Queensland Government security audit

Writing in the Courier Mail, journalist Mike O'Connor takes a particularly cynical view of  the Auditor-General's latest official report into information systems governance and security at the Queensland Government:

"IF YOU ran a business that spent $1.5 billon a year on information technology systems that contained highly sensitive, confidential data, then you would very likely take care that you were getting your money's worth.  You might also ensure the best-practice security systems were in place and that your staff knew what to do and how to do it.  The Queensland Government, however, takes a more relaxed approach to the value it gets for its $1.5 billion, one best characterised by those two delightful Australian synonyms for incompetence and ineptitude, "She'll be right'' and "No worries''."

 The audit report identified issues such as:

• Weaknesses in the overall governance of IT;
  
  
• No clear business owners for whole-of-government IT programmes;
  
  
• Persistent weaknesses in network security (despite this having been raised in previous audits);
  
  
• Out of date or untested IT DR plans, with some agencies having not even identified their critical business processes as yet and particular concerns around the shared IT infrastructure. 

The inter-departmental issues are disappointing given the strategy announced in 2009 "to achieve efficiencies by enabling the Queensland Government to perform successfully as a single enterprise".  At one point, the report says:

"The CEO Leadership Team Services Sub-committee was assigned the responsibility for being accountable for the delivery of benefits and outcomes of the Toward Q2 through ICT strategy and projects. This responsibility was communicated to Cabinet through a progress report on the portfolio. However, the terms of reference for the CEO Leadership Team Services Sub-committee did not reflect this role.  ... Between December 2009 and December 2010, 13 meetings of the Services Sub-committee were held but no material decisions relating to the Toward Q2 through ICT portfolio were made by the Sub-committee during that time. The Services Sub-committee did not have the necessary powers to exercise effective governance over the portfolio such as changing the progress or discontinuing initiatives in response to an assessment of their capacity to deliver benefits to the operations of the Queensland Government."

If you are familiar with the BBC satire (documentary!) "Yes, Minister", it's not hard to imagine the internal politics associated with driving, and particularly funding, cross-governmental security initiatives in this cost-cutting environment.