The ACT Government’s Community Services Directorate (CSD), which assumes a broad remit of client services for the Territory’s human services functions, lacks adequate protections for data used across its front-line services, warns ACT Auditor-General Michael Harris.

The concerns were highlighted in a just-released ACT Auditor–General’s Report – Data Security, which urged the CSD and related agencies to ensure greater diligence in managing the receipt, storage, transmission, and destruction of data.

The 2019-2020 audit report, tabled by Auditor-General Harris, said that despite an established governance framework and access to ICT Shared Services (introduced to improve running cost efficiency and reduce duplication), the Community Services Directorate and its agencies were deemed to have not sufficiently secured their stored data. Moreover, it said, they remain bound to siloed, legacy systems.

The CSD oversees a wide range of community services within the Territory, including management of client services for the ACT’s multicultural and Aboriginal affairs, public and community housing services, community recovery, women, children, youth and family support services portfolios, among others.

The CSD’s constituent agencies thus hold vast repositories of administrative and client service data that, in many cases, still resides within legacy systems. With such a broad and socially sensitive remit, the Directorate was urged to improve diligence around data access and management arrangements that could expose client data.

The ACT’s data security guidelines have been enshrined in the CSD’s Protective Security Policy Framework and ICT Security Policy.

These frameworks require agencies to comply with ICT security policies and develop clear guidelines to manage data securely.

Despite their implementation, relevant entities had, according to the Auditor-General’s report, failed to fulfil their data security management obligations.

It added that several agencies had not implemented “effective governance and administrative arrangements that comply with the ICT Security Policy and the ACT Protective Security Policy Framework.”

Though no specific cases were cited in the report, this oversight, it said, may have exposed sensitive data to potential breaches. Moreover, concerns were raised about how the data was being used, shared, and managed by the agencies.

In December 2019, the ACT’s Digital Service Governance Committee, referenced within the audit, was made aware of 68 critical Directorate ICT systems that did not have system design documentation – a prerequisite for any ICT project undertaken.

The design documents for the other 147 systems were unknown, the audit said.

The Directorate’s ICT services are managed under the ACT Government’s Shared Services regime.

Shared Services include access to HR, financial management, and ICT services, including technology infrastructure, designated cloud services, and end-user apps. Since 2007, the entity has been tasked with delivering services to the Directorate and its constituent agencies.

While the audit recognised that Shared Services “has effective tools and processes to help agencies manage data security risks”, it said agencies had not fully tackled the security of their systems, making it difficult for Shared Services to address the backlog of security assessments.

“Shared Services and agencies are not presently well placed to address gaps in data security risk management promptly,” the report noted.

Only one agency reviewed in the audit had documented its system security risk; most agencies did not have similar assessments in place.

Downloading unsecured cloud apps

The use of cloud-based systems and services presented a risk to ACT government agencies’ data security, the audit said, as non-sanctioned apps were being readily accessed by agency staff, further heightening breach risk for agencies’ data repositories.

Without adequate staff supervision, agencies faced problems with adding further controls for non-approved cloud services – “many of these services relate to image and document conversion software,” it said – not available through Shared Services.

Using non-sanctioned cloud services may have exposed agency data to further risk, particularly those involving cloud‐based service providers with “unknown data security protections, as well as licencing and legislative compliance risks.”

Taking advantage of cloud services – outside Shared Services arrangements – required “sound contract management arrangements”, marked by assurances from vendors about the protection of data, the audit said.

Data breach response plans 

A clearly defined and whole-of-government data security action plan appeared to be lacking within the CSD, with the audit noting that more work was needed for agencies to develop a coordinated, cross-agency plan to effectively address data security gaps.

Agencies, the audit found, lacked a “whole-of-government data breach response plan” that could effectively coordinate resources in the event of a major data breach.

In 2018, the Security and Emergency Management Senior Officials Group sought to improve the government’s capability by reviewing the roles and responsibilities for cybersecurity across the ACT Government network.

This collaboration was designed to respond to security events, with the group developing a coordinated security management action plan to be rolled out by July 2020.

The audit found individual agencies poorly equipped to respond to a data breach incidents or unplanned system downtime, with the Auditor General urging agencies to “invest more effort in documenting and testing how to restore the functionality of critical business systems.”

The preponderance of legacy systems was also highlighted as a concern, with “more work… needed to realise the benefits of these initiatives, including decommissioning old systems when new ones are implemented”.

Managing system security risk management plans at a “system‐by‐system level” meant the data was siloed across ACT Government agencies and systems, the audit added.

“Being able to operate in such a controlled environment is not always the case for legacy systems and, given the large number of legacy applications in the ACT Government ICT network, this is one of the most significant areas of data security risk.”

Additionally, there was insufficient user education on the secure use of data within the agency.

“A lack of awareness has been demonstrated in a lack of understanding of how to share data securely, as well as to recognise when a data breach has occurred and needs to be reported.”

This education would draw on guidelines shared by the Australian Signals Directorate, among these, designing a program that raised awareness levels, offered refresher training, and encouraged regular communication between the IT security and other staff.