Government agencies lashed for USB insecurity

ATO praised.
Two Australia Government departments are set for a security overhaul next year after the federal Auditor-General found device management proceses lacking.

The audit report [pdf] found gaping holes in the management by agencies Insolvency and Trustee Service Australia (ITSA) and Hearing Australia of portable devices like phones and USB sticks used to carry corporate data.

The agencies had outdated policies for use of the devices, lacked processes to track corporate USB flash drives and did not use encryption on any portable device, the audit found.

Hearing Australia reported encryption could cause some of its medical equipment to stop functioning.

One staffer at ITSA said “USBs had become the norm” to transport large corporate documents because shared devices were not available.

At that agency, policy for handling storage was at least five years old and staff training was typically only done on an informal basis when employees were hired.

Neither of the two agencies had a mechanism to track a file's movement from the corporate network to portable devices.

The auditor said that the use of personal smart phones including BlackBerrys and iPhones on the agencies' corporate networks was less concerning because of in-built security controls.

Both agencies pledged to begin security revamps next year and will replace portable devices with corporate-issued, tracked and encrypted devices.

Both also promised to install infrastructure to manage devices and refresh training and policy.

ATO praised

The ATO, by contrast, was thoroughly praised for its efforts to secure devices.

All 2500 corporate USB flash drives used at the agency were encrypted, required biometric fingerprint authentication and restricted to a single brand.

Staff were forced to go through an approval process before they could be issued with a device and even then were restricted in the types of documents that could be transferred onto the devices.

The report praised the ATO after “only” 44 of 322 responding agency staff said they had not had training in portable device security in the last year.

Government agencies have until July 31 next year to comply with new device security standards detailed under the Protective Security Policy Framework.