Electronic Information Security
The Auditor-General, Peter Achterstraat, today called on the NSW Government to make sure its agencies properly safeguard people's sensitive private information.
“The Government is not able to assure the people of NSW that all its agencies are properly safeguarding sensitive private information,” said Mr Achterstraat.
This is the main conclusion of his report, ‘Electronic Information Security’, released today.
“People often have no choice but to entrust their sensitive personal data to government. Government needs to ensure this information is secure, otherwise it could be stolen, records changed, privacy breached,” said Mr Achterstraat.
In 2007 the Government directed all agencies to comply with the international Information Security Management System standard ISO/IEC 27001. This policy has not been well implemented.
“Agencies were told to get certified to the international standard, but there was no deadline, no effective monitoring, and no consequences if they didn't,” said Mr Achterstraat.
The NSW Government does not know whether or not its agencies have adequate safeguards in place. The limited information which does exist suggests at least two thirds of agencies have not complied with the Government's policy.
This is not a new problem. The government has been issuing edicts to agencies about electronic information security for a decade. And if anything, IT security is going to get harder not easier.
“However, it is pleasing that the government is committed to reforming the management of information security. They are working on a new whole of government ICT strategy and reviewing governance arrangements,” said Mr Achterstraat.
Mr Achterstraat outlined three key solutions to improve information security across Government. The Government needs to:
establish minimum standards
hold people accountable to meet these standards
report annually to Parliament on the state of information security, including breaches.
In summing up Mr Achterstraat said: “The people of NSW have a fundamental right to expect their families' private details are secure, regardless of which agency holds them. The Government must demonstrate this. Currently, it can't.”
Please contact Barry Underwood, Executive Officer on 9275 7220 or 0403 073 664 or by email barry.underwood@audit.nsw.gov.au