Data security in Australia: US may not be unique

Having wondered aloud yesterday about data security in Australia and what a close look by regulators might discover, I have just come across this performance audit report by the Federal Auditor General “Internet Security in Australian Government Agencies” tabled 13 June. The audit is a follow up on a 2001 report on this topic and a 2005 IT security management audit.

The audit involved examination of the adequacy of the management of internet security in six Federal Government agencies and concluded: “The current level of internet security was insufficient given the risks and problems identified through the audit findings”. In particular none of the audited agencies fully complied with the Australian Government Protective Security Manual 2005 that establishes minimum standards for the protection of Australian Government information and the Australian Government Information and Communications Technology Manual that covers secure information technology.

The Auditor General says that the conclusions are similar to those reached in the 2001 audit but that what has changed since is that government agencies have significantly increased the services delivered by the internet, while risks from within and outside agencies, and the number and sophistication of electronic attacks have grown rapidly. “A major risk to internet security also comes from within agencies, where personnel he the potential to accidentally or deliberately change information”.

The agencies audited included the Australian Federal Police and Medicare Australia both of which would hold large amounts of personal and health information. For obvious reasons the report does not comment on the vulnerability of particular agencies.

This doesn't throw any light on state and local government, or private sector data security.

The question remains “Why isn’t Australia suffering a wave of security breaches”?