Defence fights outsource issue
Defence is struggling to deal with its outsourced IT service providers making undocumented changes.
The issue emerged in an Australian National Audit Office (ANAO) report in 2015.
“The ANAO identified that unauthorised changes were made by the external organisation to applications and IT systems and that Defence was not aware of the proposed changes prior to implementation,” it said at the time.
“These weaknesses increase the risk of Defence’s business processes being compromised, network performance being impeded and unauthorised access to data.”
The following year, the ANAO said “controls were implemented to address these weaknesses, resulting in closure at 2015–16 year end”.
However, the controls had “not been sustained” in 2016-17, forcing the issue to return the following year.
Now, the department says change management is still an issue.
The ANAO’s report (available here in PDF form) says authorities tested a sample of “infrastructure changes executed by the service provider” and “identified continuing weaknesses in the IT infrastructure change management process.”
“These weaknesses included one instance where no evidence or supporting documentation could be provided that appropriate testing occurred prior to the implementation of a change; and three instances where no evidence or supporting documentation could be provided of a post-implementation review being undertaken as required by Defence,” the auditor said.
But the auditor did find that Defence is now assuming far greater oversight of system access privileges.
Most of the issues from previous years, like failure to monitor privileged user access and not revoking unneeded privileges, have now been addressed.
In the past year, Defence “reviewed and rationalised the number of individuals with privileged access, commenced a review of generic accounts with privileged access, and rationalised the number of users with access to change management tools”, the auditors said.
“From January 2018, Defence ICT security commenced obtaining appropriate reports from the service provider to confirm privileged users’ access that was no longer required was promptly removed,” the auditor added.