The Malta Independent 20 April 2024, Saturday

Lax password security practices flagged in NAO cyber security report on 10 government entities

Tuesday, 28 February 2017, 19:07

The National Audit Office (NAO) has issued an IT Audit report on cyber security across Government entities, and found a number of issues.

The principal aim of this comprehensive report was to evaluate the level of adoption of selected cyber security controls across ten Government entities, namely: Malita Investments p.l.c.; Malta College of Arts, Science and Technology; Malta Competition and Consumer Affairs Authority; Malta Enterprise Corporation; Malta Freeport Corporation Ltd.; Manoel Theatre; Commission for the Rights of Persons with Disability; Refugee Commission; Regulator for Energy and Water Services; and Wasteserv Malta Ltd.

The aspects of cyber security reviewed by the NAO in the selected audit sites essentially dealt with critical issues such as the management of IT services; confidentiality and integrity of data; cyber security awareness; antivirus protection; business continuity and disaster recovery; IT hardware and software inventories; physical security; server monitoring; and software access control.

The report, a government statement read, found a number of issues. These include that small Government entities are opting to fully outsource their IT services despite lacking the capacity to manage these outsourced services; that certain entities which do not have internal IT capabilities are opting for cloud hosting without seeking the necessary technical advice; that only one of the 10 audited entities has a data retention and storage policy; that there is a general lack of cyber security awareness amongst users; that none of the audited entities has a formally written business continuity and disaster recovery plan; and that 50% of the entities audited do not have a software inventory.

"In most of the selected audit sites, best practices are not being followed in terms of password complexity, password expiry, password history and the need to force the user to change his/her password upon first logon;"

The report also found that in many instances, offline mailboxes are not being duly backed up; and there are inadequate and insecure server environments.

The NAO recommended that all entities which have participated in this audit should review their IT operations with the support of their respective Ministry CIO, with the aim of improving their level of preparedness in the area of cyber security. Indeed, evidence in hand suggests that the recommendations listed in this report may, in some way or other, apply to all Government departments and entities and, thus, it is recommended that all entities follow the best practices listed in this document.

This report may be accessed through the National Audit Office website www.nao.gov.mt or Facebook page www.facebook.com/NAOMalta

