An audit has found a glaring and unnecessary issue with government information security. 

The Australian National Audit Office (ANAO) has been assessing the implementation of information security rules within government departments.

Among many serious issues, the ANAO has found a lack of proper termination of access for people who no longer work in a department. 

“The ANAO assessed termination controls in place at 144 relevant government entities and found that 53 entities do not have a policy encompassing user access removal or that define the timeframe access should be removed from systems following a user’s departure from the entity,” a recent ANAO report says.

“A lack of policies related to user access removal increases the risk that access will not be removed in a timely manner and may be inappropriately used to access information.”

Dozens of government entities were slammed for potentially easing access to sensitive information. 

“Of the entities reviewed, 35 entities do not allow for the HR systems to enter terminations after cessation,” the report says.

“This was either due to system restrictions, or an assessment by the entity that it does not require backdated cessations as all users are identified and actioned on their last working day.”

By not allowing backdated terminations, government agencies cannot monitor unauthorised access to its systems, which could also result in inaccurate records.

The ANAO’s review found legacy access is not the only issue. 

“The majority of entities assessed, 119 entities of 144 relevant entities, do not have an effective control to monitor access or activity in entities systems after user cessation,” the report says.

“Of these 144 entities, 14 entities currently have an open finding relating to terminations including seven which have been assessed as a moderate risk.”

The full report is accessible here.