Report 10 of 2021

ICT vulnerability management in South Australian public sector entities

ICT reviews
Published

This report presents the results of a high-level review we conducted of 10 public sector entities to understand the level and maturity of their penetration testing and vulnerability scanning. The review involved confirming the types of public-facing ICT environments maintained by each entity, the number and frequency of testing and scanning reviews performed in the last three years, the resources used to perform these reviews and the level of remediation.

We found that the entities we reviewed did not always effectively manage the penetration testing and vulnerability scanning of their public-facing environments.

We also found that the level of penetration testing and vulnerability scanning conducted by most of these entities in the last three years was limited and ad hoc. We identified several environments holding sensitive information that were not tested or scanned.

While the penetration testing and vulnerability scanning performed by these entities increased in the last 12 months, the entities need to further strengthen their overall management of vulnerability management security controls.
