An investigation by Tasmanian Auditor General Mike Blake has found that five state government departments have failed to implement information security mitigation strategies recommended by the Australian Signals Directorate (ASD).
The ASD strategies assessed by the audit included application whitelisting, patching applications and operating systems, and minimising administrative privileges.
A recent report by the Australian National Audit Office found similar failures to implement the ASD's recommended mitigation strategies at federal government agencies.
Two other common areas of weakness in the state government departments were lack of testing of backups and access permissions, the Tasmanian audit found.
The audit assessed the departments of Treasury and Finance; Primary Industries, Parks, Water and Environment (DPIPWE); Health and Human Services (DHHS); Premier and Cabinet (DPAC); and Police and Emergency Management (DPEM).
The audit found there was a widespread failure of departments to take a strategic approach to ICT security. For example, only the DPEM had a security plan. However, all the departments had a security governance committee.
The audit found that the departments had reasonable physical security for most of their facilities, infrastructure and services, but common problems in the departments included lack of policy on physical security and limited CCTV coverage.
The gaps identified were not evidence "that the departments audited are not taking ICT security seriously," Blake stated in the report's foreword.
"Evident from this report, and from submissions made by Secretaries, is that, generally, departments had reasonable security over most of their facilities, infrastructure and servers and I, and the community, should be confident that data is, or that steps are being taken to ensure, appropriately secure."
Publication of the report was delayed to give departments time to fix vulnerabilities identified during the audit.
The audit recommended that all the departments fully implement the ASD’s Top 4 mitigation strategies.
Treasury should develop a specific ICT security plan and update its ICT security risk review, the report stated. Treasury should also enforce password standards and controls over the use of unauthorised media.
DPIPWE should consider the use of host-based firewalls on workstations throughout the department and disable local administrator accounts.
The audit also recommended that DHHS develop a policy to ensure that access to confidential information is valid and that no unused accounts exist that could be misused.
DPAC should make greater use of inbuilt IT features such as inactivity timeouts on PCs, enforcement of password standards, and controls over unauthorised media and software.
Finally, the report recommended that DPEM specify in its ICT security plan that risk reviews take place regularly and implement an IT security incident management system.
Follow Hamish Barwick on Twitter: @HamishBarwick