The Auditor General of Western Australia has labelled the security controls in place within one system administered by the Department of Justice as “so concerning they were not tabled as part of the office’s annual information systems report in May 2019 as planned”.
The auditor’s 11th annual Information Systems Audit Report was tabled in May 2019 and contained the results of the 2018 annual cycle of information systems audits.
In addition to those that were published at the time, the audit was also performed on the Western Australian Registry System, used by the Registry of Births, Deaths and Marriages, which is a division of the WA Department of Justice.
“The results of the audit were so concerning that, in a highly unusual step and in accordance with sections 7(6) and 25(1) of the Auditor General Act 2006, I decided not to include the results of this application controls audit in the May 2019 report to Parliament,” Auditor General Caroline Spencer wrote in a report [PDF] published Thursday.
“I considered that publishing the significant findings at that time, when the system vulnerabilities still existed, would not be in the public interest.”
Spencer said it’s a frequent occurrence for her office to find weaknesses in public sector entities’ systems, but said the nature of the data in the Western Australian Registry System, and what it can potentially be used for, rendered the findings in her report “particularly concerning”.
The system contains valuable records that are used to confirm people’s identity. It registers all adoptions, births, deaths, marriages, and change of name events in the state. In 2019, it was found the system was not adequately protecting the confidentiality and integrity of that information housed within it.
“Highly confidential and foundational information was at risk of unauthorised access, alteration, and disclosure due to inadequate database controls, security vulnerabilities, and insufficient monitoring of changes to critical information,” the report said.
It added that insufficient disaster recovery planning also meant the system was at risk of not being recovered in a timely manner in the event of a disruptive incident.
The audit in 2019 found the department did not appropriately monitor access to information, nor changes made. There was also 11 third-party vendor staff that had full access to the database and could make changes to information, such as names and life events.
“The registry would not know if vendor staff had inappropriately accessed or changed information as there was no logging or auditing of the database,” the report said.
“Our follow-up audit in 2020 identified that the department has reduced the number of staff with full access to the database and developed a process to monitor key changes made to information in the database.”
The security of electronic records needed improvement, the Auditor General said. The report said the confidential information within the system is not protected through encryption, nor is it masked in test environments.
Security weaknesses identified in 2019 included insecure databases, weak passwords, and unprotected personal information, which allowed for replication.
“Our 2019 audit found that the system was not adequately protected from the threat of cyberattacks,” the report noted, adding the department has since undertaken significant work to improve its vulnerability management capabilities.
The Auditor General made a handful of recommendations, with four to be completed by June 2021, another by December 2021, and the final one, regarding the actual change of name process, is awaiting legislation to pass before it can be implemented.
“Significant work has been undertaken to improve the department’s vulnerability management capabilities and database security controls have been incorporated into the ICT Governance Framework to ensure ongoing review and enhancement,” Justice wrote in response.
It said it has also developed an audit process to monitor key changes made to information in the database.