	Home \| Databases \| WorldLII \| Search \| Feedback Privacy Law and Policy Reporter

Home | Databases | WorldLII | Search | Feedback

Privacy Law and Policy Reporter

You are here: AustLII >> Databases >> Privacy Law and Policy Reporter >> 1996 >> [1996] PrivLawPRpr 41

Morison, John --- "Compiter security - a survey of 137 Australian agencies" [1996] PrivLawPRpr 41; (1996) 3(4) Privacy Law & Policy Reporter 67

Computer security -- a survey of 137 Australian agencies

In recent years, unauthorised release of government information has been the subject of media coverage and inquiry. As a result the Privacy Commissioner was concerned about the level of protection of personal information held on computer systems in the Federal and ACT government administrations. In order to address that concern, an audit with a focus on Information Privacy Principle 4 (which requires agencies to adopt reasonable security safeguards) was conducted on computer security. The audit, in the form of a detailed survey questionnaire which was sent to 152 agencies, commenced in May 1994. Some of the smaller agencies did not hold personal information on computer systems and were subsequently excluded from the audit. A total of 137 responses to the questionnaire formed the survey population.

Audit's objectives

The objectives of the audit were to:

provide a basis for self-assessment and review for those agencies that had a computer security policy;
enable agencies without a dedicated computer security policy to consider whether there is a need for one;
provide some guidance to those agencies without a policy on the issues that should be addressed if a policy is to be developed;
provide information to agencies on their responses to the questionnaire relative to the other agencies surveyed;
provide the Privacy Commissioner with an overview of computer security and practices across federal and ACT government service agencies, and an indication of action taken by agencies to improve computer security, following release of a number of reports and media criticism of unauthorised release of personal information held by agencies in recent years (see Independent Commission Against Corruption (ICAC) NSW, Report on Unauthorised Release of Government Information, August 1992); and
also provide the commissioner with an indication of those agencies which should be included in future audit programs, either where the specific focus is on computer security, or as part of more general audits which address a number of the Information Privacy Principles.

A number of significant findings were identified in terms of policy, staff awareness and training, portable computing equipment, security classifications, outsourcing, access controls, Defence Signals Directorate liaison, network and communication links, physical security, audit trail controls and audit programs. Some of these findings are summarised in this article.

Computer Security Policy

Only 52 per cent of the survey population had a Computer Security Policy (CSP). Forty-one per cent had a CSP endorsed by senior management and only 29 per cent had a CSP which was last issued on or after 1 July 1992. Forty-six per cent had a CSP which stated system protection in terms of confidentiality and integrity of information (who may access or change information, protection against unauthorised access, and who is responsible for alteration of access levels, system documentation and software). Only 23 per cent had a committee structure which addressed computer security separately from general protective security.

Overall, these results were disappointing. While the existence of a CSP does not automatically guarantee a secure IT environment, the formulation and maintenance of a CSP should focus agencies' attention on the exposure of its systems to potential threat.

Staff awareness and training

Fifty-six per cent of the agencies addressed computer security in training sessions for general users. Only 23 per cent of agencies with a CSP made it generally available to staff.

These results were also disappointing. If agencies are to maintain an effective security culture, all systems users need to be aware of computer security issues and access to the CSP is one method of raising awareness.

Portable computing equipment

Eighteen per cent of agencies kept personal information on portable computers within the agency. Officers in eight per cent of agencies are required to access information held on portables in remote sites and in 22 per cent of agencies, officers are permitted to use portables containing personal information while working at home. Only six per cent of agencies reported that information was held on other portable equipment such as electronic diaries.

These results are indicative of the significant amount of personal information now held on portable computers and the trend towards `teleworkers' or `home-based work'. The Melham Committee report (`In Confidence' -- A report of the inquiry into the protection personal and commercial information held by the Commonwealth, June 1995 -- (see 2 PLPR 101) also commented on the increasing use of portables in the public sector and recommended that security manuals specifically address the process required to authorise work taken out of the office and the security features of portable computers.

The risks associated with the use of portables containing personal information may be minimised by agencies through incorporation of security controls on portables and institution of security procedures to ensure adequacy of safeguards over information held on portables at the normal work-site and in other locations. Computer security policies should address these issues.

Security classifications

Eight per cent of the survey population held `national security' classified personal information on computer systems and 54 per cent of agencies also held personal information with a sensitive material classification on the systems. The Privacy Commissioner's audit program has identified that the most common classification for personal information is `in-confidence', the lowest sensitive material classification. This classification is normally used for personnel files. However, there is a significant volume of personal information which is unclassified.

There is a risk that agencies which overly rely on formal security classifications for protection of personal information may overlook the existence of unclassified material and fail to take adequate protective measures.

Outsourcing

Thirty-seven per cent of agencies employed contractors for the operation of mainframe computer centres or networks. Eighty-two per cent used contractors for programming services. Twenty-five per cent employed contractors for processing of personal information on external computing systems and 92 per cent used contractors for computer repairs and maintenance.

However, only 26 per cent of agencies which contract out their computing services had specific reference to the provisions of the Privacy Act 1988 in written contracts with these service providers. Many agencies used standard federal government contract clauses requiring confidentiality, but since contractors are generally not covered by the provisions of the Privacy Act, the confidentiality provisions do not adequately protect an individual's privacy `rights' in the event of a breach.

The Privacy Commissioner and the Melham Committee have recommended that the Act be amended to make a contractor to a federal agency primarily liable for compliance with the Information Privacy Principles as if the contractor were an agency. Meanwhile, agencies should include in any contract, clauses which impose on contractors the same obligations that agencies are subject to, in respect of the Information Privacy Principles. The Privacy Commissioner has issued Outsourcing and Privacy for agencies considering contracting out (outsourcing) information technology and other functions.

Access controls

Ninety-one per cent of the survey agencies had some form of access control software to protect personal information held on systems. This software can include measures such as access limits, restrictions on alteration of access controls, detection devices and monitoring procedures designed to detect unauthorised access. Eighty-two per cent of agencies used software with an enforced password change facility.

Seventy-four per cent of agencies used software which has a facility to disable terminals after a period of user inactivity, however, only 62 per cent of this group of agencies had the facility activated. Twenty-eight per cent of the survey population use time-based access restrictions which may restrict use to a specified timeframe such as normal working hours. Eighty-eight per cent use access restrictions based on the function, position number or location of the user. Staff access to systems is automatically revoked after a period of non-use in 38 per cent of agencies and 55 per cent of all agencies prevent the running of concurrent sessions through two or more terminals.

These results are encouraging. Access control software is widely used in the survey population and these controls are effective in preventing or limiting unauthorised access to information held on agency systems.

Defence Signals Directorate liaison

In October 1986 Cabinet directed that the Defence Signal Directorate (DSD) shall, in respect of communications and computer security:

Provide advice on request to government departments and authorities in relation to other sensitive official information unrelated to national security but which for privacy, financial or other reasons requires protection form unauthorised disclosure.

Cabinet also directed that as part of its operating guidelines:

DSD shall maintain direct contact with appropriate Commonwealth government departments and authorities and the Defence Force as regards communications security and computer security matters.

Only 31 per cent of agencies have consulted with the DSD on communications security and only 16 per cent have sought advice from communications consultants other than DSD on this issue. There is a generally low level of consultation with DSD. This may relate to another finding that only 39 per cent of agencies have CSPs which are designed to conform to the Protective Security Manual (PSM), issued by the Attorney-General's department, which includes a chapter on `computer and communication security' and information on the consultancy role of the DSD.

Only 28 per cent of agencies use authentication identifiers which conform to standards contained in instructions issued by the DSD. Twenty-six per cent of agencies did not answer this question on identifiers or indicated that they didn't know whether their authentication identifiers conformed with the standard.

Less than 15 per cent of agencies have adopted communications security standards provided by DSD and a mere nine per cent have consulted with DSD on audit trail documentation.

In this context, it is interesting to note that a recommendation in the House of Representatives standing committee on legal and constitutional affairs report In Confidence also addresses this issue. Recommendation 12 states that:

All agencies adopt adequate standards for computer security. Guidelines should be developed after incorporating advice from existing government agencies with expertise in computer security.

In summary, the survey results clearly show a low level of consultation with DSD and a lack of awareness of DSDs role. Also, few agencies have adopted the standards embodied in DSD instructions, relating to authentication identifiers and communications security.

Networks and communication links

Eighty per cent of the survey population use Local Area Networks (LANs) and 55 per cent use Wide Area Networks (WANs) to store or transmit personal information. However, only 12 per cent use encryption on nationally-linked communications paths, only four per cent use encryption on communication paths within regional and state offices and four per cent use encryption on communication paths within their central office.

These results indicate the proliferation of the use of networks and the relatively low use of encryption to protect transmitted personal information. The low level of consultation with DSD on communication security matters has already been commented on. DSD instructions cover communications and require the use of encryption when national security, in-confidence, protected or highly-protected material is transmitted over electromagnetic communications systems.

The advantages offered by network technology are obvious but the risks they pose to security of personal information are perhaps less so. DSD instructions state in part:

Communications pathways outside an agency's control may be subject to interception, diversion, and interruption. Even pathways within the agency's control may be bugged. It can thus be seen that without special communications security measures few agencies would be able to guarantee to maintain the security of their processing ...
There is no substitute for encryption in preventing unauthorised disclosure of information passed over communications lines ...
It's (encryption) effectiveness means it will normally be found to be better than it's alternatives even by those agencies whose information is not required to be encrypted for reasons of national security or sensitivity.

While most personal information held by the agencies would not be classified at a level higher than in-confidence, it is clear that DSD considers that such material should be protected by encryption when transmitted over networks, even within a discrete, self-contained LAN. In this context the survey result that less than one in 20 agencies that use LANs or WANs which involve communications across local or state offices encrypt the personal information transmitted, is of considerable concern.

Some agencies may consider that the risk of unauthorised disclosure of information transmitted on networks is low. Those agencies which have not consulted DSD or other experts on these matters may not be aware of the risks. It is unlikely that agencies would be aware if the information transmitted on their networks was intercepted. The greatest advantage of encryption is that even if encrypted information is intercepted, it cannot be decrypted without the appropriate key or decryption algorithm.

It may be argued that depending on the amount and sensitivity of personal information on these systems, encryption may or may not be cost effective when assessed against the risks. The greater availability and lower cost of encryption will strengthen the case for its use.

But as many agencies failed to provide a risk, threat or vulnerability assessment of unauthorised access and/or disclosure of personal information for such systems, the low level of such protection across all agencies is an issue which must be addressed.

Physical security

Fifty-nine per cent of the agencies have conducted a threat assessment which covers damage to, and theft of, computing equipment. Seventy-four per cent have policies, procedures or standards which address the physical protection of computer hardware and 80 per cent have in place arrangements to control the movement of visitors in areas where personal information is stored or processed.

Although these results appear reasonably satisfactory, the survey was not designed to assess the adequacy of these measures or their quality. Agencies should have a system of regular review of the adequacy of physical security arrangements.

Audit trail controls

Sixty-one per cent of the agencies have controls in place which provide an audit trail to enable detection of unauthorised access, changes, and loss or deletion of personal information on mainframe systems. Thirty-seven per cent of agencies with mainframes have these controls with respect to information stored on LANs or WANs.

Similarly, 61 per cent of agencies record user session times for mainframes, but only 37 per cent do so for LAN/WANs. For mainframes, 39 per cent record for each user any access, whether successful or not, and identify the data file or client record for mainframes, but only 20 per cent do so for LAN/WANs.

Forty-one per cent of agencies record the program or process used for each user in respect to mainframes and only 15 per cent do so for LAN/WANs. Thirty-one per cent of agencies record, for each user, each file or data set opened and what type of access is requested (Read, Write, Append, Execute etc), but only 15 per cent do so for LAN/WANs. Twenty-five per cent of agencies record, for each user, each attempt (whether successful or not) to use a resource (file, directory, printer etc) for mainframes but only 13 per cent do so for LAN/WANS.

Fifty-three per cent of agencies can archive their audit trail in machine readable form and 39 per cent have systems which make an immediate report of apparent attempts of unauthorised access to the system. Sixty-four per cent of agencies have the facility to enable security personnel or other designated officers to search audit trails for a specified event and 46 per cent of agencies have the responsibility for security and audit functions separated.

These results confirm that audit trail controls are more prevalent in mainframe based systems than in networks. Given the finding that 80 per cent of agencies use LANs and 55 per cent use WANs, the relative lack of audit trail controls on networks is of some concern.

Audit programs

Forty-nine per cent of agencies have conducted internal audits of computer security or user access since 1 July 1992 and 42 per cent have conducted audits since 1 July 1992 as part of a regular monitoring program. One per cent have conducted these type of audits since 1 July 1992 in response to specific events in the agency and one per cent have conducted such audits since 1 July 1992 in response to external activity such as hearings, media reports or parliamentary committees. fifty-three per cent have such audits included in their internal audit programs for 1993/1995 and 41 per cent have had such audits conducted by external agencies since 1 July 1992.

These results indicate that over half of the survey population had not conducted internal computer security or access audits since 1 July 1992 and 47 per cent of agencies have not included such audits in their audit plan for 1993/1995. This is of considerable concern.

Outcome

Notification of the proposed survey had the immediate effect, in some agencies, of achieving the important objective of providing an impetus for these agencies to review computer security in respect to compliance with IPP4. In other agencies, the process of completing the survey, coupled with the results, should provide a basis for those agencies to determine whether policy and procedures require development, review or amendment.

The Privacy Commissioner has taken the view that the privacy auditing is an educative process and compliance with the Privacy Act coincides with best management practices. Agencies were therefore encouraged to consider those areas of computer security identified in the survey where some improvement may be achieved in the protection of personal information.

Audits and investigations conducted by the Privacy Commissioner will continue to focus on security of personal information held on computer systems and networks. The survey results will be used in the selection process of agencies for audit and resolution of complaints where computer security is a factor.

Developments and trends

Developments in information technology (IT) and IT security have been accelerating over the past few years and will continue to do so in the foreseeable future. One major area of development, which has been reflected in the findings of the survey, is the proliferation of networks. While the Internet currently dominates media interest, the establishment of initially discrete networks within agencies and organisations has been widespread. Electronic links have also been established between some agencies.

The survey found that 46 per cent of agencies `exchange' personal information on-line with other agencies or external organisations, other than information covered by data matching pursuant to the Data Matching (Assistance and Tax) Act 1990. It is apparent from some agency comments that they may have counted the routine transmission of pay and personnel-related data which is common to all agencies, but there is still a significant exchange of other personal information online between many agencies and to some non-government organisations.

There is no doubt that the use and size of networks will expand. As an example, a number of Commonwealth agencies now routinely use the Internet as an information source and as a means of disseminating material to interested users. Security against loss of data and unauthorised access to systems is a major issue and protection against possible hacking, viruses and computer crime via the Internet will require additional security measures such as encryption or `firewalls' or by using isolated PCs not connected to the agency network or system.

Networks within the federal administration and interfaces between contractors and various agencies are bound to increase as processing tasks are outsourced; as greater use is made of bureaux for the handling of common functions and as service delivery to remote sites is improved through advances in technology. Security of personal information within these new environments will need to keep pace with technological change.

The probable future proliferation of the uses of smart cards may include their use in the authentication of electronic financial transactions and of user identification for access control purposes. Smart cards utilising a variety of different technologies are being promoted by financial institutions and numerous concerns arise in respect to the privacy of smart card mediated transactions. However, smart card technology also has the potential to provide more secure access controls on computer systems than current password based systems (see also the Privacy Commissioner's information paper No 4, `Smart cards: implications for privacy').

John Morison, Director, Privacy Compliance, Office of the Australian Privacy Commissioner.

AustLII: Copyright Policy | Disclaimers | Privacy Policy | Feedback
URL: http://www.austlii.edu.au/au/journals/PrivLawPRpr/1996/41.html