Question on Notice regarding the Auditor General's report on information security, highlighting the deterioration under the previous government and outlining the current government's efforts to improve cybersecurity across the public sector.
Answered | QoN 587 | Legislative Assembly
Question
INFORMATION SECURITY — AUDITOR GENERAL'S REPORT
587. Mr R.R. WHITBY to the Minister for Innovation and ICT:
I refer to the Auditor General's
latest "Information Systems Audit Report 2018" that outlines
how management of information security across the public sector had
deteriorated between 2011 and 2016. Can the minister update the house on how
this government is addressing the neglect of cybersecurity by the Liberal–National
government and improving information security across the public sector?
Answer
I thank the member for the question. We all know that we are
in an environment in which cybersecurity threats are ever-growing. It is with
interest, then, that members should read the Auditor General's report that
came out yesterday, the "Information Systems Audit Report 2018".
It catalogues a history of the previous government's failure to ensure
agencies are managing their information systems. This is the Auditor General's
tenth report on this issue and each year, with the exception of this latest
report, it has been a really dismal performance. The Auditor General manages
agencies' management of information systems across six categories. Two
of those categories have been consistently abysmal: information security and
business continuity.
Mr Z.R.F. Kirkup interjected.
Mr D.J. KELLY: The member for Dawesville will know
that his constituents would expect that when the government collects their
personal data, it will be held securely. Regarding information security under
the previous government, since 2011, the Auditor General found the performance
of agencies had continually declined to the point at which last year, the
previous report stated that only 39 per cent of agencies surveyed met the basic
requirements for information security. The performance of agencies in the
public sector had been declining since 2011. The good news in the Auditor General's
report that came out yesterday is that, for the first time in five years, the
percentage of agencies now meeting that basic requirement has increased from 39
per cent to 50 per cent. So for the first time in five years, there has been an
upswing in that performance measure. Business continuity is the basic measure
of whether an agency can continue to function if there is a significant
cybersecurity incident.
In 2016, the public sector got down to only 27 per cent of
agencies meeting the basic standards for business continuity outlined by the
Auditor General. The report from yesterday said that that has gone up to 37 per
cent—a green shoot in respect of business continuity. On those two
vital measures that, under the previous government, Auditor General's
report after Auditor General's report said that the situation was
getting worse, for the first time there has now been an improvement. I am not
saying the job is done, when only 50 per cent of agencies meet the basic
requirement for securing data. The job is not done, certainly by no means is it
done, but the fact that we now have some improvement in those two important
indices is testament to the emphasis that the McGowan Labor government has put
on this issue. For the first time, the Office of Digital Government will have a
dedicated cybersecurity team, so for the first time there will be dedicated
resources in the Office of Digital Government that will have specific
responsibility for overseeing this area across the public sector. It will not
replace what individual agencies do in this area, but for the first time there
will be a central agency with an overall view of what is happening across the
public sector. That is the first time that that has happened.
We have updated a whole-of-government cybersecurity policy to
make it clear to agencies what is required, and from my understanding it is the
first time in many years that directors general and chief executive officers
together were told that cybersecurity was their responsibility. It is not the
responsibility of people in the information technology department, it is the
responsibility of the directors general and chief executive officers. Do
members know what? That is exactly what the Auditor General's report,
released yesterday, said we should do.
There is much to do in this area and the work is by no means
all done. In the area of cybersecurity, attacks are getting more sophisticated,
frequent and challenging, but under this government we are taking this issue
seriously and I am pleased to say the first Auditor General's report
reflecting the influence we have had on the system is for the first time
showing some improvement.