Four IT Applications in Western Australia Have Control Weaknesses
Auditor-General Caroline Spencer reported over 70 weaknesses related to information security policies and procedures.
Four business applications used by state government entities have been found to contain control weaknesses related mostly to poor information security policies and procedures.
During her latest audit, the WA auditor-general Caroline Spencer tested the Teacher Registration System, handled by the Department of Education, Teacher Registration Board of Western Australia; the Forest Products Commission’s Deliveries and Billing System; the Housing Management System (Habitat) from the Department of Communities; and the TAFE Student Management System, which is under the watch of the Department of Training and Workforce Development.
The entities were tested during 2019-2020, and the report shows that all four applications had control weaknesses and 75 vulnerabilities were found. Nine of them were rated as significant, 57 as moderate, and nine were considered minor.
Department of Education’s Teacher Registration System
The first project analyzed was the Department of Education’s Teacher Registration System, whose infrastructure combines internally developed and commercial software applications.
The report indicated “a number of significant weaknesses in the system which prevent the [Teacher Registration Board of Western Australia] and the department from efficiently managing public resources and effectively managing information security risks relating to sensitive teacher information.”
“There is also a risk that insufficient disaster recovery planning and ongoing system failures could result in an outage that impacts teacher registration services.”
IT governance, security, and risk management appear to have been poorly executed: the report shows a severe lack of IT strategy, limited oversight, and no risk management, change management, project management, incident and problem management, cloud management, or continuity management.
Forest Products Commission’s Deliveries and Billing System (DAB)
The second application that went through analysis was the Forest Products Commission’s Deliveries and Billing System (DAB), which generates revenue and payment information from the harvest and sale of timber products.
In this case, the audit showed security weaknesses in the DAB database and the commission’s network that may expose it to malicious attacks and other vulnerabilities.
The Department of Communities’ Housing Authority
Meanwhile, the Department of Communities’ Housing Authority has yet to assess the information security risks for its Habitat program. The auditor-general concluded that the authority had not implemented adequate processes to provide oversight of Habitat controls, or a disaster recovery plan.
The Student Management System
The Student Management System used by Western Australian TAFE colleges was found to put sensitive student information at risk.
This vulnerability is rooted in the inadequate monitoring of user activity and poorly executed user access management.
Application controls need to be considered in conjunction with existing organizational processes and IT controls. A holistic approach towards governance, risk management and security is critical for secure and effective operations.
Public-facing applications are prone to cyber threats. It is therefore essential to manage system vulnerabilities and other weaknesses that could expose entities to compromise. We found that all audited entities could improve their controls around user access, vulnerability management, and situational awareness to address cyber risks.