Auditor General publishes findings 18 weeks after the audit was completed because she feared the danger was too great to expose the system at the time.
The Auditor General of Western Australia has branded the security controls in place inside a single system handled by the Department of Justice as “so concerning they weren’t tabled as a member of their office’s yearly data systems report in May 2019 as proposed”.
“I believed that publishing the substantial findings at the moment, once the machine vulnerabilities still existed, wouldn’t be in the public interest.”
Spencer said it is common for her office to find flaws in public sector entities’ systems, but said the nature of the information in the Western Australian Registry System, and what it could potentially be used for, made the findings in her report “especially concerning”.
The system holds valuable records that are used to verify people’s identity. It registers all adoptions, deaths, births, marriages, and change of title events in the country.
In 2019, the audit found the system wasn’t adequately protecting the confidentiality and integrity of the data it holds.
“Highly confidential and foundational data was vulnerable to unauthorized access, modification, and disclosure because of insufficient database controllers, security vulnerabilities, and inadequate monitoring of modifications to crucial data,” the report stated.
It added that inadequate disaster recovery planning also meant the system was at risk of not being recovered in a timely fashion in the event of a disruption.
The 2019 audit found the department didn’t appropriately monitor access to data or changes made to it. There were also 11 third-party vendor staff who had full access to the database and could make changes to data, such as titles and life events.
“The registry wouldn’t know if seller staff had accessed or altered information because there wasn’t any logging or auditing of this database,” the report stated.
“Our follow-up evaluation in 2020 identified that the section has decreased the amount of personnel with complete access to this database and also developed a procedure to track crucial changes made to data in the database.”
The safety of digital records had advancement, the Auditor General stated. The report stated the private data within the system isn’t protected through encryption, nor can it be concealed in test environments.
Security flaws identified in 2019 included insecure databases, weak passwords, and unprotected private information, which enabled replication.
“Our 2019 audit discovered that the system wasn’t adequately shielded from the risk of cyberattacks,” the report noted, adding that the department has since undertaken considerable work to improve its vulnerability management capabilities.
The Auditor General made a number of recommendations, with four to be completed by June 2021, another by December 2021, and the last one, concerning the actual change of title process, awaiting the passage of legislation before it can be implemented.
“Substantial work was undertaken to enhance the section vulnerability management capacities and database security controls are integrated into the ICT Governance Framework to ensure ongoing review and improvement,” Justice wrote in response.
It said it has also developed an audit process to track crucial changes made to data in the database.