28 December 2011

Open wide?

Data breach déjà vu, yet again, with a breathless report in the Canberra Times that "A website containing credit card details of hundreds of thousands of Canberra motorists has been left exposed to attack by cyber criminals because of lax procedures in the territory's public service".

The article appears to relate to the ACT Auditor-General's annual financial report [PDF].

The CT states that -
An investigation by the ACT Auditor-General's office found that critical security upgrades to the Rego ACT site were not installed in a timely manner, creating the risk of "unauthorised access", although the Government has not disclosed any security breaches.

The system, used by many of the city's 200,000 motorists to pay their registration fees by credit card, was left vulnerable many times over several years, the auditor's report found. The delays in installing security "patches", provided by the system's manufacturer, were part of a litany of weaknesses and gaps in government computer security systems, uncovered during the Auditor-General's annual financial audit process. The report found that password controls on government systems were weak and that security patches not being installed on time was a problem across the ACT Public Service.

... the auditors were critical of the performance of both departments in managing the vital system after finding that the problem with the patches had existed for years.

"As in previous years, this system was not being promptly updated for security 'patches' that are regularly provided by the supplier of the system," the auditors wrote.

"This presents a higher risk that unauthorised users may exploit any known weaknesses in the system."

The auditor's office identified security weaknesses across the Government's systems with password management emerging as a problem. "These control weaknesses result in a higher risk of undetected unauthorised and possibly fraudulent access to the ACT Government network, firewalls, applications and data," the report says.

"The ACT Government's password complexity requirements were not fully enforced, some passwords were not 'forced' to be regularly changed, user access levels were not regularly monitored, and some critical 'patches' were not applied.

"This increases the risk of unauthorised, inappropriate and undetected access to the ACT Government network, firewalls, applications and data."

After the usual flannel, a spokesperson for the ACT government is reported as conceding that there was a need to improve confidence in the system and that documentation "has now been improved".