iTnews

WA govt taking weeks to remove system access for ex-staff: audit

By Justin Hendry on Aug 5, 2021 4:31PM
Failings in access management uncovered.

Access management practices have been exposed within the WA government, with three departments found to be taking weeks – and even months – to off-board staff from IT systems.

In a staff exit controls audit, the WA auditor found the departments had failed to minimise information security risks as staff access to systems was not always cancelled in a “timely” fashion.

“It took between two and 161 days to deactivate or withdraw access to information systems after staff left the entity,” the report [pdf] released on Thursday said.

“This increases the risk of unauthorised access and can compromise the confidentiality, integrity and availability of the entities’ information.”

The audit sampled 83 staff and contractors who had left the departments of Planning, Lands and Heritage (DPLH); Finance; and Local Government, Sport and Cultural Industries (DLGSC).

Of the three departments, DLGSC was the worst offender, recording “insufficient information to determine when access to IT systems was cancelled for all 30 people in [its] sample”.

“System logs showing the dates of when this occurred were not recorded,” the report said, adding that it was able to determine only one person had accessed the system four days after their exit.

DPLH took between one and 124 days to cancel system access after an individual had left, where information was available.

For the most part, however, the department “did not routinely record specific dates when IT access [was] cancelled”.

“For 10 of our sample, there was no information to determine when access was cancelled,” the report said.

Meanwhile, Finance took an average of seven days to cancel access to systems, though in one case – which related to a secondment where the employee continued to perform work – it took 161 days.

The audit office was unable to determine when another 10 people – representing 38 percent of the people in the sample – had their access cancelled due to “insufficient information”.

Finance policy currently asks that IT access for terminated staff be disabled on the last day of employment, which the audit found was not always the most appropriate target.

“In some cases, this may mean people continue to have access while clearing their remaining leave when they should have no need to access systems,” the report said.

“This increases the risk of unauthorised access and weakens controls over inappropriate use.”

The audit was also unable to verify whether staff had returned all IT assets to the three departments upon their departure due to “insufficient records”.

At the DPLH, 15 people – or more than half the 27 staff sampled – had “left with no evidence of laptop return or what was issued”, while at DLGSC there was only evidence for six of the 30 staff sampled.

Finance was able to “demonstrate that 19 of 26 staff in [the] selected sample returned their IT equipment”, though seven did not have adequate documentation.

The auditor has recommended that all three departments ensure access to IT systems is removed or disabled immediately when staff leave and clearly record this.

It has also asked that departments maintain a register of all assets issued to staff and ensure assets are returned upon exit.

All three departments have agreed.
