Andrew Colley | July 01, 2008
SENSITIVE financial data controlled by federal government agencies could be vulnerable to foul play, a report by the national auditor reveals.
The Australian National Audit Office inspected financial information management practices in 23 major federal agencies and found that the majority had sound IT security against external threats, but internal policies were leaving data at risk of privacy breaches and misuse.
A third of agencies did not monitor activities of staff with privileged access to information.
It also found that in a quarter of agencies staff given access to financial data had "conflicting functions" that could expose government records to inadvertent or fraudulent "mis-statement".
The ANAO report included the tax office, defence, the Department of Employment Education and Workplace Relations, the Department of Finance and the Attorney General's portfolio.
The findings follow widely publicised privacy problems in government agencies dating back almost half a decade.
In August 2006 Centrelink had recorded 790 instances of privacy breaches by staff since 2004, which led to disciplinary action against more than 400 staff, including sackings and salary deductions.
Around the same time the tax office took action against 27 staff members for spying on clients.
Federal Privacy Commissioner Karen Curtis said: "My office will be examining the ANAO interim report and considering matters it raises about information security."
The ANAO report indicates that privacy breaches by staff in government agencies may still be going undetected because of inadequate monitoring of system administrators and employees with privileged access.
"Such users have greater access to the FMIS than other staff, and hence have privileged access that, if used inappropriately, can affect the integrity of financial information," the ANAO report says.
Government agencies were not following policy procedures to ensure employees were not placed in positions that gave them the means and motive to falsify government financial records.
"Not adhering to this practice exposes an agency to the possibility of financial misstatement, either inadvertently or through fraud," the report finds.
Overall, only two of the 23 agencies included in the report needed better network and information security, but a quarter were found to have inadequate IT governance policies.
"ANAO testing indicated almost a quarter of agencies did not have a complete or current System Security Plan for all IT systems.
"As these plans form the basis for all security processes and procedures in an agency, this situation creates a risk that security policy is not implemented in accordance with expectations.
"This could result in data integrity threats not being appropriately identified and mitigated."