VIC Auditor flushes out hundreds of government IT security holes


By Paul Hemsley and Julian Bajkowski

A new report from the Victorian Auditor-General’s Office (VAGO) has revealed the trigger for the Napthine government’s sweeping government-wide IT security strategy overhaul after 11 government agencies were found to be highly vulnerable to potential cyber-attacks because of “inadequate” security measures.

The Victorian government last week officially signed on to the creation of a holistic IT security plan that will be rolled out across all government agencies in 2014, an effort that will be initially led by the Australian Federal Police’s former top cyber cop Alastair MacGibbon.

It’s not hard to see why.

Victorian Auditor-General John Doyle’s report on the Whole of Victorian Government Information Security Management Framework has detailed a laundry list of inadequacies within public sector agencies and their management of their ICT systems.

One of the key findings was that agencies are “generally unaware” of how their systems would perform if subjected to a cyber-attack, a scenario that has gone from theory to reality in recent weeks in the midst of regional tensions over electronic espionage.

The Victorian Auditor-General’s sweep to flush out vulnerabilities included technical testing of a range of selected ICT systems and subsequently identified “well over 100 serious breaches and lapses” in information security.

The agencies the Auditor examined included CenITex, Department of Human Services, Department of Justice, Department of Premier and Cabinet, Department of State Development, Business and Innovation, Department of Treasury and Finance, State Revenue Office, Transport Accident Commission, Treasury Corporation of Victoria, Victorian Funds Management Corporation, and WorkSafe Victoria.

Mr Doyle said there were no “cohesive arrangements” in place in Victoria to brief ministers if a major cyber threat were to affect the public sector’s ability to continue to deliver services.

Saying that he is “pleased” that a number of the more “critical findings” have already been addressed by some agencies, Mr Doyle has written to each of the agencies subject to the audit and sought their “urgent attention” to rectify the issues.

According to VAGO, the government has recently acted to address these “deficiencies” by introducing the Emergency Management Bill 2013 in late October and creating a new Cyber Security Strategy in the Victorian public sector.

This Strategy is a major overhaul of the state’s cyber policy to bolster its digital defences and was claimed by Minister of Technology Gordon Rich-Phillips to be the first of its kind to be formally developed by an Australian state government.

It is expected to be completed in 2014 and is meant to spell out clear lines of responsibility and demarcation for dealing with cyber threats and issues.
