An audit into the cybersecurity measures applied to IT servers of 10 unnamed Victorian state government departments has found a number of gaps related to effective security controls.
The recently released Victorian Auditor-General’s Office (VAGO) report, which also analysed the CenITex IT Service Centre, found that no audited agency has a complete and accurate inventory of their servers.
"Without this, agencies cannot reliably apply, manage or monitor the technical security controls needed to protect their servers," the office said.
The audit also found that those agencies have outdated operating systems and some servers that lack mature technical security controls, exposing agencies to cyber threats and increasing the risk of successful cyber attacks.
Specifically, the VAGO concluded that automated asset discovery tools are not set up to capture all servers; not all agencies reconcile server information; all agencies have server information that is inaccurate or incomplete; agencies’ technical security controls have low maturity based on industry benchmarks; and all agencies have servers with operating systems that are not receiving mainstream support.
The VAGO made two recommendations for all agencies, to improve tracking of their servers and to strengthen the technical security controls applied to them, and made one recommendation for the Department of Government Services to issue guidance on expectations for server security.
The audit followed two lines of enquiry: do agencies track all their servers and apply foundational security controls to them, and do agencies monitor their server security and strengthen it in response to threats?
To answer these questions, the VAGO examined server inventory information; technical security controls applied by agencies to their IT servers against the Microsoft cloud security benchmark; and threat and vulnerability monitoring and reporting activities.
The VAGO gathered information on technical security controls applied by agencies via a survey and interviews.
This is the second report examining cybersecurity in the Victorian Public Service.
The first report in 2023 found that audited agencies could improve their cloud-based identity management and device management controls.