❓ WA Parliamentary Question on Notice regarding penetration testing of government agencies' network systems and websites since March 2017. Most agencies report no external penetration testing, relying on internal testing or risk assessments.
Answered | QoN 3792 | Legislative Assembly
Question
For all departments, agencies, government trading enterprises or boards within the Minister’s portfolio responsibilities, I ask since 11 March 2017:
(a) Have any independent consultants or companies been engaged to run penetration or 'White Hat' tests on any internal or external network systems:
    (i) If so, what consultant or company was engaged and on what date;
    (ii) If so, did it include any social engineering or phishing tests; and
    (iii) If not, why not; and
(b) Have any independent consultants or companies been engaged to run penetration or 'White Hat' tests on any websites:
    (i) If so, what consultant or company was engaged and on what date; and
    (ii) If so, what website (domain only) was tested?
Answer
Answered: 19 September 2018
Responded by: Minister representing the Minister for Environment; Disability Services
Response time: 10 days
For the Department of Biodiversity, Conservation and Attractions
(a) No.
(a)(i)-(ii) Not applicable.
(a)(iii) Independent penetration testing is performed in accordance with the Department of Biodiversity, Conservation and Attractions’ (DBCA) strategic audit plan. In addition to the independent testing, DBCA’s security team conducts regular in-house penetration testing on both internal and external network systems.
(b) No.
(b)(i)-(ii) Not applicable.
For the former Department of Parks and Wildlife
(a) No.
(a)(i)-(ii) Not applicable.
(a)(iii) Independent penetration testing is performed in accordance with the Department of Parks and Wildlife’s strategic audit plan. In addition to the independent testing, the department’s security team conducted regular in-house penetration testing on both internal and external network systems.
(b) No.
(b)(i)-(ii) Not applicable.
For the Botanic Gardens and Parks Authority
(a) No.
(a)(i)-(ii) Not applicable.
(a)(iii) Considered low risk.
(b) No.
(b)(i)-(ii) Not applicable.
For the Zoological Parks Authority
(a) No.
(a)(i)-(ii) Not applicable.
(a)(iii) Considered low risk.
(b) No.
(b)(i)-(ii) Not applicable.
Department of Environment Regulation
(a) No.
(a)(i)-(ii) Not applicable.
(a)(iii) Automated vulnerability and penetration testing was run across IT systems.
(b) No.
(b)(i)-(ii) Not applicable.
Office of the Environmental Protection Authority
(a) No.
(a)(i)-(ii) Not applicable.
(iii) The Office of the Environmental Protection Authority did not have any external facing servers.
(b) No.
(b)(i)-(ii) Not applicable.
For the Department of Water and Environmental Regulation
Please refer to Legislative Assembly Question on Notice 3805.
For the Department of Communities; Disability Services
Please refer to Legislative Assembly Question on Notice 3804.