AGO's report on CPF Board: Lapses in management of 2 IT security monitoring systems

The Central Provident Fund Board did not review changes made to one of the IT security monitoring systems for 1.5 years after it was implemented in March 2015, the Auditor-General’s report found.

SINGAPORE: Two IT security monitoring systems used by the Central Provident Fund Board (CPFB) to track the activities of databases and systems were in the spotlight in the Auditor-General’s latest report.

The report by the Auditor-General’s Office (AGO), which was released on Tuesday (Jul 18), noted that the lapses included not reviewing changes made to the IT security monitoring systems and incomplete reports generated for review of potential IT security violations. There was also no policy to identify IT systems that should be tracked by one of the IT security monitoring systems, it added.

“These lapses could affect the effectiveness of the two IT security monitoring systems in detecting IT security violations,” the report pointed out.

OVERSIGHT LACKING

According to the report, CPFB did not review changes made to one of the IT security monitoring systems for 1.5 years after it was implemented in March 2015. The review was only done in September 2016, after AGO commenced its audit, and as such, it was not possible to ascertain if there were unauthorised changes made to the system before that.

“Unauthorised changes to the system increase the risk of IT security violations not being detected and consequently mitigated or prevented in a timely manner,” the report said.

Even after CPFB started reviewing changes made to this IT monitoring system, AGO’s checks found that in one instance, a system administrator did not make three approved changes, but instead made six changes which had not been approved. The administrator’s supervisors, who had reviewed the changes, also failed to detect the discrepancies.

The system was also not configured properly to provide complete alert reports on IT security violations detected, the report said. For instance, AGO noted that the reports generated did not capture the activities on a particular day of each week, which meant that CPFB would not be alerted to any violations if they happened on those days.

As for another IT security monitoring system that tracked IT activities on CPFB’s systems, AGO said the Board did not enforce the proper change management process before changes were allowed to be made to the system for two years after it was implemented in November 2014.

Again, CPFB only started doing so after the AGO commenced the audit, which found that from July to September 2016, about 88.7 per cent of the changes by administrators were not supported by approved requests for change. This meant the AGO was not able to determine if the changes made during the period were authorised, it said.

The government fund also did not have a policy to identify IT systems that should be monitored for IT security violations, and this could mean that such violations would not be brought to CPFB’s attention, the report said.

The monitoring system had also not been configured to flag out certain key IT activities, such as the creation of user accounts and assignment of privileges to these accounts, in the systems being monitored since its implementation, the AGO report pointed out. It also said CPFB did not have a process to periodically review and update the IT security monitoring system’s configurations.

REMEDIAL ACTION TAKEN

To this end, CPFB said it acknowledges the gaps and has taken the following steps to address the highlighted lapses:

  • Implemented a change management process since January 2017
  • Placed all key systems under monitoring in December 2016
  • Generated daily alert reports for review since January this year
  • Confirmed there were no unauthorised activities after reviewing available log data not captured in previous alert reports
  • Implemented a system to periodically review the configurations of the IT security monitoring system that tracks IT activities on its systems

CPFB also explained that it has a “multi-layered IT defence system” to protect against unauthorised access and changes at all times and, while there were gaps in the management, there are “separate and tight controls to ensure that its systems and databases continue to be protected against possible threats”, the report said.

LAX MANAGEMENT OF TEMP STAFF ACCOUNTS

Beyond the IT security monitoring systems, the AGO report also found that of the 15 user accounts for two IT systems assigned to temporary staff, 14 of these were not removed promptly after the worker left the organisation.

Additionally, six of these accounts were used after the last working day of the temporary staff and CPFB was unable to identify who had used them. “Such laxity in managing user accounts exposes the two IT systems to unauthorised use,” the report said.

AGO noted that this happened in a department which administered the Goods and Services Tax Voucher scheme, and had engaged the 15 staff in 2014 and 2015 and gave them primarily enquiry access to the two IT systems.

Of the 15 user accounts, 14 were not set to expire on the last day of work even though the organisation had such a requirement. Nine of the 14 accounts were deleted between eight and 66 working days after the last working day of the staff, even though requirements state that they should be deleted within seven working days.

It also found that six of the nine accounts had been used to access the IT systems after the temp worker’s last day, and one of these had the additional access rights to initiate changes to information in one of the IT systems.

CPFB explained that some of the new temporary staff were allowed to use the accounts of their predecessors so they could start work immediately while waiting for new accounts to be created, but it could not provide evidence to support its claim, the report noted, adding that such sharing of accounts was a breach of the organisation’s IT security policy.

CPFB acknowledged the process gap in the department’s management of access to IT systems for these temp workers, and said sharing of user accounts had been discontinued. The report also noted that CPFB has instituted a three-level check for all IT system access granted to staff to ensure that access is granted on a need basis and promptly deleted when it is no longer required.

Source: CNA/kk