❓ WA Parliament Question on Notice reveals which government departments and agencies engaged consultants for penetration testing and social engineering exercises on their systems and websites between March 2017 and August 2018.
Answered · QoN 3799 · Legislative Assembly
Asked
14 August 2018
Member
Portfolio
Treasurer; Minister for Finance; Energy; Aboriginal Affairs
Question
For all departments, agencies, government trading enterprises or boards within the Minister’s portfolio responsibilities, I ask since 11 March 2017: (a) Have any independent consultants or companies been engaged to run penetration or 'White Hat' tests on any internal or external network systems: (i) If so, what consultant or company was engaged and on what date; (ii) If so, did it include any social engineering or phishing tests; and (iii) If not, why not; and (b) Have any independent consultants or companies been engaged to run penetration or 'White Hat' tests on any websites: (i) If so, what consultant or company was engaged and on what date; and (ii) If so, what website (domain only) was tested?
Answer
Answered
18 September 2018
Response time
9 days
Department of Treasury
(a) Yes (via the Department of Finance).
(i) ES2 – 1 February 2018 and Hivint – 28 June 2018.
(ii) Yes.
(iii) Not applicable.
(b) Yes.
(i) ES2 – 13 and 29 March 2018.
(ii) treasury.wa.gov.au/SIMS; www.ourstatebudget.wa.gov.au
Department of Finance
(a) Yes
(i) ES2 on 1 February 2018; and Hivint on 29 June 2018
(ii) Yes
(iii) Not applicable
(b) Yes
(i) ES2 on 1 February 2018
(ii) Websites included in the scope of testing were:
· www.finance.wa.gov.au
· rol.osr.wa.gov.au
· www.tenders.wa.gov.au
· portal.bmw.wa.gov.au
Western Australia Treasury Corporation
(a) Yes
(i) KPMG August 2017 and Asterisk September 2017
(ii) KPMG No and Asterisk Yes
(iii) Not applicable
(b) Yes
(i) Asterisk September 2017
(ii) www.watc.wa.gov.au
Economic Regulation Authority
(a-b) No
Department of Planning, Lands and Heritage
Former Department of Aboriginal Affairs (11 March – 30 June 2017)
(a-b) No
Department of Planning, Lands and Heritage (1 July 2017 – 14 August 2018)
(a-b) Please refer to Legislative Assembly question on notice 3802.
Aboriginal Policy and Coordination Unit
(a-b) Please refer to Legislative Assembly question on notice 3789.
Western Power
(a) Yes
(i) Western Power regularly runs penetration tests to confirm its security posture; the latest penetration test was conducted in June 2018 by *Asterisk Information Security.
(ii) Western Power also performs phishing and social engineering tests with the latest being a USB drop user education exercise in July 2018 by *Asterisk Information Security.
(iii) Not applicable
(b) Yes
(i) The latest penetration test on a website was conducted by *Asterisk Information Security in March 2018.
(ii) https://westernpower.transactcentral.com
Synergy
(a) Yes
(i) PwC
(ii) Yes
(iii) Not applicable
(b) Yes
(i) PwC between 2 – 27 July 2018
(ii) Synergy.net.au
Horizon Power
(a) Yes
(i) Triskele Labs on the 3/5/2017, 29/8/2017 and 25/6/2018. Telstra Security Services on the 22/11/2016
(ii) Yes
(iii) Not Applicable
(b) Yes
(i) Triskele Labs 29/8/2017
(ii) Horizonpower.com.au
Government Employees Superannuation Board
(a-b) Please refer to the Department of Finance’s response to this question as GESB’s internal network systems are controlled and managed by the Department of Finance.
Fire and Emergency Services Superannuation Fund
(a) Yes
(i) Ernst and Young, engaged October 2017
(ii) Yes
(iii) Not applicable
(b) Yes
(i) Ernst and Young, engaged October 2017
(ii) www.fessuper.com.au
Insurance Commission of Western Australia
(a) Yes.
(i) KPMG – July 2017 and May 2018.
(ii) No.
(iii) Social engineering and phishing tests were conducted in 2016 and will be conducted again in Q2 of 2019 financial year 2018.
(b) Yes.
(i) KPMG – August 2017.
(ii) Domains tested included:
Office of the Auditor General
(a) No
(i-ii) Not applicable
(iii) In February 2017 the Office's own Information Systems Audit staff performed cyber security tests on its external email, website and file sharing systems hosted on the 'audit.wa.gov.au' domain. A vulnerability scan on key internal network systems was also performed at the same time.
(b) No
(i-ii) Not applicable