Auditor-General Audit reports for 2005-2006 No. 23 Protective security audit IT security management



Australian National Audit Office
Protective Security Audit

IT Security Management

Audit Report No.23 2005-2006

The Auditor-General

Audit Report No.23 2005-06 Protective Security Audit

IT Security Management

Australian National Audit Office

© Commonwealth of Australia 2005

ISSN 1036-7632

ISBN 0 642 80882 1

COPYRIGHT INFORMATION

This work is copyright. Apart from any use as permitted under the Copyright Act 1968, no part may be reproduced by any process without prior written permission from the Commonwealth.

Requests and inquiries concerning reproduction and rights should be addressed to the Commonwealth Copyright Administration, Attorney-General's Department, Robert Garran Offices, National Circuit, Canberra ACT 2600

http://www.ag.gov.au/cca

ANAO Audit Report No.23 2005-06 IT Security Management

Australian National Audit Office

Canberra ACT 22 December 2005

Dear Mr President
Dear Mr Speaker

The Australian National Audit Office has undertaken a protective security audit across agencies in accordance with the authority contained in the Auditor-General Act 1997. Pursuant to Senate Standing Order 166 relating to the presentation of documents when the Senate is not sitting, I present the report of this audit and the accompanying brochure. The report is titled IT Security Management.

Following its presentation and receipt, the report will be placed on the Australian National Audit Office’s Homepage— http://www.anao.gov.au.

Yours sincerely

Ian McPhee
Auditor-General

The Honourable the President of the Senate
The Honourable the Speaker of the House of Representatives
Parliament House
Canberra ACT


AUDITING FOR AUSTRALIA

The Auditor-General is head of the Australian National Audit Office. The ANAO assists the Auditor-General to carry out his duties under the Auditor-General Act 1997 to undertake performance audits and financial statement audits of Commonwealth public sector bodies and to provide independent reports and advice for the Parliament, the Government and the community. The aim is to improve Commonwealth public sector administration and accountability.

For further information contact: The Publications Manager, Australian National Audit Office, GPO Box 707, Canberra ACT 2601

Telephone: (02) 6203 7505 Fax: (02) 6203 7519

Email: webmaster@anao.gov.au

ANAO audit reports and information about the ANAO are available at our internet address:

http://www.anao.gov.au

Audit Team: Greg Mazzone, Martin Simon, Deborah Hope, Terena Lepper, Kristen Foster, Wayne Jones


Contents

Abbreviations .......... 6
Glossary .......... 7

Summary and Recommendations .......... 11
Summary .......... 13
Background .......... 13
Audit scope and objective .......... 13
Selected agencies .......... 14
Audit conclusion .......... 14
Recommendations .......... 15
Agencies' comments .......... 15
Recommendations .......... 16

Audit Findings and Conclusions .......... 19
1. Introduction .......... 21
Information security .......... 21
Contemporary IT security issues .......... 23
Audit objective, scope and criteria .......... 23
2. IT Security Control Framework .......... 26
IT security control framework .......... 26
IT security policy .......... 29
Compliance with internal and external requirements .......... 31
IT security organisation structure .......... 34
3. IT Operational Security Controls .......... 36
IT operational security controls .......... 36
Personnel security .......... 37
IT equipment security .......... 38
Network security management .......... 39
Logical access management .......... 42

Appendices .......... 45
Appendix 1: Agencies' responses to the audit report .......... 47
Appendix 2: Reference to ANAO audits .......... 52
Appendix 3: Audit objectives and scope .......... 53

Index .......... 55
Series Titles .......... 57
Better Practice Guides .......... 59


Abbreviations

ACSI 33: Australian Government Information and Communications Technology Security Manual (DSD)

AGD: Attorney-General's Department

AGIMO: Australian Government Information Management Office

ANAO: Australian National Audit Office

DSD: Department of Defence - Defence Signals Directorate

IT: Information Technology

ICT: Information and Communications Technology

PSM: Protective Security Manual (Australian Government-AGD)


Glossary

Access Control: The process of allowing authorised usage of resources and disallowing unauthorised access.

Agencies: ...includes all Australian Government departments, authorities, agencies or other bodies established in relation to public purposes, including departments and authorities staffed under the Public Service Act 1999 (PSM 2005).

Agency Security Plan: Also known as an agency protective security plan. It is a document that contains the plan of action that the agency intends to use to address its security risks based on the context in which the agency operates and a thorough risk review (PSM 2005).

Audit criteria: Normative or desirable controls or processes (that are at reasonable and attainable standards) against which the subject matter under review is assessed.

Availability: Information systems are available and usable when required, and can appropriately resist attacks and recover from failures. Ensuring that authorised users have access to information and associated resources when required (AS/NZS ISO/IEC 17799:2001). ... the desired state that allows authorised users to access defined information for authorised purposes at the time they need to do so (PSM 2005).

Better practice: Business practice(s) that if adopted would strengthen the internal control framework and lead to improved operational effectiveness and efficiency.

Business process controls: Policies and procedures that help ensure that the necessary actions are taken to manage risks, so that an organisation can achieve its objectives.


Confidentiality: Information is observed by or disclosed to only those who have a right to know. Ensuring that information is accessible only to those authorised to have access (AS/NZS ISO/IEC 17799:2001). ... the limiting of official information to authorised users for approved purposes. The confidentiality requirement is determined by reference to the likely consequences of unauthorised disclosure of official information. The Australian Government security classification system has been developed to help agencies identify information that has confidentiality requirements (PSM 2005).

Data: Representation of facts, concepts or instructions in a formalised manner suitable for communication, interpretation or processing by humans or by automatic means.

Electronic mail (email) filtering: The objective of email filtering is to eliminate the sending and/or receipt of unsolicited mail and computer viruses that are often attached to emails.

Information: In the context of protective security, the PSM defines information as including: documents and papers; electronic data; the software or systems and networks on which the information is stored, processed or communicated; the intellectual information (knowledge) acquired by individuals; and physical items from which information regarding design, components or use could be derived (PSM 2005).

Information security: Preservation of confidentiality, integrity and availability of information (AS/NZS 7799.2:2003).

Integrity: The assurance that information has been created, amended or deleted only by the intended authorised means (PSM 2005).


IT system: A related set of hardware and software used for the communication, processing or storage of information and the administrative framework in which it operates (ACSI 33, 2005).

Protective security: A broad concept covering information, personnel, physical and information technology and telecommunication security.

Security-in-depth principle: A system of multiple layers, in which security countermeasures are combined to support and complement each other (PSM 2005).


Summary and Recommendations


Summary

Background

1. Information technology (IT) security management is an essential part of agencies' protective security environments. The management of IT security is a key responsibility of Australian Government agencies,[1] and is necessary to protect the confidentiality, integrity, and availability of information systems and the information they hold.[2] Effective IT security management requires the development and implementation of an IT security control framework[3] designed to minimise the risk of harm to acceptable levels. Given the increasing reliance on the interconnectivity of Australian Government information systems, agencies have an additional responsibility to consider how their IT security environment may impact other government agencies as well as other parties with whom they share information.

2. The Australian Government Protective Security Manual (PSM) establishes the framework of policies, practices and procedures designed for Australian Government agencies to use in protecting Australian Government functions and official resources from sources of harm[4] that would weaken, compromise or destroy them. The PSM, which was re-issued in October 2005, identifies current standards for protective security, and specifies minimum requirements for the protection of Australian Government resources.

Audit scope and objective

3. This audit is a part of the ANAO's protective security audit coverage.[5] The objective of this audit was to determine whether agencies audited had developed and implemented sound IT security management principles and practices supported by an IT security control framework, in accordance with Australian Government policies and guidelines.

1 For the purposes of this report, the ANAO has used the definition of 'agency' as provided by the Protective Security Manual 2005, which defines agency as including 'all Australian Government departments, authorities, agencies or other bodies established in relation to public purpose, including departments and authorities staffed under the Public Service Act 1999.'

2 Confidentiality, integrity and availability are considered key objectives of IT security controls for protecting information.

3 An IT security control framework is the design of management processes and supporting policies and procedures, that together provide assurance that IT security management is operating effectively. Discussed further in chapter 2.

4 The PSM defines harm as being any negative consequence, such as a compromise of, damage to, or loss incurred by the Australian Government.

5 Appendix 2 provides an overview of related ANAO audits.


4. The audit at each agency examined the framework for the effective management and control of IT security, including the management of IT operational security controls and, where applicable, was based on the Australian Government protective security and information and communications technology (ICT) security guidelines that were current at that time.

Selected agencies

5. The eight agencies selected for review were:

• Australian Agency for International Development;

• Australian Office of Financial Management;

• Bureau of Meteorology;

• ComSuper;

• Department of Education, Science and Training;

• Department of the Environment and Heritage;

• Department of Immigration and Multicultural and Indigenous Affairs; and

• Department of Transport and Regional Services.

Audit conclusion

6. Overall, the ANAO concluded that the audited agencies had identified relevant Australian Government policies, practices and procedures for the protection of information. However, most agencies had not implemented structured processes to ensure the effective alignment of the IT security policy objectives with organisational risk management processes and Australian Government policy, practices, and standards for the safeguarding of information resources.

7. The ANAO found that the majority of agencies audited had adequately identified relevant external compliance obligations, and IT personnel interviewed were aware of relevant legislation and the associated compliance requirements. However, only two agencies could demonstrate suitable processes to assess system compliance with their IT security policy and with government requirements, and processes for managing exceptions/variations.

8. The ANAO found that most agencies did not maintain key IT operational procedures and configuration documentation. This was particularly evident of agencies that had contracted to third-party service providers for the provision of IT and/or IT security services.


9. The audit identified a number of opportunities for further improvement in agencies' policies and procedures relating to IT security management practices. These included:

• improving the content and processes for developing and maintaining IT security policy alignment with organisational risk management processes;

• ensuring a regular process exists within the IT security control framework to identify gaps between an agency IT environment and Australian Government expectations. This will assist in determining whether systems are operating at an acceptable level of risk;

• ensuring policies clearly identify the physical and environmental security controls and standards for managing IT equipment;

• ensuring performance reporting of network security practices are designed to ensure that security controls are adequately addressing IT security risks; and

• ensuring standards exist and are applied for the use of audit trails6.

Recommendations

10. The ANAO has made five recommendations based on the audit findings from the agencies reviewed. Given the need for all agencies to effectively implement and manage IT security, these recommendations are likely to have relevance to the operation and management of IT security in all Australian Government agencies.

Agencies' comments

11. The eight agencies examined in the audit agreed with the recommendations.

12. In addition, the Attorney-General's Department and the Department of Defence—Defence Signals Directorate, stakeholders in Australian Government IT Security, responded positively to the audit report. DSD specifically noted that the recommendations are consistent with a fundamental requirement of the Australian Government Information and Communications Technology Security Manual (ACSI 33).

6 In computer security terms, an audit trail provides a chronological record of system resource usage. It is commonly referred to as logging. This includes user login, file access, other various activities, and whether any actual or attempted security violations occurred.


Recommendations

The following recommendations are based on the findings of fieldwork at the audited agencies. The ANAO considers they are likely to be relevant to all agencies in the Australian Government sector. All entities should therefore assess the benefits of implementing the recommendations in light of their own circumstances, including the extent to which each recommendation, or part thereof, is addressed by processes and controls already in place.

IT security control framework

Recommendation No.1 (Para 2.18): IT security policy

The ANAO recommends that agencies incorporate into their information security management framework an IT security policy that establishes an agency's IT security objectives and scope, and provides reference to supporting IT security plans, procedures and standards. In addition, the policy should incorporate requirements of Australian Government policies, standards and guidelines for the safeguarding of information resources.

Recommendation No.2 (Para 2.34): Compliance

The ANAO recommends that agencies strengthen IT security risk processes through the use of documented IT security risk assessments, plans and policies, and conduct periodic reviews to identify gaps between agencies' IT environments, ideal risk profile and relevant government policies, standards and guidelines.

IT operational security controls

Recommendation No.3 (Para 3.17): IT equipment security

The ANAO recommends that agencies improve IT equipment security practices by ensuring that physical and environmental security controls of computing resources are clearly stated as part of their IT security policy, and that responsibilities for protecting information resources are established and documented.


Recommendation No.4 (Para 3.29): Network security management

The ANAO recommends that agencies, as a part of their IT governance arrangements, monitor the effectiveness of network security practices and controls by establishing performance measures and incorporating periodic reporting against these measures.

Recommendation No.5 (Para 3.39): Logical access management

The ANAO recommends that agencies, as a part of their system access arrangements, establish standards for the logging of inappropriate or unauthorised activity and introduce routine processes for monitoring and reviewing system audit logs.

Agencies' responses to the recommendations

13. The eight agencies examined in the audit agreed with the recommendations.

14. Agencies' responses to the recommendations are shown following each recommendation in chapters 2 and 3. Other general comments provided by the agencies are shown at Appendix 1.


Audit Findings and Conclusions


1. Introduction

This chapter provides background information about the audit scope and objective, and provides an overview of the Australian Government protective security framework and its requirement for information security. The role of IT security controls and processes for safeguarding of information is also discussed.

Information security

1.1 Information security is the protection of information and information systems and encompasses all infrastructure that facilitates its use - processes, systems, services, and technology. It relates to the security of any information that is stored, processed or transmitted in electronic or similar form,[7] and is also defined as the preservation of confidentiality, integrity and availability of information.[8] Definitions of these terms are provided in Table 1.1 below.

Table 1.1

Information Security Objectives

Confidentiality: Information is observed by, or disclosed to, only those who have a right and need to know.

Integrity: Assurance that information has been created, amended or deleted only by the intended authorised means.

Availability: Information systems are available and usable when required, and can appropriately resist attacks and recover from failures.

Source: Adapted from the PSM (2005) and 7799.2:2003 - Information Security Management Part 2: Specification for information security management systems, Standards Australia/Standards New Zealand, 2003.

IT security

1.2 IT security is a subset of information security and is concerned with the security of electronic systems, including computers, voice and data networks. It is also concerned with providing a system to establish, maintain, manage and monitor business and operational controls surrounding IT resources, in accordance with organisational information management requirements.

7 , accessed 13 October 2005.

8 AS/NZS 7799.2:2003 - Information Security Management Part 2: Specification for information security management systems, Standards Australia/Standards New Zealand, 2002, p. 3.


1.3 Effective implementation and management of IT security requires both an IT security control framework and the implementation of IT operational security controls. These are defined in Table 1.2 below. The control framework provides a management structure designed to ensure that agencies take the necessary action to manage IT security risks. Operational security controls support implementation of the control framework through addressing objectives of confidentiality, availability and integrity of information or data stored or transmitted.

Table 1.2

Security controls

IT security control framework: Policies and procedures that help ensure the necessary actions are taken to manage risks, so an agency can achieve its objectives.

IT operational security controls: Processes and supporting technologies that ensure the confidentiality, integrity and availability of an organisation's information processing environment.

Source: ANAO.

1.4 The Protective Security Manual requires Australian Government agencies to protect information resources, including ICT systems, from compromise and misuse.[9] In addition to providing policies, practices and procedures for safeguarding government resources, the PSM directs government agencies to refer to the Australian Government Information and Communications Technology Security Manual (ACSI 33) for ICT security topics.[10] ACSI 33[11] outlines a combination of physical, personnel, information, IT and communications measures to assist agencies to implement IT security controls that satisfy the minimum standards required to protect information stored or transmitted via electronic means.[12]

1.5 Sound information security controls are important to enhance agencies' confidence that their recorded business transactions are valid, accurate and complete, and sufficiently mitigate the risk of information being exposed to unauthorised access.[13]

9 Attorney-General's Department (2005), Protective Security Manual 2005, Part A, para 2.4.

10 Attorney-General's Department (2005), op. cit., Part C, para. 7.23.

11 Defence Signals Directorate (DSD), Australian Government Information and Communications Technology Security Manual (ACSI 33). The current version of the Manual was released in September 2005.

12 Additionally, a number of Australian standards are useful to agencies in determining better practice requirements when developing and managing IT security. A listing of these is included at Table 1.3.

13 Australian National Audit Office (2005), Interim Phase of the Audit of Financial Statements of General Government Sector Agencies for the Year Ending 30 June 2005, Audit Report No. 56 2004-05, p. 52.


Contemporary IT security issues

1.6 Management of IT security matters has received considerable attention in the Parliament, the media and among the general public in recent years. The Joint Committee of Public Accounts and Audit (JCPAA) has also drawn attention to a number of IT security issues and concerns, including:

• a lack of physical security of computing resources, in particular mobile computing resources such as laptops, personal electronic devices and backup tapes;

• the need to pursue better practice with the making and management of security contracts between agencies and external service providers; and

• a lack of knowledge of appropriate reporting requirements in the event of a security breach.[14]

1.7 A current trend in the government sector is for operations and service delivery to extend beyond traditional agency boundaries, requiring government agencies to share information and business processes with each other and, at times, with private enterprise and the general community. In order to interoperate, in a trusted and cost-effective way, it is important for agencies to use agreed technical protocols and standards.[15]

Audit objective, scope and criteria

Objective and scope

1.8 This audit is a part of the ANAO's protective security audit coverage.[16] The objective of this audit was to determine whether agencies had developed and implemented appropriate IT security management principles and practices, in accordance with Australian Government expectations. It specifically considered the IT security control framework and IT operational security controls.[17]

1.9 The audit did not review agencies' policies or standards for business continuity or system development practices. The ANAO provides coverage of these controls and practices in its performance audit reports.[18]

14 JCPAA, Report No. 399 Inquiry into the Management and Integrity of Electronic Information in the Commonwealth, 2004, Foreword, from page vii.

15 This is known as interoperability, which is defined as: the ability to transfer and use information in a uniform and efficient manner across multiple organisations and information technology systems. See Australian Government Technical Interoperability Framework, Foreword, accessed on 14 October 2005 at: .

16 Appendix 2 provides an overview of related ANAO audits.

17 Appendix 3 provides an overview of the audit objectives and scope.

18 ANAO reports are available from the ANAO's website, .


Audit criteria

1.10 The performance of each agency was assessed against a set of desirable controls or better practice principles (hereafter described as the audit criteria). The audit criteria, which were developed by the ANAO, reflect the policies, standards and guidelines contained in Australian Government guidance documents (provided in the table below). In addition, the ANAO also included elements from Australian and International Standards such as the AS/NZS ISO/IEC 17799:2001 Information Technology - Code of practice for information security management, Standards Australia & Standards New Zealand, 2001.

Relevant documents

1.11 Table 1.3 details the relevant Australian Government guidance documents and Australian standards for managing and implementing information and IT security. The ANAO also referred to these documents when preparing the audit criteria and test program for this audit.

Table 1.3 Relevant guidance documents and standards

Government guidance documents

Australian Government Protective Security Manual, Attorney-General's Department, 2005.[19]

Australian Government Information and Communications Technology Security Manual (ACSI 33), Defence Signals Directorate, June 2004.[20]

Standards

AS/NZS ISO/IEC 17799:2001 Information Technology - Code of practice for information security management, Standards Australia & Standards New Zealand, 2001.

AS/NZS 7799:2003 Information Security Management Part 2: Specification for information security management systems, Standards Australia & Standards New Zealand, 2003.

AS/NZS 4360:1999 Risk Management, Standards Australia & Standards New Zealand, 1999.

HB 231:2000 Information security risk management guidelines, Standards Australia & Standards New Zealand, 2004.

13335:2003 Information Technology - Guidelines for the management of IT Security, Standards Australia & Standards New Zealand, 2003.

AS 8015 - 2004 Corporate Governance of Information & Communication Technology, Standards Australia & Standards New Zealand, 2005.

Source: ANAO

19 Unless stated, this audit report refers to the 2000 version of the Protective Security Manual (PSM 2000). The Attorney-General’s Department have released a revised version of the PSM, titled Protective Security Manual 2005, in October 2005. The Foreword states: ‘The revised Manual details the minimum standards for the protection of Australian Government resources...that agencies must meet in their operations’.

20 The audit criteria reference ACSI 33 as issued in June 2004; however, references in this audit report to policies, standards or practices refer to the current version of the Manual, which was released in September 2005.


Selected agencies

1.12 The following agencies were selected for review:

• Australian Agency for International Development;

• Australian Office of Financial Management;

• Bureau of Meteorology;

• ComSuper;

• Department of Education, Science and Training;

• Department of the Environment and Heritage;

• Department of Immigration and Multicultural and Indigenous Affairs; and

• Department of Transport and Regional Services.

Audit Methodology

1.13 The audit methodology involved interviewing selected officers, reviewing policy and procedural documents, and examining documentation relating to the agencies' IT security management.

1.14 The audit was undertaken in accordance with the ANAO's Auditing Standards and was completed at a cost of approximately $333 211.

Audit Findings

1.15 The ANAO provided each agency with a discussion paper detailing the audit findings, recommendations for improvement and conclusions arising from the fieldwork specific to them.

1.16 The Attorney-General's Department and the Defence Signals Directorate were also provided with draft copies of this report prior to its finalisation, given their stakeholder responsibilities for IT security.

1.17 The audit findings are presented in chapters 2 and 3 of this report.

2. IT Security Control Framework

This chapter describes elements required for an IT security control framework and provides references to relevant Australian Government policies, practices and procedures. The chapter also discusses the audit findings in relation to the framework for the effective management and control of IT security.

IT security control framework

2.1 An IT security control framework supports management controls with the aim of ensuring IT security adequately protects information resources in accordance with agencies' information security objectives. The ANAO considers that in order to effectively manage IT security controls, agencies should:

• identify and assess the risks to information resources;

• develop an IT security policy;

• treat the identified risks;

• periodically review risks and risk treatments; and

• monitor the operation and effectiveness of the security policy.

2.2 For agencies that have responsibility for Australian Government information resources, an IT security policy and security risk assessments are considered to be mandatory requirements in order to comply with the PSM and other Australian Government guidance documents.21

2.3 An IT security policy is an integral component of the IT security control framework. It supports the overall agency security plan by providing a link between the agency's risk management framework and information security policy objectives. An IT security policy provides the direction and support for the implementation and monitoring of suitable IT security controls. These elements are illustrated in Figure 2.1.

21 See for example Defence Signals Directorate (September 2005), para 2.2.4 and 2.2.5, which describe mandatory security documentation requirements. PSM (2005) Part C para 7.23 states that 'ICT systems that process, store or communicate official information must comply with ACSI 33'.

Figure 2.1

IT security control framework

[Figure: a layered diagram. The agency security plan sits at the top. Beneath it, the information security framework contains the information security risk management plan and the information security policy. Beneath that, the IT security control framework contains the IT security risk management plan and the IT security policy. The IT security policy is supported by IT security documentation: IT systems security plans, IT security standards and IT security guidelines. External standards and guidelines (PSM 2005, ACSI 33 and the Australian/New Zealand standards listed in the source note) feed into each layer.]

Source: ANAO adapted from government guidelines.22

2.4 A range of IT security documentation supports the IT security policy and is important for effective operation and administration of IT security. An overview of supporting documentation is included in Table 2.1.

22 Adapted from: 13335:2003 Information Technology-Guidelines for the management of IT Security, Standards Australia & Standards New Zealand, 2003. Attorney-General’s Department (2005), The Protective Security Manual, and Australian Government Information and Communications Technology Security Manual (ACSI 33), Defence Signals Directorate, September 2005.


Table 2.1

IT security documentation overview

Information security policy: To address, at the agency level, the issues of security awareness, responsibility, behaviour and deterrence. This is a component of an agency's security plan.23

IT security policy: To provide a high-level policy objective; it is a component of an agency's information security policy.

IT security risk management plan: To identify controls needed to meet agency protective security policy. The plan has two parts: an IT risk assessment and an IT risk treatment plan.

IT system security plan: To define actions or standards for implementing an agency's risk management plan.

IT security procedures and standards: To provide instructions to system users, administrators and managers to enable compliance with an agency's system security plan.

Source: ANAO, adapted from The Protective Security Manual (2005) and the ACSI 33 Manual (September 2005).

2.5 The audit criteria, against which the adequacy of the audited agencies' IT security framework were assessed, are detailed in Table 2.2 below.

Table 2.2

IT security control framework - audit criteria

IT security control framework: The agency has established a framework that reflects management's commitment and attitude to the implementation and maintenance of effective IT security controls, and aligns policies, procedures and day-to-day work practices with overall agency objectives for the secure management and control of each part of the IT systems. The components in the scope of this audit, and elements assessed within each of these, are listed below.

IT security policy: An IT security policy is documented and provides a high-level objective. The policy references existing government policy, standards and guidelines, assigns responsibilities to personnel for the management of IT security, and references other IT security plans or standards. Elements assessed:

• policy content;

• alignment with IT security risk assessment; and

• review process.

Compliance with internal and external requirements: Relevant criminal and civil law, and statutory, regulatory or contractual obligations, and security requirements are identified and documented. Elements assessed:

• compliance with external requirements;

• compliance with the Protective Security Manual waiver process; and

• technical and compliance reviews.

IT security organisation structure: An appropriate organisational structure is established to maintain security over information assets. Elements assessed:

• IT security management structure; and

• accountability for information resources.

Source: ANAO

23 Attorney-General’s Department (2005), op. cit., Part C, Section 4.


2.6 These components and the respective audit findings are discussed in turn below.

IT security policy

2.7 The purpose of an IT security policy is to articulate an agency's objective and purpose for establishing and maintaining IT security controls, and to align agency information security objectives with day-to-day work practices. The ANAO reviewed the extent to which audited agencies had addressed the following elements:

• policy content;

• alignment with IT security risk assessment; and

• review process.

Policy content

2.8 The ANAO expected that an entity's IT security policy24 would include an overview of the agency's high-level IT security objectives and scope, and provide reference to other agency IT security plans or standards.

2.9 In addition, the ANAO assessed whether agencies' IT security policy was communicated to all employees, and that management from business areas were aware of their responsibility to monitor and contribute to updates should business security objectives change.

Alignment with IT security risk assessment

2.10 Australian Government guidance suggests agencies should develop a risk management plan to manage organisational risks. The ANAO considers that such a plan is important in order for agencies to identify the risk for each information asset within the scope of the IT security policy, and then determine appropriate controls for each assessed risk.

2.11 The ANAO assessed whether agencies audited undertook an IT security risk assessment for IT resources considered as essential for conducting business. In addition, the ANAO evaluated whether a clear link existed between agencies' IT security policy and IT security risk assessment. The ANAO considers that it is important for agencies to provide assurance that controls implemented to treat risks to the IT resources are based on the risk profile established through a risk assessment process, and approved by management.

24 The current version of ACSI 33 (September 2005) refers to an IT Security Policy as an 'Information and Communications Security Policy'.

Review process

2.12 Regular reviews of policies and procedures assist agencies to ensure that IT security policy continues to meet organisational needs.25 In addition, the ANAO considers that this is facilitated by defining, in the IT security policy, a review process, assigning responsibilities for maintaining and reviewing the IT security policy, and specifying a timeframe for review.

Audit findings

2.13 The content of the IT security policy of approximately half of the entities assessed met the criteria for content of an IT security policy. Issues identified during the course of the audit were:

• one agency did not have a current IT security policy and one agency had an IT security policy in draft for a considerable period of time, without management endorsement; and

• three agencies' IT security policies did not incorporate reference to agency plans or standards concerning acceptable IT operational controls, such as network management or monitoring of electronic mail.

2.14 The ANAO found that most agencies had not implemented structured processes to ensure the effective alignment of the IT security policy objectives with organisational risk management processes.

2.15 The ANAO also found that while the majority of agencies specified that a periodic review of the policy was required, seven agencies did not define a review period.

2.16 The ANAO concluded that agencies' management of IT security would improve by ensuring that IT security policy adequately addresses minimum government requirements for the protection of information resources. In addition, more clearly defined linkages between agencies' IT security policy and information security policy would better support overall organisational objectives for information security.

2.17 Security better practice suggests it is important that the development of IT security policies and plans be performed in conjunction with risk assessment and treatments, both at the organisational level and the information system level, so that controls implemented to protect information resources are cost-effective and in accordance with expectations.

25 See for example: Defence Signals Directorate (2005), op. cit., Part 2 Ch 2 para. 216 and AS/NZS ISO/IEC 17799:2001 clause 3.1.2.

Recommendation No.1

2.18 The ANAO recommends that agencies incorporate into their information security management framework an IT security policy that establishes an agency's IT security objectives and scope, and provides reference to supporting IT security plans, procedures and standards. In addition, where appropriate, the policy should incorporate requirements of Australian Government policies, standards and guidelines for the safeguarding of information resources.26

Agencies' responses

2.19 All agencies examined in the audit agreed with the recommendation. Specific comments, which were provided by the Department of Education Science and Training and the Department of Immigration and Multicultural and Indigenous Affairs, are recorded in Appendix 1.

2.20 In addition, the Attorney-General's Department and the Defence Signals Directorate agreed with the recommendation. Additionally, DSD noted that this is a fundamental requirement of ACSI 33.

Compliance with internal and external requirements

2.21 Compliance activities are generally accepted as an important component of an effective corporate governance framework. Australian Government agencies are required to identify and comply with security obligations for the protection or disclosure of information under applicable legislation.27

2.22 The ANAO reviewed the extent to which audited agencies had established the following elements as a part of their IT security control framework:

• compliance with external requirements;

• compliance with the Protective Security Manual waiver process; and

• technical and compliance reviews.

26 The need for an IT security policy is currently a PSM minimum standard - Attorney-General's Department (2005), op. cit., Part C, para 4.3.

27 Attorney-General's Department (2005), op. cit., Part A.

Compliance with external requirements

2.23 Australian Government agencies are required to identify and comply with relevant criminal and civil law and statutory, regulatory or contractual obligations with respect to agencies' security requirements.28

2.24 The ANAO assessed whether agencies' IT security policies clearly referenced external compliance requirements, and whether key IT personnel displayed a general awareness of external legislation and compliance requirements.

Compliance with the Protective Security Manual waiver process

2.25 An important element of compliance is the level of risk an agency is prepared to accept. Where an agency has determined it does not comply with a mandatory PSM requirement and decides to carry that risk, the agency is required to issue a waiver in accordance with PSM requirements.29

2.26 The ANAO expected agencies to display an understanding of the PSM waiver process and to include a mechanism for recording the waiver decision-making process.

Technical and compliance reviews

2.27 Technical compliance is the process of evaluating and monitoring agencies' ongoing compliance with IT security policies and requirements. Reviews that investigate the appropriateness and adequacy of general and system security controls are key elements of agencies' continuous review process.

2.28 The ANAO assessed the extent to which agencies' IT security control frameworks referenced internal standards and requirements, and whether agencies required information systems to undergo certification and compliance reviews.30

Audit findings

2.29 The ANAO found that the majority of agencies audited had adequately identified relevant external compliance obligations in their IT security policy. Additionally, IT personnel interviewed were aware of relevant legislation and the associated compliance requirements.

28 Attorney-General's Department (2005), op. cit., Part A. In addition, the recently released PSM states that agencies should maintain a record of any waiver issued (Part A, para 1.14).

29 Attorney-General's Department (2005), op. cit., Part A.

30 The purpose of certifying IT system security is to assure management that the information system has been secured in accordance with the agency's requirements. Certification, which involves a comprehensive analysis and evaluation, is a prerequisite for accreditation. Accreditation is a formal acknowledgement by the head of the agency or their authorised delegate that the system operates at an acceptable level of risk.

2.30 Only two of the eight agencies audited were found to have established internal processes that identified IT security non-compliance with Australian Government requirements for information security, with only one agency maintaining records of submitted waivers.

2.31 Whilst the remaining six agencies displayed some understanding of the PSM waiver process, it ranged from knowing that a PSM waiver process existed to a full working knowledge. An ability to apply the PSM waiver process was also limited as they did not include in their IT security control framework, a regular process to identify possible gaps between an agency's IT environment and the PSM and/or ACSI 33. This also reduces the ability to determine whether systems were operating at an acceptable level of risk.

2.32 Two agencies had suitable processes in place to assess system compliance with their IT security policy and with government requirements. However, neither agency could demonstrate (at the time of the audit fieldwork) a routine review process as a part of the IT security control framework.

2.33 The ANAO concluded that agencies' management of IT security would benefit from reviewing relevant compliance obligations as a part of the establishment and maintenance of IT security control frameworks. The ANAO considers that agencies should also undertake technical and compliance reviews for IT security to ensure that IT systems are protecting information as expected.

Recommendation No.2

2.34 The ANAO recommends that agencies strengthen IT security risk processes through the use of documented IT security risk assessments, plans and policies, and implement periodic review processes to identify gaps between agencies' IT environments, ideal risk profile and relevant government policies, standards and guidelines.

Agencies' responses

2.35 All agencies examined in the audit agreed with the recommendation. Specific comments, which were provided by the Department of Education Science and Training and the Department of Immigration and Multicultural and Indigenous Affairs, are recorded in Appendix 1.

2.36 In addition, the Attorney-General's Department and the Defence Signals Directorate agreed with the recommendation. Additionally, DSD noted that this is a fundamental requirement of ACSI 33.

IT security organisation structure

2.37 A defined organisation structure facilitates the ability of agencies to implement, monitor and coordinate their IT security function. The ANAO assessed the extent to which agencies defined in their IT security control frameworks an IT security management structure and established standards for the ownership and accountability of information resources.

IT security management structure

2.38 The ANAO assessed whether agencies had an organisational structure in place to develop, implement and maintain IT security policy, plans, standards and procedures in line with agencies' information security requirements. The ANAO considers that clarity of the management structure for IT security is important so as to maintain a coordinated approach to security within the organisation by assigning security responsibilities and accountability for data and systems.

Accountability for information resources

2.39 Australian Government agencies are required to use risk assessments and the information security classification system to identify valuable or sensitive information and to allow information to be shared between agencies using an agreed and appropriate level of protective security.31

2.40 The ANAO assessed the extent to which the IT security control framework of the agencies audited addressed ownership of information resources and assigned a classification to information resources that was consistent with the PSM classification system.

Audit findings

2.41 The ANAO found that three entities had incorporated coordination of IT security management into their organisation structure. Agencies where this was assessed as effective had established a security steering committee that comprised IT and business senior management to oversee security issues, thereby providing a mechanism for IT security requirements to be addressed at a senior level.

31 Attorney-General's Department (2005), op. cit., Part C.

2.42 The ANAO found that the majority of audited agencies had taken steps to identify key information resources and define ownership consistent with the government classification requirements. Agencies could, however, further improve existing arrangements and practices by:

• maintaining an information asset register of physical, software and data resources; and

• identifying the information classification of all IT systems that store, process or transmit official information (e.g. electronic mail, calendars and phone books).
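The periodic gap review called for in paragraphs 2.30 to 2.34 (non-compliance with a mandatory requirement should be covered by a recorded, current waiver) and the asset register and classification findings in paragraph 2.42 can be exercised together over a register. The script below is an added illustration, not part of the ANAO report or any agency's tooling; the requirement identifiers, systems, owners and waivers are constructed placeholders and do not correspond to actual PSM or ACSI 33 clause numbers.

```python
"""Compliance gap review over a constructed IT asset register."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set

# Constructed placeholder requirement identifiers. A real review would map
# each entry to the relevant PSM / ACSI 33 clause.
MANDATORY_REQUIREMENTS = {
    "REQ-POLICY": "Documented IT security policy endorsed by management",
    "REQ-RISK": "IT security risk assessment completed for the system",
    "REQ-CERT": "System certified and accredited before operation",
}

# Date the review is run (constructed; the report is dated 22 December 2005).
REVIEW_DATE = date(2005, 12, 22)


@dataclass
class Waiver:
    requirement: str   # which mandatory requirement the waiver covers
    expires: date      # waivers are time-limited; an expired one is a gap
    approved_by: str   # who accepted the risk


@dataclass
class Asset:
    name: str
    owner: Optional[str]            # accountable business owner
    classification: Optional[str]   # e.g. "UNCLASSIFIED", "IN-CONFIDENCE"
    handles_official_info: bool     # stores, processes or transmits official information
    met: Set[str] = field(default_factory=set)        # requirements satisfied
    waivers: List[Waiver] = field(default_factory=list)


def review_asset(asset: Asset, today: date) -> List[str]:
    """Return the gap findings for one asset; an empty list means no gaps."""
    findings: List[str] = []
    if asset.handles_official_info and not asset.classification:
        findings.append(f"{asset.name}: no classification recorded")
    if not asset.owner:
        findings.append(f"{asset.name}: no accountable owner recorded")
    active = {w.requirement for w in asset.waivers if w.expires >= today}
    for req in MANDATORY_REQUIREMENTS:
        if req in asset.met or req in active:
            continue  # compliant, or non-compliance is carried under a current waiver
        if any(w.requirement == req for w in asset.waivers):
            findings.append(f"{asset.name}: waiver for {req} expired")
        else:
            findings.append(f"{asset.name}: {req} not met and no waiver recorded")
    return findings


def review_register(register: List[Asset], today: date) -> Dict[str, List[str]]:
    """Run the review over the whole register; only assets with gaps are returned."""
    report: Dict[str, List[str]] = {}
    for asset in register:
        gaps = review_asset(asset, today)
        if gaps:
            report[asset.name] = gaps
    return report


# Constructed sample register (not real agency data).
SAMPLE_REGISTER = [
    Asset("finance-system", "CFO", "IN-CONFIDENCE", True,
          met={"REQ-POLICY", "REQ-RISK", "REQ-CERT"}),
    Asset("email-gateway", "CIO", None, True,
          met={"REQ-POLICY", "REQ-RISK"},
          waivers=[Waiver("REQ-CERT", date(2006, 6, 30), "Agency head")]),
    Asset("shared-calendar", None, "UNCLASSIFIED", True,
          met={"REQ-POLICY"},
          waivers=[Waiver("REQ-RISK", date(2005, 1, 31), "Agency head")]),
]

if __name__ == "__main__":
    for gaps in review_register(SAMPLE_REGISTER, REVIEW_DATE).values():
        print("\n".join(gaps))
```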

3. IT Operational Security Controls

This chapter describes the IT operational security controls used to minimise the risk of harm to agencies' computing services through addressing the objectives of confidentiality, integrity and availability. This chapter discusses the findings of audited agencies against operational security controls.

IT operational security controls

3.1 IT operational security controls are the technologies and processes that enable agencies to protect IT resources, while facilitating electronic communications with external parties. Such controls constitute the range of activities that implement the requirements of an IT security control framework and security policy, and provide confidence that the information security objectives of confidentiality, integrity and availability are being achieved.

3.2 The audit criteria against which the ANAO assessed the adequacy of the audited agencies' IT operational security controls are shown in Table 3.1 below.

Table 3.1

IT operational security controls - audit criteria

IT operational security controls: The agency has considered and implemented IT operational security controls to support the organisational objective for the secure management and control of the IT systems. The components in the scope of this audit, and elements assessed within each of these, are listed below.

Personnel security: Consideration is given to the selection and training of agency personnel. Elements assessed:

• security responsibilities; and

• user security awareness training.

IT equipment security: Consideration is given to implementing adequate physical and environmental controls to reduce the risk of occurrence of loss, damage or compromise of assets and interruption to business activities. Elements assessed:

• security of computing resources; and

• security of equipment off-site.

Network security management: Controls to safeguard information in information systems and protect the supporting network infrastructure are established and documented. Elements assessed:

• network security management practices; and

• security of information exchanges.

Logical access management: Controls to prevent and detect unauthorised access to information systems are established and documented. Elements assessed:

• access control management; and

• monitoring system access and use.

Source: ANAO

3.3 These components and the respective audit findings are discussed in turn below.

Personnel security

3.4 In reviewing the adequacy of agencies' personnel security controls, the ANAO assessed the extent to which IT security requirements were included in employee job definitions. In addition, the ANAO considered the effectiveness of agencies' user awareness and training arrangements to inform personnel and information resource users of organisational expectations.

Security responsibilities

3.5 Defining security responsibilities within job descriptions is considered to be an effective way of communicating to employees their legal responsibilities and rights. It is also important for agencies to consider specific IT security skill requirements when filling roles that have IT security functions. The ANAO also expected that general responsibilities for establishing and maintaining agencies' security requirements would be reflected in agencies' IT security policies.32

User security awareness training

3.6 As discussed in Audit Report No. 41, 2004-05,33 the ANAO has emphasised the importance of a program of security awareness activities to support the establishment and maintenance of a strong security culture. The ANAO has previously recommended that agencies develop a formal plan or strategy for managing and delivering security awareness activities.

3.7 In addition to assessing whether agencies had documented requirements for delivering security awareness activities, the ANAO assessed whether agencies required users to attend IT security induction activities.

Audit findings

3.8 The ANAO found that generally agencies defined security responsibilities within employee job descriptions. In addition, the ANAO found that agencies adequately identified IT security skills for roles that performed specific IT security functions.

3.9 While the majority of agencies audited addressed security requirements either as a part of an employee induction process or through messages or posters, entities generally did not document requirements for employee attendance at awareness training.

32 See for example Section 6 Personnel Security, AS/NZS ISO/IEC 17799:2001.

33 Australian National Audit Office (2005), Administration of Security Incidents, including the Conduct of Security Investigations, Audit Report No. 41, 2004-05, p. 30.

IT equipment security

3.10 Establishing physical and environmental controls for IT resources that address the PSM requirements of confidentiality, integrity and availability of information resources34 reduces the risk of the occurrence of loss, damage or compromise of assets and interruption to business activities.

3.11 The ANAO reviewed the security of computing resources and the controls implemented by audited agencies for the purpose of managing the security of computing resources and off-site IT equipment.35

Security of computing resources

3.12 Computing resources include physical resources such as buildings, computers and paper documents. These resources may contain sensitive or critical information, or may provide access to resources via a computer network.

3.13 The ANAO assessed the business and system controls established in agencies for protecting their computing resources. The ANAO expected agencies to have established a policy or standard that stated physical and environmental security controls of computing resources. Such processes and practices should also include controls for protecting facilities and equipment and other practices that would help protect the integrity of information systems, such as backup processes, uninterruptible power supplies, environment sensors and equipment protection devices.36

Security of equipment off-site

3.14 Flexible working arrangements, such as the ability to work from home, can introduce additional IT security risks that require specific treatment. To address such risks, agencies should establish information security standards for all locations where information equipment connects to an organisation's network. In addition, if applicable to business needs, agencies should develop security policy objectives and procedures for remote working arrangements to ensure that protective measures are consistent with the classification of information stored on the remote IT resource, or accessed by the remote user.

34 Information relating to protecting physical resources is contained in Part E of the PSM and Clause 7 of AS/NZS ISO/IEC 17799:2001. In addition, ACSI 33 provides detailed standards for protecting removable media; servers and communication equipment; server rooms; workstations; physical security incidents; and emergency procedures.

35 The audit did not assess the suitability of controls such as security perimeters, or physical entry points.

36 DSD (September 2005), op. cit., Part 1, para. 1.0,23.

Audit findings

3.15 The ANAO found that, while all agencies displayed a high level of awareness of the need to protect IT equipment, most IT security policy lacked details of the minimum physical and environmental standards needed to protect information assets. The ANAO considers that, in line with business needs, IT equipment security controls would be improved by ensuring agencies' IT security policies clearly define responsibilities and the minimum organisational standards for protecting computing resources.

3.16 The ANAO also found that, generally, agencies had documented and communicated to users, guidance on the use of off-site computing resources and that such guidance included instructions on storing data and protecting information on off-site standalone computers.

Recommendation No.3

3.17 The ANAO recommends that agencies improve IT equipment security practices by ensuring that physical and environmental security controls of computing resources are clearly stated as part of their IT security policy, and that responsibilities for protecting information resources are established and documented.37

Agencies' responses

3.18 All agencies examined in the audit agreed with the recommendation. Specific comments, which were provided by the Department of Education Science and Training and the Department of Immigration and Multicultural and Indigenous Affairs, are recorded in Appendix 1.

3.19 In addition, the Attorney-General's Department and the Defence Signals Directorate agreed with the recommendation. Additionally, DSD noted that this is a fundamental requirement of ACSI 33.

Network security management

3.20 Network security management encompasses the deployment, maintenance and monitoring of the effectiveness of network security controls to safeguard information in information systems and protect supporting network infrastructure. Network management practices must balance the requirement for accessibility of information to both internal and external users, with the requirement to protect information.

37 The need for a physical security environment and procedures to ensure that equipment that processes security classified information receives an appropriate degree of protection is a minimum standard in the PSM - Attorney-General's Department (2005), op. cit., Part E, para 7.11.

3.21 The ANAO assessed the extent to which agencies had implemented network security management practices. In addition, the ANAO reviewed the adequacy of processes for the security of information exchanges through electronic mail and Internet use.

Network security management practices

3.22 Network security management establishes processes for safeguarding information in networks and protecting supporting IT infrastructure'8. Commonly used network security controls include, deployment of firewalls'0 and implementation of Intrusion Detection Systems (IDS) and/or Intrusion Prevention Systems (IPS).40 The ANAO considers that the maintenance of network design and configuration documentation strengthens the effectiveness of the deployment of such controls.

3.23 Effective network security management practices require established and documented procedures that provide instructions for system restart and recovery in the event of system failure, error handling arrangements, as well as housekeeping procedures, such as operational change controls and incident management procedures.41

3.24 In addition, where agencies rely on third-party service providers to perform IT services and/or IT security functions, it is important that agencies have contractual arrangements in place to allow, as a minimum, access to network configuration and procedural documentation.

Security of information exchanges

3.25 The ANAO considers that agencies should have a policy in place for use of information exchanges through the Internet and electronic mail and that such a policy should, as a minimum, include:

• guidelines on appropriate use;

• employee responsibilities; and

• plans and procedures to protect the confidentiality and integrity of information during exchanges.

38 AS/NZS ISO/IEC 17799:2001, Clause 8.5.

39 A firewall is a network device that filters incoming and outgoing network data, based on a series of rules (as per ACSI 33 Block 3.10.21).

40 IDSs gather and analyse information from various areas within a network to identify possible security breaches. IPSs protect against threats such as worms and viruses.

41 ACSI 33 contains guidelines for the contents of operating procedures. See DSD (September 2005), ACSI 33, Part 2, Chapter 6.

Audit findings

3.26 The ANAO found that, while the majority of agencies had installed firewalls to protect their internal networks from external threats, only two agencies had identified and maintained key IT operational procedures and configuration documentation. In addition, the ANAO found that most agencies did not maintain adequate network design documentation. This was particularly evident in agencies that had contracted third-party service providers for the provision of IT and/or IT security services.

3.27 The ANAO considers that agencies' IT security practices would be improved by including the maintenance of network documentation as a key responsibility of the IT area. For agencies with outsourced IT services, delivery and maintenance of network documentation should be regarded as a key contractual deliverable and be adequately monitored for performance against the contract requirements.

3.28 The majority of agencies audited had documented electronic mail and Internet usage policies, but the content did not clearly describe agencies' requirements for monitoring of information exchanges. Half of the agencies audited had deployed detection or prevention controls, such as electronic mail filtering, virus scanning and/or attachment scanning, to assist in managing the security risks associated with electronic mail. However, while these agencies deployed appropriate tools, the ANAO found that only two agencies had documented their expectations for deploying network monitoring controls, such as filtering or monitoring electronic exchanges of information using electronic mail or the Internet. The ANAO considers that this reduces the ability of agencies to assess the effectiveness of the system controls in place.

Recommendation No.4

3.29 The ANAO recommends that agencies, as a part of their IT governance arrangements, monitor the effectiveness of network security practices and controls by establishing performance measures and incorporating periodic reporting against these measures.

Agencies' responses

3.30 All agencies examined in the audit agreed with the recommendation. Specific comments, which were provided by the Department of Education Science and Training and the Department of Immigration and Multicultural and Indigenous Affairs, are recorded in Appendix 1.


3.31 The Attorney-General's Department and the Defence Signals Directorate also agreed with the recommendation; DSD noted that this is a fundamental requirement of ACSI 33.

Logical access management

3.32 Logical access controls are used to limit access to information systems and information or data by means of appropriate software that requires the identification and authentication of the user. The ANAO considers that effective management of access to agencies' information or data resources requires a clear policy on access to IT systems, supported by processes to uniquely identify and manage all who use them.

3.33 The ANAO reviewed the extent to which the agencies audited had established policies and standards addressing logical access controls.

Access control management

3.34 The ANAO assessed the extent to which agencies had adequately documented and defined business requirements for information system access controls. It was expected that agencies would require users to be uniquely identifiable, state password selection requirements and have a password management policy in accordance with ACSI 33 minimum standards.42 In addition, it was expected that agencies would have documented and communicated access requirements to information users.

Monitoring system access and use

3.35 The purpose of monitoring access is to detect any deviation from agencies' access control policy and allow for the review of the effectiveness of controls. The ANAO expected that agencies would have established processes and standards for the logging and monitoring of:

• user activity to key systems and applications, for example, those that contain sensitive information;

• the activity of users who have the ability to modify or change information stored on information resources; and

• unauthorised access attempts.43

Findings

3.36 The ANAO found that the majority of agencies had established system access policies that defined agency requirements regarding access to information systems. Specifically, the ANAO observed that this documentation included guidance regarding the use of passwords, and regular processes to ensure the appropriateness and validity of user access levels across all systems. In addition, the ANAO found agencies' logical access control policies were based on generally accepted standards for password selection.

42 ACSI 33 provides standards and requirements for logical access controls and password selection policy. See DSD (September 2005), op. cit., Part 3, Chapter 6.

43 AS/NZS ISO/IEC 17799:2001. See for example Clause 9.7.

3.37 The audit also identified that the majority of agencies enabled logging of some key systems. However, this was generally found to be an agency response to a specifically identified requirement, or was implemented at the discretion of the service provider, and not referenced to a specific IT security policy requirement. Seven of the eight agencies lacked documented processes or procedures that included requirements for regular monitoring and review of system access logs. The ANAO considers that this reduced the ability of agencies to monitor and assess the effectiveness of system controls.

3.38 The ANAO considers that agencies' monitoring processes would benefit by taking a risk-based approach to audit logging. Clear specification of standards for audit logging and the inclusion of routine processes for monitoring and reviewing audit logs would enhance management of logical access to information systems.
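The logging standard in paragraph 3.35 (activity on sensitive systems, changes by privileged accounts, unauthorised access attempts) and the risk-based review process in paragraph 3.38 can be made concrete as a routine log-review step. The following is an added example and is not part of the report or of any agency's procedures: its pipe-delimited log format, system names, sensitivity ratings, account names and failure threshold are all constructed for illustration, and it adds a coverage check that reports a HIGH-rated system which produced no records at all.

```python
from collections import Counter
from dataclasses import dataclass

# Risk-based logging standard (constructed for this example): each key system is
# rated by the sensitivity of the information it holds. Routine review of ordinary
# user activity covers HIGH-rated systems only; unauthorised access attempts are
# reviewed for every system, whatever its rating.
SYSTEM_SENSITIVITY = {
    "hr-payroll": "HIGH",
    "case-mgmt": "HIGH",
    "finance-ledger": "HIGH",
    "intranet-wiki": "LOW",
}

# Accounts able to modify or delete stored information (constructed names).
PRIVILEGED_USERS = {"dba01", "sysadm02"}

# Repeated failures from one account on one system within the review window are
# treated as an unauthorised access attempt; the threshold is an assumption.
FAILED_LOGIN_THRESHOLD = 3

CHANGE_ACTIONS = {"MODIFY", "DELETE"}
ACCESS_ACTIONS = {"READ"} | CHANGE_ACTIONS


@dataclass(frozen=True)
class Event:
    ts: str
    system: str
    user: str
    action: str  # LOGIN_OK, LOGIN_FAIL, READ, MODIFY or DELETE
    detail: str


def parse_line(line: str) -> Event:
    """Parse one constructed record of the form ts|system|user|action|detail."""
    parts = line.strip().split("|", 4)
    if len(parts) != 5:
        raise ValueError(f"malformed audit record: {line!r}")
    return Event(*parts)


def review_audit_log(lines):
    """Apply the monitoring standard to a batch of records and return findings.

    Findings are grouped by the three categories of paragraph 3.35, plus a
    coverage check: a HIGH-rated system that produced no records at all is
    reported as a logging gap, because silence may mean logging was never
    enabled rather than that nothing happened.
    """
    events = [parse_line(l) for l in lines if l.strip()]
    findings = {
        "sensitive_system_activity": [],
        "privileged_modifications": [],
        "unauthorised_attempts": [],
        "logging_gaps": [],
    }
    failures = Counter()
    seen_systems = set()
    for e in events:
        seen_systems.add(e.system)
        rating = SYSTEM_SENSITIVITY.get(e.system, "UNRATED")
        if e.action == "LOGIN_FAIL":
            failures[(e.system, e.user)] += 1
            continue
        if rating == "HIGH" and e.action in ACCESS_ACTIONS:
            findings["sensitive_system_activity"].append(
                {"ts": e.ts, "system": e.system, "user": e.user, "action": e.action})
        if e.user in PRIVILEGED_USERS and e.action in CHANGE_ACTIONS:
            findings["privileged_modifications"].append(
                {"ts": e.ts, "system": e.system, "user": e.user, "detail": e.detail})
    for (system, user), count in sorted(failures.items()):
        if count >= FAILED_LOGIN_THRESHOLD:
            findings["unauthorised_attempts"].append(
                {"system": system, "user": user, "failures": count})
    for system, rating in SYSTEM_SENSITIVITY.items():
        if rating == "HIGH" and system not in seen_systems:
            findings["logging_gaps"].append(system)
    return findings


# Constructed sample records for one review window (not real agency data).
SAMPLE_LOG = """\
2005-11-14T08:01:02|hr-payroll|jsmith|LOGIN_OK|workstation=WS-101
2005-11-14T08:03:10|hr-payroll|jsmith|READ|record=EMP-2231
2005-11-14T08:05:44|intranet-wiki|jsmith|READ|page=Canteen
2005-11-14T09:12:07|case-mgmt|dba01|MODIFY|table=CASE_NOTES
2005-11-14T09:15:31|hr-payroll|dba01|DELETE|record=EMP-1187
2005-11-14T10:00:01|hr-payroll|guest|LOGIN_FAIL|reason=bad_password
2005-11-14T10:00:05|hr-payroll|guest|LOGIN_FAIL|reason=bad_password
2005-11-14T10:00:09|hr-payroll|guest|LOGIN_FAIL|reason=bad_password
2005-11-14T10:02:00|intranet-wiki|mlee|LOGIN_FAIL|reason=bad_password
2005-11-14T10:30:00|intranet-wiki|mlee|MODIFY|page=Canteen
"""


def format_report(findings) -> str:
    """Render findings as the text a reviewer signs off on for the window."""
    out = []
    for category, items in findings.items():
        out.append(f"{category}: {len(items)}")
        out.extend(f"  - {item}" for item in items)
    return "\n".join(out)


if __name__ == "__main__":
    print(format_report(review_audit_log(SAMPLE_LOG.splitlines())))
```

The single failed login and the wiki edit by an ordinary user on the LOW-rated system are deliberately not raised, which is the risk-based filtering the paragraph describes.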

Recommendation No.5

3.39 The ANAO recommends that agencies, as a part of their system access arrangements, establish standards for the logging of inappropriate or unauthorised activity, and include routine processes for monitoring and reviewing system audit logs.

Agencies' responses

3.40 All agencies examined in the audit agreed with the recommendation. Specific comments, which were provided by the Department of Education Science and Training and the Department of Immigration and Multicultural and Indigenous Affairs, are recorded in Appendix 1.

3.41 The Attorney-General's Department and the Defence Signals Directorate also agreed with the recommendation; DSD noted that this is a fundamental requirement of ACSI 33.

Ian McPhee
Auditor-General

Canberra ACT
22 December 2005


Appendices


Appendix 1: Agencies’ responses to the audit report

This Appendix contains the general comments received on the audit report, together with any detailed responses to the recommendations that are not shown in the body of the report.

Australian Agency for International Development

The Australian Agency for International Development (AusAID) welcomes and agrees with the recommendations provided in this report.

These recommendations will assist the agency in the ongoing development of its IT Security program.

Australian Office of Financial Management

The Australian Office of Financial Management endorses the recommendations, noting that the report proposes that agencies should assess the benefits of implementing them in light of their own circumstances. The AOFM considers that in making such assessments, agencies should take into account the extent and nature of the risk involved, and the resources required, as well as the processes and controls already in place.

The AOFM will continue to develop its IT security control framework subject to operational and budgetary constraints.

Bureau of Meteorology

Thank you for the opportunity to comment on the ANAO Audit of IT Security Management. The report reminds Australian Government agencies, such as the Bureau of Meteorology, of their obligations and responsibilities to protect the confidentiality, integrity and availability of information systems and the information they hold.

We note that the elements of the audit relevant to the Bureau were conducted in an efficient and professional manner and in doing so minimised possible disruption to our operations. The investigation identified some deficiencies in our IT security management, as well as highlighting areas of good practice, particularly in respect of our mission critical operational weather forecasting systems.

The Bureau of Meteorology supports the Audit's recommendations.

C om S u p er

ComSuper agrees with all of the Recommendations contained within this Report and will use this Report, in conjunction with other Reviews and Audits, to guide its IT Security development into the future.


Department of Education, Science and Training

The report draws recommendations from a range of Departments at various levels of maturity in IT Security management. As DEST has already established a well structured security control framework for internal DEST information and made substantial progress towards a well structured security control framework for the data network and internet gateway, DEST considers it complies with all the recommendations. It should be noted that DEST's data and internet gateway have been insourced since the audit.

Recommendation No.1

Agreed. DEST currently complies with all aspects of Recommendation 1. DEST's IT security policy is endorsed by the Corporate IT Committee and approved by the Secretary. DEST has a comprehensive set of plans and standard operating procedures within its IT Security section to support the department's operations and governance. These policies, plans and procedures incorporate all requirements of Australian Government policies, standards and guidelines for the safeguarding of information resources. There are clear links between the IT security policy, organisational risk management, and IT security risk assessments.

Recommendation 2.

Agreed. DEST complies with all aspects of Recommendation 2. DEST documents IT security risk assessments, plans and policies. Each year DEST commissions a Threat and Risk Assessment to identify any gaps between DEST's IT environment, DEST business risk requirements, and relevant government policies, standards and guidelines. The follow-up action plan for the following 12 months then addresses any gaps based on risk management principles. In addition, no changes may be made to DEST's IT environment without an assessment against DEST's risk management requirements.

Recommendation 3.

Agreed. DEST complies with all aspects of Recommendation 3. DEST's IT Security policy specifies appropriate security controls of physical and environmental IT resources. DEST has developed standard operating procedures to ensure that the storage, movement or destruction of its IT resources are suitably documented and communicated.

Recommendation 4.

Agreed. DEST has established Internet, network and security automated performance and reporting systems. Ongoing monitoring identifies network availability, intrusion attempts, and compliance with IT security policies at an operating system level. Escalation procedures are detailed in incident response and investigations plans. DEST IT Security provides periodic statistical reports on these issues to DEST's Audit and Business Assurance Committee.

Recommendation 5.

Agreed. DEST complies with all aspects of Recommendation 5. DEST has systems in place to log inappropriate or unauthorised activity. These systems are monitored proactively and anomalies are pursued through channels identified in DEST's IT Security operational procedures.

Department of the Environment and Heritage

The Department of the Environment and Heritage (DEH) recognises the importance of IT Security Management to its operational activities and statutory responsibilities and agrees with the five recommendations on IT security that are outlined in the report.

The Department has already taken actions consistent with the recommendations in a number of areas and is working towards full implementation in others, in accordance with our particular security profile.

Department of Immigration and Multicultural and Indigenous Affairs

The following comments are in response to the five recommendations contained within the audit report of IT Security Management. DIMIA agrees with the findings and recommendations contained within the report and considers itself to be compliant with the intent of the recommendations. DIMIA will strive to further improve its maturity level in relation to the recommendations made.

Recommendation 1

DIMIA has policy in place which combines IT, Personnel and Physical security requirements for the department. DIMIA policy is based on the Australian Government requirements including the Protective Security Manual (PSM) and Australian Government Information Technology Security Manual (ACSI 33).

Recommendation 2

DIMIA has a formal risk assessment, acceptance and documentation process that includes Security Risk Assessments, Security Risk Management Plans and System Security Plans. In 2006 DIMIA will continue to improve this model through the introduction of an assurance capability that tracks risk profiles throughout the system lifecycle.

Recommendation 3


DIMIA has security policy in place for maintaining the security of IT equipment. The policy is a joint IT and Protective Security responsibility with clearly defined roles and responsibilities attached to elements of the policy.

Recommendation 4

DIMIA has contracts in place with outsourced providers to ensure that network security practices and controls are measured for effectiveness. This includes independent annual reviews of outsourced provider services to obtain assurance that network security is compliant with the Australian Government requirements.

Recommendation 5

DIMIA currently captures extensive system audit logs and has monitoring procedures in place for several systems and platforms. DIMIA will further enhance this capability in 2006 by correlating and reporting on log information.

Department of Transport and Regional Services

The proposed report provides useful and constructive advice and my Department supports all of the report's recommendations.

Attorney-General's Department

The Attorney-General's Department welcomes the report. The report's recommendations are consistent with government policy and represent best practice.

As you are aware, the revised Australian Government Protective Security Manual 2005 came into effect on 4 October 2005. We note that the general thrust of Recommendations 1 and 3 of the proposed audit report is currently a minimum standard in the PSM.

The Department agrees with the report's recommendations and our comments on these are included below.

Recommendation 1

Agreed. The need for an IT security policy is currently a PSM minimum standard (Part C, paragraph 4.3).

Recommendation 2

Agreed.

Recommendation 3

Agreed. The need for a physical security environment and procedures to ensure that equipment that processes security classified information receives an appropriate degree of protection is a minimum standard in the PSM (Part E, para 7.11).

The Protective Security Policy Committee (PSPC), chaired by the Attorney-General's Department, advises the Government on protective security policy issues including the PSM. The PSPC will take into account this recommendation in its review of Part C (Information Security) of the PSM.

Recommendation 4

Agreed.

Recommendation 5

Agreed.

Department of Defence - Defence Signals Directorate

The Defence Signals Directorate (DSD) is pleased to provide this response to the Australian National Audit Office (ANAO) request, to comment upon its proposed report for the audit titled IT Security Management.

DSD agrees with the five recommendations in the proposed report and notes they are fundamental requirements of ACSI 33.

The five recommendations are representative of key issues that DSD continues to work with agencies on. Moreover, the notion of ICT security governance that appears throughout the proposed report is a recurring theme worthy of much greater awareness throughout the Australian Government.


Appendix 2: Reference to ANAO audits

Protective security audits by the ANAO

Since 1995, the ANAO has conducted a series of audits addressing aspects of protective security as part of its general performance audit program. This series comprises the following reports:

• Security Preparations for the Sydney Olympics - Audit Report No. 5, 1998-99;

• Classification of Information - Audit Report No. 7, 1999-2000;

• Internet Security - Audit Report No. 13, 2001-02;

• Security Clearances - Audit Report No. 22, 2001-02;

• Physical Security - Audit Report No. 23, 2002-03;

• Management of Protective Security - Audit Report No. 55, 2003-04;

• Administration of Security Incidents, including the Conduct of Security Investigations - Audit Report No. 41, 2004-05.

Common themes arising from these audits are shortcomings in risk assessments, the completeness and currency of policies and practices surrounding protective security measures, and a lack of rigour with recording and reporting security incidents.

Other relevant ANAO audits

Interim Phase of the Audit of Financial Statements of General Government Sector Agencies for the Year Ending 30 June 2005, Audit Report No. 56, 2004-05.


Appendix 3: Audit objectives and scope

IT security control framework

The agency has established a framework that reflects management's commitment and attitude to the implementation and maintenance of effective IT security controls and aligns policies, procedures and day-to-day work practices with overall agency objectives for the secure management and control of each part of the IT systems.

IT security policy

An IT security policy is documented and provides a high-level IT security policy objective. The policy references existing government policy, standards and guidelines, assigns responsibilities to personnel for the management of IT security, and references other IT security plans or standards.

■ Policy content

■ Alignment with IT security risk assessment

■ Review process

Compliance with internal and external requirements

Relevant criminal and civil law, and statutory, regulatory or contractual obligations, and security requirements are identified and documented.

■ Compliance with external requirements

■ Compliance with the Protective Security Manual waiver process

■ Technical and compliance reviews

IT security organisation structure

An appropriate organisational structure is established to maintain security over information assets.

■ IT security management structure

■ Accountability for information resources


IT operational security controls

The agency has considered and implemented IT operational security controls to support the organisational objective for the secure management and control of the IT systems.

Personnel security

Consideration is given to the selection and training of agency personnel.

■ Security responsibilities

■ User security awareness training

IT equipment security

Consideration is given to implementing adequate physical and environmental controls to reduce the risk of occurrence of loss, damage or compromise of assets and interruption to business activities.

■ Security of computing resources

■ Security of equipment off-site

Network security management

Controls to safeguard information in information systems and protect the supporting network infrastructure are established and documented.

■ Network security management practices

■ Security of information exchanges

Logical access management

Controls to prevent and detect unauthorised access to information systems are established and documented.

■ Access control management

■ Monitoring system access and use


Index

A

access
  logical, 42, 43
  monitoring, 42
  unauthorised, 7, 22, 36, 42, 54
access control, 7, 42
access management, 17, 36, 42, 54
ACSI 33, 6, 9, 22, 24, 26, 27, 28, 29, 33, 38, 40, 42
agency security plan, 7, 26
audit criteria, 7, 24, 28, 36
audit trail, 15
availability, 7, 8, 13, 21, 22, 36, 38, 47, 48

B

business process controls, 7
business requirements, 42

C

classification, 8, 34, 35, 39
compliance, 14, 16, 28, 31, 32, 33, 48, 53
  external, 14, 32
  obligation, 14, 28, 31, 32, 33, 47, 53
computing resources, 38
confidentiality, 8, 13, 21, 22, 36, 38, 41, 47
control framework, 7, 22, 48

E

electronic mail, 8

G

governance, 17, 24, 31, 41, 48

H

harm, 13, 36

I

information resource, 14, 16, 22, 26, 28, 30, 31, 34, 35, 37, 38, 39, 42, 48, 53
infrastructure, 21, 36, 39, 40, 54
integrity, 8, 13, 21, 22, 23, 36, 38, 41, 47
interconnectivity, 13
intrusion, 40, 48
IT equipment security, 16, 36, 38, 39, 54

L

legislation, 14, 31, 32

M

monitor, 21, 26, 29, 34, 43
  compliance, 32

N

network, 15, 17, 30, 36, 38, 39, 40, 41, 48, 54
network security management, 40

O

operational security controls, 14, 16, 22, 23, 36, 54
organisation structure, 28, 34, 53
organisational risk management, 14, 15, 30, 48
ownership, 34, 35

P

personnel security, 37
physical and environmental security controls, 15, 16, 38, 39
protective security, 7, 8, 9, 13, 14, 21, 28, 34, 52
Protective Security Manual, 6, 13, 22, 24, 27, 28, 31, 32, 53


PSM, 6, 7, 8, 9, 13, 22, 24, 26, 32, 33, 34, 38
  waiver, 32, 33

R

requirement, 8, 13, 14, 16, 21, 22, 23, 26, 28, 31, 32, 33, 34, 35, 36, 37, 38, 40, 41, 42, 43, 48, 53
  external, 28, 31, 32, 53
  government, 14, 30, 33
responsibilities, 13, 16, 26, 28, 29, 30, 34, 36, 37, 39, 40, 41, 47, 49, 53, 54
risk, 7, 13, 15, 16, 22, 24, 26, 28, 29, 30, 32, 33, 34, 36, 38, 43, 47, 48, 52, 53, 54
  assessment, 16, 26, 28, 29, 30, 33, 34, 48, 52, 53
  organisational, 7, 14, 15, 21, 28, 29, 30, 34, 36, 37, 38, 39, 48, 53, 54
  profile, 29

S

security control framework, 13, 15, 16, 22, 23, 26, 27, 28, 31, 32, 33, 34, 36, 47, 48, 53
security-in-depth principle, 9
steering committee, 34
structured processes, 14, 30

T

third-party service, 14, 40, 41
  providers, 14, 40, 41
training, 36, 37, 38, 54

U

user awareness, 37


Series Titles

Audit Report No.22 Performance Audit
Cross Portfolio Audit of Green Office Procurement

Audit Report No.21 Financial Statement Audit
Audit of the Financial Statements of Australian Government Entities for the Period Ended 30 June 2005

Audit Report No.20 Performance Audit
Regulation of Private Health Insurance by the Private Health Insurance Administration Council
Private Health Insurance Administration Council

Audit Report No.19 Performance Audit
Managing for Quarantine Effectiveness - Follow-up
Department of Agriculture, Fisheries and Forestry
Biosecurity Australia

Audit Report No.18 Performance Audit
Customs Compliance Assurance Strategy for International Cargo
Australian Customs Service

Audit Report No.17 Performance Audit
Administration of the Superannuation Lost Members Register
Australian Taxation Office

Audit Report No.16 Performance Audit
The Management and Processing of Leave

Audit Report No.15 Performance Audit
Administration of the R&D Start Program
Department of Industry, Tourism and Resources
Industry Research and Development Board

Audit Report No.14 Performance Audit
Administration of the Commonwealth State Territory Disability Agreement
Department of Family and Community Services

Audit Report No.13 Performance Audit
Administration of Goods and Services Tax Compliance in the Large Business Market Segment
Australian Taxation Office

Audit Report No.12 Performance Audit
Review of the Evaluation Methods and Continuous Improvement Processes for Australia's National Counter-Terrorism Coordination Arrangements
Attorney-General's Department
The Department of the Prime Minister and Cabinet


Audit Report No.11 Business Support Process Audit
The Senate Order for Departmental and Agency Contracts (Calendar Year 2004 Compliance)

Audit Report No.10 Performance Audit
Upgrade of the Orion Maritime Patrol Aircraft Fleet
Department of Defence
Defence Materiel Organisation

Audit Report No.9 Performance Audit
Provision of Export Assistance to Rural and Regional Australia through the TradeStart Program
Australian Trade Commission (Austrade)

Audit Report No.8 Performance Audit
Management of the Personnel Management Key Solution (PMKeyS) Implementation Project
Department of Defence

Audit Report No.7 Performance Audit
Regulation by the Office of the Gene Technology Regulator
Office of the Gene Technology Regulator
Department of Health and Ageing

Audit Report No.6 Performance Audit
Implementation of Job Network Employment Services Contract 3
Department of Employment and Workplace Relations

Audit Report No.5 Performance Audit
A Financial Management Framework to support Managers in the Department of Health and Ageing

Audit Report No.4 Performance Audit
Post Sale Management of Privatised Rail Business Contractual Rights and Obligations

Audit Report No.3 Performance Audit
Management of the M113 Armoured Personnel Carrier Upgrade Project
Department of Defence

Audit Report No.2 Performance Audit
Bank Prudential Supervision Follow-up Audit
Australian Prudential Regulation Authority

Audit Report No.1 Performance Audit
Management of Detention Centre Contracts - Part B
Department of Immigration and Multicultural and Indigenous Affairs


Better Practice Guides

Public Sector Audit Committees Feb 2005

Fraud Control in Australian Government Agencies Aug 2004

Security and Control Update for SAP R/3 June 2004

AMODEL Illustrative Financial Statements 2004 May 2004

Better Practice in Annual Performance Reporting Apr 2004

Management of Scientific Research and Development Projects in Commonwealth Agencies Dec 2003

Public Sector Governance July 2003

Goods and Services Tax (GST) Administration May 2003

Managing Parliamentary Workflow Apr 2003

Building Capability—A framework for managing learning and development in the APS Apr 2003

Internal Budgeting Feb 2003

Administration of Grants May 2002

Performance Information in Portfolio Budget Statements May 2002

Life-Cycle Costing Dec 2001

Some Better Practice Principles for Developing Policy Advice Nov 2001

Rehabilitation: Managing Return to Work June 2001

Internet Delivery Decisions Apr 2001

Planning for the Workforce of the Future Mar 2001

Contract Management Feb 2001

Business Continuity Management Jan 2000

Building a Better Financial Management Framework Nov 1999

Building Better Financial Management Support Nov 1999

Managing APS Staff Reductions (in Audit Report No.49 1998-99) June 1999

Commonwealth Agency Energy Management June 1999

Cash Management Mar 1999


Security and Control for SAP R/3 Oct 1998

Selecting Suppliers: Managing the Risk Oct 1998

New Directions in Internal Audit July 1998

Controlling Performance and Outcomes Dec 1997

Management of Accounts Receivable Dec 1997

Protective Security Principles (in Audit Report No.21 1997-98) Dec 1997

Public Sector Travel Dec 1997

Audit Committees July 1997

Management of Corporate Sponsorship Apr 1997

Telephone Call Centres Handbook Dec 1996

Paying Accounts Nov 1996

Asset Management Handbook June 1996


THE PARLIAMENT OF THE COMMONWEALTH OF AUSTRALIA

PARLIAMENTARY PAPER No. 23 of 2006 ORDERED TO BE PRINTED

ISSN 0727-4181