Audits find some SA councils have lax security

Audits of three South Australian councils conducted by the state’s Auditor General has found significant deficiencies in the councils’ ICT security standards.

The audits of the Port Adelaide Enfield, Prospect and Port Augusta city councils all uncovered evidence of lax security standards causing unnecessary cyber risk.

In the case of all three councils “important internal control elements to mitigate cyber security and technology risks were not operating effectively,” the auditor general’s department said in its summaries of the audits.

The audits found that most of the main ICT systems of the Port Augusta and Port Adelaide Enfield councils are internally hosted but supported by external contractors. The former has just four staff on its ICT team while the latter has 16.

Meanwhile, the Prospect council outsources its help desk and local infrastructure support and has service agreements in place for its ERM, database admin and other services. The company has two staff on its IT team.

The Prospect and Augusta councils were found in the audits to have gaps in cybersecurity policies, procedures and standards, while Port Adelaide Enfield had insufficient coverage with these policies, procedures and standards.

All three councils also had weaknesses in password controls and change management controls, and were running unsupported software, the audits found.

Other common security gaps between the three councils include insufficient management of risks and contracts over third-party service providers, a lack of a standard ICT risk register and reporting, and insufficient user access management.

Each council’s web application was also found to be using vulnerable software libraries with exposed administrative portals, and some documents within the applications had inadequate security applied.

The Port Augusta City Council was meanwhile found not to even have a backup policy and procedure or disaster recovery plan, or to have established any information security incident response plans. The council was also found to be still using unsupported legacy servers.

The three audits outline a series of recommendations tailored to each council, requiring improvements in areas including security governance, system security, change management, backup and recovery, and vulnerability assessments.

Each council has been urged to formalise an information security user awareness program, establish or formalise an ICT risk register, and implement changes to their password settings and policies.

The audits also recommend councils establish and follow a formal patch management policy, and to implement procedures to evaluate and track all system changes and patches released by vendors using a separate test environment.

In their respective responses to the audits, the three councils generally accepted the findings and said steps are already underway to address the deficiencies uncovered during the investigations.

But the Prospect and Augusta councils also highlighted the challenges involved with the current lack of an agreed ICT control framework in local government, and noted that a standard compliance framework should take into account the size of the council, the available resources and level of risk involved.

Image credit: ©stock.adobe.com/au/Charlie's