Victorian government agencies are unclear about their roles and responsibilities under shared service arrangements with the state-owned enterprise set up to deliver their essential ICT services – which is raising their cyber security risk.
Cenitex was created in 2008 to deliver services including identity and network management, security and cloud services, and was instrumental in enabling remote work during the pandemic.
It manages a suite of Microsoft 365 products that are used and shared by numerous government agencies.
However, Auditor General Andrew Greaves found that “agencies are not clear about their security roles and responsibilities under their shared service arrangement with Cenitex”.
“If Cenitex and its clients are unclear on who is responsible for determining, implementing and overseeing controls, agencies may not be able to adequately manage their cybersecurity risks,” he adds.
The finding is one of three key insights contained in his latest report, which looked at cybersecurity threats facing the state’s public service.
Threat ‘real and growing’
The report says these threats are “real and growing” and that successful attacks on government agencies have seriously disrupted critical services, with 90 per cent of Victorian government agencies experiencing a cybersecurity incident over the last year.
The audit considered a range of agencies including government departments, a local council, a water authority and a health service.
It found that not all agencies properly understand or oversee cybersecurity services delivered by third-party providers, including Cenitex.
It also found shortfalls in the way the audited agencies were using Microsoft 365 cloud-based identity and device controls.
“Agencies haven’t set up effective Microsoft 365 cloud-based identity and device controls. None of the audited agencies have fully set up all the controls we assessed, which leaves gaps in their cybersecurity,” the report says.
Need for whole-of-government approach
Mr Greaves says the state’s 3,000 service-delivery entities are failing to leverage the public sector’s size and economy of scale to address cybersecurity issues in a coordinated way, highlighting the need for a whole-of-government approach.
“Without a coordinated approach, many agencies are duplicating their efforts and not using the public sector’s economy of scale to efficiently manage cybersecurity risks,” he says.
The report advocates the use of centralised security operations centres (SOCs), an approach outlined in the state’s 2021 Cyber Strategy, as a good model for detecting and responding to cyber threats.
A SOC is an in-house or outsourced team of IT security specialists set up to monitor an agency’s IT infrastructure around the clock and detect and respond to cyber attacks.
However, the report says the current SOC arrangements do not provide agencies with services to protect against cyber attacks.
“This means that individual agencies are delivering this function independently,” it says.
The report makes a range of recommendations, including that the Department of Government Services and the Office of the Victorian Information Commissioner lead a whole-of-government approach to improve cyber security in the public sector.