Privacy Law and Policy Reporter
John Morison

In recent years, unauthorised release of government information has been the subject of media coverage and inquiry. As a result the Privacy Commissioner was concerned about the level of protection of personal information held on computer systems in the Federal and ACT government administrations. In order to address that concern, an audit with a focus on Information Privacy Principle 4 (which requires agencies to adopt reasonable security safeguards) was conducted on computer security. The audit, in the form of a detailed survey questionnaire which was sent to 152 agencies, commenced in May 1994. Some of the smaller agencies did not hold personal information on computer systems and were subsequently excluded from the audit. A total of 137 responses to the questionnaire formed the survey population.
A number of significant findings were identified in terms of policy, staff awareness and training, portable computing equipment, security classifications, outsourcing, access controls, Defence Signals Directorate liaison, network and communication links, physical security, audit trail controls and audit programs. Some of these findings are summarised in this article.
Overall, these results were disappointing. While the existence of a computer security policy (CSP) does not automatically guarantee a secure IT environment, the formulation and maintenance of a CSP should focus agencies' attention on the exposure of their systems to potential threats.
These results were also disappointing. If agencies are to maintain an effective security culture, all systems users need to be aware of computer security issues and access to the CSP is one method of raising awareness.
These results are indicative of the significant amount of personal information now held on portable computers and the trend towards 'teleworkers' or 'home-based work'. The Melham Committee report ('In Confidence' -- A report of the inquiry into the protection of personal and commercial information held by the Commonwealth, June 1995; see 2 PLPR 101) also commented on the increasing use of portables in the public sector and recommended that security manuals specifically address the process required to authorise work taken out of the office and the security features of portable computers.
The risks associated with the use of portables containing personal information may be minimised by agencies through incorporation of security controls on portables and institution of security procedures to ensure adequacy of safeguards over information held on portables at the normal work-site and in other locations. Computer security policies should address these issues.
There is a risk that agencies which overly rely on formal security classifications for protection of personal information may overlook the existence of unclassified material and fail to take adequate protective measures.
However, only 26 per cent of agencies which contract out their computing services had specific reference to the provisions of the Privacy Act 1988 in written contracts with these service providers. Many agencies used standard federal government contract clauses requiring confidentiality, but since contractors are generally not covered by the provisions of the Privacy Act, the confidentiality provisions do not adequately protect an individual's privacy 'rights' in the event of a breach.
The Privacy Commissioner and the Melham Committee have recommended that the Act be amended to make a contractor to a federal agency primarily liable for compliance with the Information Privacy Principles as if the contractor were an agency. Meanwhile, agencies should include in any contract clauses which impose on contractors the same obligations, in respect of the Information Privacy Principles, that agencies themselves are subject to. The Privacy Commissioner has issued 'Outsourcing and Privacy' for agencies considering contracting out (outsourcing) information technology and other functions.
Seventy-four per cent of agencies used software which has a facility to disable terminals after a period of user inactivity; however, only 62 per cent of this group of agencies had the facility activated. Twenty-eight per cent of the survey population use time-based access restrictions, which may restrict use to a specified timeframe such as normal working hours. Eighty-eight per cent use access restrictions based on the function, position number or location of the user. Staff access to systems is automatically revoked after a period of non-use in 38 per cent of agencies, and 55 per cent of all agencies prevent the running of concurrent sessions through two or more terminals.
These results are encouraging. Access control software is widely used in the survey population and these controls are effective in preventing or limiting unauthorised access to information held on agency systems.
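The five controls the survey asked about (inactivity lockout, time-based restrictions, function/location-based restrictions, automatic revocation after non-use and prevention of concurrent sessions) fit together as a small access-control layer. The following is an added illustration written for this article, not code from any agency or product; the policy thresholds, account names and office locations are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Policy:
    """Thresholds are constructed for this example, not taken from any agency."""
    inactivity_lock: timedelta = timedelta(minutes=15)  # disable terminal after idle period
    revoke_after: timedelta = timedelta(days=90)        # revoke access after period of non-use
    permitted_hours: tuple = (8, 18)                    # logins allowed from 08:00 up to 18:00
    single_session: bool = True                         # refuse a second concurrent session


@dataclass
class Account:
    user: str
    function: str            # job function the access profile is based on
    locations: frozenset     # offices from which this account may be used
    last_login: datetime
    revoked: bool = False


@dataclass
class Session:
    user: str
    terminal: str
    last_activity: datetime
    locked: bool = False


class AccessController:
    def __init__(self, policy, accounts):
        self.policy = policy
        self.accounts = {a.user: a for a in accounts}
        self.sessions = {}  # terminal -> Session

    def login(self, user, terminal, location, now):
        """Return (granted, reason). Checks run in a fixed order so the reason
        recorded for a refusal is the first control that failed."""
        acct = self.accounts.get(user)
        if acct is None or acct.revoked:
            return False, "unknown or revoked account"
        if now - acct.last_login > self.policy.revoke_after:
            acct.revoked = True  # automatic revocation for non-use
            return False, "access revoked after period of non-use"
        start, end = self.policy.permitted_hours
        if not start <= now.hour < end:
            return False, "outside permitted hours"
        if location not in acct.locations:
            return False, "location not permitted for this account"
        # A session on another terminal blocks a second one; re-authenticating
        # on the same (possibly locked) terminal simply replaces that session.
        if self.policy.single_session and any(
                s.user == user and t != terminal for t, s in self.sessions.items()):
            return False, "concurrent session refused"
        acct.last_login = now
        self.sessions[terminal] = Session(user, terminal, now)
        return True, "granted"

    def activity(self, terminal, now):
        """Record user activity; a locked terminal ignores input until re-authentication."""
        s = self.sessions[terminal]
        if s.locked:
            return False
        s.last_activity = now
        return True

    def lock_idle(self, now):
        """Disable terminals idle for the policy period; return the terminals locked now."""
        newly_locked = []
        for s in self.sessions.values():
            if not s.locked and now - s.last_activity >= self.policy.inactivity_lock:
                s.locked = True
                newly_locked.append(s.terminal)
        return newly_locked


def demo_accounts():
    """Constructed sample accounts: two active clerks and one dormant since January."""
    return [
        Account("asmith", "clerk", frozenset({"canberra"}), datetime(1995, 6, 1, 9, 0)),
        Account("bjones", "clerk", frozenset({"sydney"}), datetime(1995, 1, 1, 9, 0)),
        Account("cwong", "clerk", frozenset({"sydney"}), datetime(1995, 6, 1, 9, 0)),
    ]


def run_scenario():
    """Walk a constructed morning through the controller; returns each outcome in order."""
    ctl = AccessController(Policy(), demo_accounts())
    t = datetime(1995, 6, 2, 9, 0)
    return [
        ctl.login("asmith", "T01", "canberra", t),                    # granted
        ctl.login("asmith", "T02", "canberra", t),                    # concurrent session refused
        ctl.login("asmith", "T02", "sydney", t),                      # location not permitted
        ctl.login("bjones", "T03", "sydney", t),                      # dormant 152 days -> revoked
        ctl.login("cwong", "T03", "sydney", t.replace(hour=19)),      # outside permitted hours
        ctl.lock_idle(t + timedelta(minutes=20)),                     # ['T01'] locked for inactivity
        ctl.activity("T01", t + timedelta(minutes=21)),               # False: locked terminal
        ctl.login("asmith", "T01", "canberra", t + timedelta(minutes=22)),  # granted (re-authenticated)
    ]


if __name__ == "__main__":
    for outcome in run_scenario():
        print(outcome)
```

The ordering of checks matters operationally: the revocation test runs before the time-window and location tests so that a dormant account is closed on its first reappearance rather than merely refused, and the concurrency check excludes the terminal being re-authenticated so that a lockout does not strand the user.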
Provide advice on request to government departments and authorities in relation to other sensitive official information unrelated to national security but which for privacy, financial or other reasons requires protection from unauthorised disclosure.

Cabinet also directed that as part of its operating guidelines:

DSD shall maintain direct contact with appropriate Commonwealth government departments and authorities and the Defence Force as regards communications security and computer security matters.

Only 31 per cent of agencies have consulted with the DSD on communications security and only 16 per cent have sought advice from communications consultants other than DSD on this issue. There is a generally low level of consultation with DSD. This may relate to another finding that only 39 per cent of agencies have CSPs which are designed to conform to the Protective Security Manual (PSM), issued by the Attorney-General's Department, which includes a chapter on 'computer and communication security' and information on the consultancy role of the DSD.
Only 28 per cent of agencies use authentication identifiers which conform to standards contained in instructions issued by the DSD. Twenty-six per cent of agencies did not answer this question on identifiers or indicated that they didn't know whether their authentication identifiers conformed with the standard.
Less than 15 per cent of agencies have adopted communications security standards provided by DSD and a mere nine per cent have consulted with DSD on audit trail documentation.
In this context, it is interesting to note that a recommendation in the House of Representatives standing committee on legal and constitutional affairs report In Confidence also addresses this issue. Recommendation 12 states that:
All agencies adopt adequate standards for computer security. Guidelines should be developed after incorporating advice from existing government agencies with expertise in computer security.

In summary, the survey results clearly show a low level of consultation with DSD and a lack of awareness of DSD's role. Also, few agencies have adopted the standards embodied in DSD instructions relating to authentication identifiers and communications security.
These results indicate the proliferation of the use of networks and the relatively low use of encryption to protect transmitted personal information. The low level of consultation with DSD on communication security matters has already been commented on. DSD instructions cover communications and require the use of encryption when national security, in-confidence, protected or highly-protected material is transmitted over electromagnetic communications systems.
The advantages offered by network technology are obvious but the risks they pose to security of personal information are perhaps less so. DSD instructions state in part:
Communications pathways outside an agency's control may be subject to interception, diversion, and interruption. Even pathways within the agency's control may be bugged. It can thus be seen that without special communications security measures few agencies would be able to guarantee to maintain the security of their processing ...

While most personal information held by the agencies would not be classified at a level higher than in-confidence, it is clear that DSD considers that such material should be protected by encryption when transmitted over networks, even within a discrete, self-contained LAN. In this context the survey result that fewer than one in 20 agencies that use LANs or WANs involving communications across local or state offices encrypt the personal information transmitted is of considerable concern.
There is no substitute for encryption in preventing unauthorised disclosure of information passed over communications lines ...
Its (encryption) effectiveness means it will normally be found to be better than its alternatives even by those agencies whose information is not required to be encrypted for reasons of national security or sensitivity.
Some agencies may consider that the risk of unauthorised disclosure of information transmitted on networks is low. Those agencies which have not consulted DSD or other experts on these matters may not be aware of the risks. It is unlikely that agencies would be aware if the information transmitted on their networks was intercepted. The greatest advantage of encryption is that even if encrypted information is intercepted, it cannot be decrypted without the appropriate key or decryption algorithm.
It may be argued that depending on the amount and sensitivity of personal information on these systems, encryption may or may not be cost effective when assessed against the risks. The greater availability and lower cost of encryption will strengthen the case for its use.
But as many agencies failed to provide a risk, threat or vulnerability assessment of unauthorised access and/or disclosure of personal information for such systems, the low level of such protection across all agencies is an issue which must be addressed.
Although these results appear reasonably satisfactory, the survey was not designed to assess the adequacy of these measures or their quality. Agencies should have a system of regular review of the adequacy of physical security arrangements.
Similarly, 61 per cent of agencies record user session times for mainframes, but only 37 per cent do so for LAN/WANs. For mainframes, 39 per cent record for each user any access, whether successful or not, and identify the data file or client record involved, but only 20 per cent do so for LAN/WANs.
Forty-one per cent of agencies record the program or process used for each user in respect of mainframes and only 15 per cent do so for LAN/WANs. Thirty-one per cent of agencies record, for each user, each file or data set opened and what type of access is requested (Read, Write, Append, Execute etc) on mainframes, but only 15 per cent do so for LAN/WANs. Twenty-five per cent of agencies record, for each user, each attempt (whether successful or not) to use a resource (file, directory, printer etc) for mainframes but only 13 per cent do so for LAN/WANs.
Fifty-three per cent of agencies can archive their audit trail in machine readable form and 39 per cent have systems which make an immediate report of apparent attempts of unauthorised access to the system. Sixty-four per cent of agencies have the facility to enable security personnel or other designated officers to search audit trails for a specified event and 46 per cent of agencies have the responsibility for security and audit functions separated.
These results confirm that audit trail controls are more prevalent in mainframe based systems than in networks. Given the finding that 80 per cent of agencies use LANs and 55 per cent use WANs, the relative lack of audit trail controls on networks is of some concern.
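The audit-trail capabilities listed above (who used which program to attempt which kind of access to which resource, whether it succeeded, session times, a machine-readable archive, an immediate report of apparent unauthorised attempts, and a search for a specified event) can be demonstrated on a small trail. The code below is an added example for this article, not an agency's or vendor's audit facility; the pipe-separated record layout and the sample trail are constructed for illustration.

```python
import json
from collections import Counter
from dataclasses import dataclass, asdict

# Constructed sample audit trail (not from any agency): one record per access
# attempt, pipe-separated in the field order given by FIELDS below.
SAMPLE_TRAIL = """\
1995-06-02T09:01:12|jsmith|T014|PAYROLL|PAY.MASTER|Read|OK
1995-06-02T09:02:40|jsmith|T014|PAYROLL|PAY.MASTER|Write|OK
1995-06-02T09:05:03|rjones|T022|EDITOR|CLIENT.RECORDS|Read|DENIED
1995-06-02T09:05:09|rjones|T022|EDITOR|CLIENT.RECORDS|Read|DENIED
1995-06-02T09:05:15|rjones|T022|EDITOR|CLIENT.RECORDS|Write|DENIED
1995-06-02T09:10:00|opsadm|T001|PRTSPOOL|LPT1|Execute|OK
1995-06-02T09:11:30|jsmith|T014|PAYROLL|PAY.HISTORY|Append|OK
1995-06-02T09:15:44|tnguyen|T030|EDITOR|PAY.MASTER|Read|DENIED
"""

FIELDS = ("time", "user", "terminal", "program", "resource", "access", "result")


@dataclass(frozen=True)
class AuditRecord:
    time: str
    user: str
    terminal: str
    program: str       # program or process used
    resource: str      # file, data set, directory, printer
    access: str        # Read, Write, Append, Execute
    success: bool      # whether the attempt was permitted


def parse_trail(text):
    """Parse the constructed trail format; a malformed line is an error, not skipped,
    because a gap in an audit trail is itself a finding."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            raise ValueError(f"line {lineno}: expected {len(FIELDS)} fields, got {len(parts)}")
        *head, result = parts
        records.append(AuditRecord(*head, success=(result == "OK")))
    return records


def to_archive(records):
    """Machine-readable archive: one JSON object per line, suitable for retention."""
    return "\n".join(json.dumps(asdict(r), sort_keys=True) for r in records)


def load_archive(text):
    """Read the archive back; round-trips exactly to the parsed records."""
    return [AuditRecord(**json.loads(line)) for line in text.splitlines() if line]


def search(records, **criteria):
    """Search for a specified event, e.g. search(records, user="rjones", success=False)."""
    return [r for r in records if all(getattr(r, k) == v for k, v in criteria.items())]


def unauthorised_attempts(records):
    """Every refused access attempt: the raw material for an immediate report."""
    return [r for r in records if not r.success]


def repeated_refusals(records, threshold=3):
    """Users refused at least `threshold` times; repeated refusals against one
    resource are what an immediate report should draw attention to."""
    counts = Counter(r.user for r in records if not r.success)
    return {u: n for u, n in counts.items() if n >= threshold}


def session_times(records):
    """First and last recorded activity per user (the survey's 'user session times')."""
    times = {}
    for r in records:
        first, last = times.get(r.user, (r.time, r.time))
        times[r.user] = (min(first, r.time), max(last, r.time))
    return times


if __name__ == "__main__":
    trail = parse_trail(SAMPLE_TRAIL)
    print("refused attempts:", len(unauthorised_attempts(trail)))
    print("repeated refusals:", repeated_refusals(trail))
    print("PAY.MASTER events:", [(r.user, r.access, r.success) for r in search(trail, resource="PAY.MASTER")])
    print("session times:", session_times(trail))
```

Two design points carry over to real systems: the parser refuses a malformed line rather than skipping it, since a record that cannot be parsed may indicate tampering or a logging fault; and the archive format is a plain line-per-record encoding so that a designated officer can search it with ordinary tools long after the originating system has changed.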
These results indicate that over half of the survey population had not conducted internal computer security or access audits since 1 July 1992 and 47 per cent of agencies have not included such audits in their audit plan for 1993/1995. This is of considerable concern.
The Privacy Commissioner has taken the view that privacy auditing is an educative process and that compliance with the Privacy Act coincides with best management practice. Agencies were therefore encouraged to consider those areas of computer security identified in the survey where some improvement may be achieved in the protection of personal information.
Audits and investigations conducted by the Privacy Commissioner will continue to focus on security of personal information held on computer systems and networks. The survey results will be used in the selection process of agencies for audit and resolution of complaints where computer security is a factor.
The survey found that 46 per cent of agencies 'exchange' personal information on-line with other agencies or external organisations, other than information covered by data matching pursuant to the Data Matching (Assistance and Tax) Act 1990. It is apparent from some agency comments that they may have counted the routine transmission of pay and personnel-related data which is common to all agencies, but there is still a significant exchange of other personal information online between many agencies and to some non-government organisations.
There is no doubt that the use and size of networks will expand. As an example, a number of Commonwealth agencies now routinely use the Internet as an information source and as a means of disseminating material to interested users. Security against loss of data and unauthorised access to systems is a major issue, and protection against possible hacking, viruses and computer crime via the Internet will require additional security measures such as encryption or 'firewalls', or the use of isolated PCs not connected to the agency network or system.
Networks within the federal administration and interfaces between contractors and various agencies are bound to increase as processing tasks are outsourced; as greater use is made of bureaux for the handling of common functions and as service delivery to remote sites is improved through advances in technology. Security of personal information within these new environments will need to keep pace with technological change.
The probable future proliferation of the uses of smart cards may include their use in the authentication of electronic financial transactions and of user identification for access control purposes. Smart cards utilising a variety of different technologies are being promoted by financial institutions and numerous concerns arise in respect to the privacy of smart card mediated transactions. However, smart card technology also has the potential to provide more secure access controls on computer systems than current password based systems (see also the Privacy Commissioner's information paper No 4, 'Smart cards: implications for privacy').
John Morison, Director, Privacy Compliance, Office of the Australian Privacy Commissioner.