had reasonable registers of laptops, but only one had such knowledge
across PSDs.
Two agencies did not have accurate records of laptops
A basic requirement of good asset management is to have a clear understanding of the numbers and
age of assets. Without this, agencies are limited in their ability to protect the assets, and to plan for their
replacement and maintenance. Computer assets also need to be tracked for other reasons:
• to ensure software updates and patches are in place, and software licences are current
• to recognise and take appropriate action in the event of them being lost or stolen
• to comply with the intent of Treasurer’s Instruction 410. This requires that all portable or attractive
assets should be appropriately managed, and suggests that such assets should be on a register.
IS Compliance Audit: Security of Laptop and Portable Storage Devices
12 Information Systems Audit Report l Western Australian Auditor General
We found appropriate registers of laptops at five agencies, although three of the registers had some
inaccuracies. Each of these agencies had conducted stocktakes to test the registers.
Neither Royal Perth Hospital (RPH) nor the Department of Commerce (DoC) had accurate records of
their laptops. RPH had two lists recording the numbers of laptops. One listed 601 laptops while the
other listed 324. Further, RPH had not conducted stocktakes and did not have an ongoing process
to update laptop information. As a result, RPH could not provide any assurance on the number of its
laptops, where they were, or who had them.
DoC also had an inadequate recordkeeping system for its IT equipment including lapto