Audit+Rp+13
91 pages
English


Information

Published by
Number of reads: 11
Language: English

Extract

The Auditor General
Audit Report No.13 2001–2002
Performance Audit
Internet Security within Commonwealth Government Agencies
Australian National Audit Office
© Commonwealth of Australia 2001
ISSN 1036 7632
ISBN 0 642 44271 1

COPYRIGHT INFORMATION
This work is copyright. Apart from any use as permitted under the Copyright Act 1968, no part may be reproduced by any process without prior written permission from the Commonwealth, available from AusInfo. Requests and inquiries concerning reproduction and rights should be addressed to:
The Manager,
Legislative Services,
AusInfo
GPO Box 1920
Canberra ACT 2601
or by email:
Cwealthcopyright@finance.gov.au
Canberra ACT
20 September 2001

Dear Madam President
Dear Mr Speaker

The Australian National Audit Office has undertaken a performance audit across agencies in accordance with the authority contained in the Auditor General Act 1997. I present this report of this audit, and the accompanying brochure, to the Parliament. The report is titled Internet Security within Commonwealth Government Agencies.

Following its tabling in Parliament, the report will be placed on the Australian National Audit Office’s Homepage—http://www.anao.gov.au.

Yours sincerely
Ian McPhee
Acting Auditor General

The Honourable the President of the Senate
The Honourable the Speaker of the House of Representatives
Parliament House
Canberra ACT
AUDITING FOR AUSTRALIA

The Auditor General is head of the Australian National Audit Office. The ANAO assists the Auditor General to carry out his duties under the Auditor General Act 1997 to undertake performance audits and financial statement audits of Commonwealth public sector bodies and to provide independent reports and advice for the Parliament, the Government and the community. The aim is to improve Commonwealth public sector administration and accountability.

Auditor General reports are available from Government Info Shops. Recent titles are shown at the back of this report.

For further information contact:
The Publications Manager
Australian National Audit Office
GPO Box 707
Canberra ACT 2601
Telephone (02) 6203 7505
Fax (02) 6203 7519
Email webmaster@anao.gov.au

ANAO audit reports and information about the ANAO are available at our internet address: http://www.anao.gov.au
Audit Team
Dr Paul Nicoll
Michael McFarlane
Belinda Conn
Contents
Abbreviations 7
Glossary 8

Summary and Recommendations
  Summary 13
  Background to the Audit 13
  The Audit 14
  Key Findings 19
  Recommendations 23

Audit Findings and Conclusions
  1. Introduction 29
    Government Agencies on the Internet 29
    Previous ANAO reports 36
    Audit objective and scope 37
    Audit methodology 39
    Structure of this report 40
  2. Internet Security Risk Assessments, Policies and Plans 41
    Context 41
    Description of Internet sites assessed in this audit 44
    Risk assessments 47
    Internet security policies 49
    Internet security plans 51
    Business continuity planning 52
    Conclusion 55
  3. Elements of Internet site management 57
    Security features of static and transactional sites 57
    Security features of sites dealing with personal or commercially sensitive information 58
    Contract management 60
    In house site management 62
    Outsourcing Internet site management 65
    Conclusion 66
  4. Internet Security Outcomes 67
    Overall Internet site test results 67
    Documentation 68
    Perimeter security 68
    Server configurations 69
    Administration 69
    Intrusion detection 70
    Virus prevention and content filtering 71
    Auditing 72
    Websites 72
    Conclusion 73

Appendices
  Appendix 1: Commonwealth Guidance Material on Internet Security 77
  Appendix 2: Standard Access Clauses 81
Index 88
Series Titles 89
Better Practice Guides 90
Abbreviations
ABN–DSC Australian Business Number—Digital Signature Certificate
ABS Australian Bureau of Statistics
ACCC Australian Competition and Consumer Commission
ACS Australian Customs Service
ACSI 33 Australian Communications Electronic Security Instruction 33
AEC Australian Electoral Commission
AFFA Department of Agriculture, Fisheries and Forestry Australia
ANAO Australian National Audit Office
ARPANSA Australian Radiation Protection and Nuclear Safety Agency
ATO Australian Taxation Office
DEWRSB Department of Employment, Workplace Relations, and Small Business
DHAC Department of Health and Aged Care
DoS Denial of Service
DSD Defence Signals Directorate
ECI Electronic Commerce Interface
EDI Electronic Data Interchange
ESD Electronic Service Delivery
GPKI Government Public Key Infrastructure
ISP Internet Service Provider
NOIE National Office for the Information Economy
PKI Public Key Infrastructure
PKT Public Key Technology
PSM Protective Security Manual
Treasury Department of the Treasury
Glossary
e-commerce (Electronic Commerce): A method of conducting or managing business-related transactions using computer and telecommunications technology.
e-mail (Electronic mail): A facility to send messages, with or without documents or other information, electronically.
firewall: A firewall is a combination of hardware and software designed to filter information and control access to applications and data according to a set of rules.
gateway: A secured connection between an internal network and an external network such as the Internet.
gateway certification: An agency or private sector Internet gateway provider may seek an independent assessment of gateway security policy, design and management to be conducted by DSD. If successful, the gateway receives certification by DSD. A description of the Gateway Certification Guide may be found at Appendix 1.
Government Online (agenda): Announced by the Prime Minister in a December 1997 policy statement Investing for Growth, Government Online is an initiative to see all appropriate government services deliverable via the Internet, by the end of 2001.
Internet: A worldwide public communication facility that provides an electronic pipeline for the transmission of e-mail and information between governments, businesses and individuals.
Internet browser: A software application which enables users to access the Internet.
Intrusion Detection System: A combination of hardware and software designed to monitor activity within the Internet gateway and highlight suspicious or unusual access or user activity.
Public Key Technology (PKT): PKT is a form of cryptography that allows two parties to communicate in such a way that a third party is unable to determine the content of the message (confidentiality) or alter the message without detection (integrity). PKT can also provide authentication of identity and non-repudiation in online transactions.[1]
Public Key Infrastructure (PKI): PKT is supported by an administrative or trust framework with standards and rules, collectively called the PKI. This framework includes PKT products, service facilities, policies, procedures, agreements and participants.[2]
router: A piece of hardware used to direct Internet traffic into and out of an Internet gateway. A router might be considered as the ‘front door’ to an agency’s Internet gateway.

[1] Consultation Paper—Privacy Issues in the Use of Public Key Infrastructure for Individuals, Office of the Federal Privacy Commissioner, June 2001, paragraph 3.1, p. 30.
[2] ibid. paragraph 3.5, p. 32.
