The Australian National Audit Office makes the claims in a comprehensive report into 21 Commonwealth bodies' control systems for 2002/03, tabled at the end of the financial year yesterday. The report covers control issues for the first nine months of 2002/03.
The ANAO, which identified "internal control difficulties" in the information security and business continuity management of several bodies in its 2001/2002 report, said the issue still remained -- although the bodies involved were not necessarily the same.
The ANAO also said many bodies had not maintained current business continuity management plans since the Y2K crisis passed.
The report indicated this was at least partly due to the structure of the cluster-based outsourcing arrangements undertaken by government bodies. These, the ANAO said, had "hindered the maturity" of business continuity management.
"Given the responsibility for business continuity resides in the [government] entity, the outsourcers' focus is on the information technology disaster recovery planning," the ANAO argues.
"However, the outsource providers generally do not have sufficient knowledge of the entity's business requirements and risk and often have no contractual obligation to do so.
"Audit findings indicate that, in some instances, outsourcers have developed disaster recovery plans without reference to the entity's unique business requirements, risks and business systems".
The ANAO said government bodies needed to "maintain the responsibility for disaster recovery and establish more clearly defined relationships with their outsourcers to ensure they are both aware of the business continuity risks".
"Furthermore, many contract agreements reviewed do not clearly articulate what is required in the disaster recovery plan, hence explaining the lack of detail found in some disaster recovery plans.
"As well, they do not specify the entities' specific risk and agreed service levels for business continuity management".
The report -- which encompasses information technology governance, process methodology, information security, business continuity management and change management -- identified some significant gaps in security controls in outsourcing contracts.
"While most entities' outsourcing contracts adequately defined information security requirements, some contracts do not specify security governing outsourced equipment, agreed service level for security service provision and protection from malicious software," the ANAO said.
"In some of the smaller entities, contracts negotiated directly with third-party suppliers of financial management, human resources management or infrastructure services do not adequately specify security requirements.
"These entities also tend to rely solely on the third-party provider to ensure appropriate security practices are protecting their business data".
The ANAO turned a particularly critical eye on the Health Insurance Commission (HIC), describing its security policies as "outdated" and updating them as a "time-consuming task".
At the time of the report, no defined procedures existed for the HIC to monitor security incidents.