New report highlights value of penetration testing, PCI DSS compliance

March 20, 2013

A new report into Queensland's online service delivery has called on the state's public service sector to improve overall vulnerability management, in order to mitigate the risk of an internet security attack.

According to the Queensland Audit Office (QAO), people now expect the same speed, security and responsiveness from public sector online services as they get from those provided by the private sector.

However the report claims that a "lack of strategic leadership" and a "failure to update technology" have meant that online services offered by the Queensland public sector are underperforming and overly expensive.

The QAO also says that many of the departments which it audited – which included the Brisbane City Council, the Departments of Transport and Main Roads, and the Department of Tourism, Major Events, Small Business and the Commonwealth Games – have left themselves vulnerable to increasingly sophisticated and targeted online cyberattacks.

"While risks concerning credit card information have been carefully considered, the non-financial personal information collected through online services by two of the departments was not appropriately secured," reads the report.

The report emphasises that the public sector needs to ensure that any information provided by customers is appropriately secured – particularly when providing online services which "create specific information technology security risks".

In order to achieve this, the QAO recommends that all public sector organisations carefully follow the standards and guidelines provided by the Queensland Government Chief Information Office.

For public sector organisations which accept credit card information, the report also recommends that careful attention be paid to the requirements set out in the Payment Card Industry Data Security Standard (PCI DSS).

The report also stresses the value of penetration testing, a security evaluation technique that had not previously been applied to the Queensland Government website.

As an example of the importance of penetration testing, the QAO refers to a penetration test conducted by the Office of State Revenue (OSR) in July 2012 which identified a "large number of security risks" that had to be addressed.

The QAO recommends that entities looking to maintain "a robust security environment for online services" put in place a comprehensive security plan.

This plan should identify any existing threats and vulnerabilities, as well as the treatments in place to address them. Furthermore, it should identify any necessary security strategies and recommended controls that need to be put in place in order to achieve a "desired level" of security.

The report – which can be viewed in full here – should serve as a useful asset for both public and private sector organisations across Australia which are providing online services and wish to ensure they are delivering these services in a secure and efficient manner.
