The Tasmanian Audit Office’s decision to remove from its website a public report on cyber security in government agencies has raised concerns around transparency.
The report in question was a follow-up to a 2015 report from the Auditor-General which audited information security protocols in the state service.
The follow-up report showed that the Health and Human Services Department had not made sufficient progress in terms of implementing the 2015 recommendations and was lagging behind other agencies.
Released last Friday, the report has since been removed from the independent TAO’s website.
“Whilst the [TAO] is independent, there have been concerns raised with the current follow-up report whereby some information contained in the report may lead to a potential risk for some agencies,” a statement on the website explained.
Fairfax Media has obtained a copy of the follow-up report, which found that DHHS had failed to implement all nine recommendations pertaining to it from the 2015 report.
Back in 2015, Auditor-General Mike Blake found that the DHHS had inconsistent levels of physical security for its server rooms, no specific protection for network infrastructure and no up-to-date ICT security plan.
The follow-up report showed the DHHS’ highest completion rate for one of the 2015 recommendations was 33 per cent.
“DHHS advised that its network is undergoing significant change and it is awaiting the formation of the ICT security group which will be developing a security framework and implementation plan before the end of 2018,” the follow-up report read.
The DHHS is the largest government agency in the state and is responsible for more than 400 IT systems across Tasmania.
Health Minister Michael Ferguson denied the suggestion he may have requested the TAO to remove the follow-up report from its website.
“It is an unfortunate fact that cyber security risk can never be fully mitigated but there have been a range of projects undertaken to respond to the issues raised by the 2015 TAO report,” he said.
“This is ongoing and will be worked through progressively.
“The department’s new chief information officer has been tasked with ensuring cyber security is a key focus of the team’s agenda.”
Labor innovation and digital economy spokeswoman Michelle O’Byrne – also a former health minister – said the fact that the TAO had removed the latest report from its website was “quite concerning”.
“Nobody wants to compromise security but the fact that [Mr Ferguson] has chosen to do very little for so long is the biggest compromise to security,” she said.
Sign up for our newsletter to stay up to date.