Numerous lapses have been uncovered in how Singapore government ministries and agencies managed their IT systems, including unapproved administrative changes and unauthorised third-party access.
These oversights were highlighted by the Auditor-General’s Office (AGO) in its annual audit of government accounts for the fiscal year ended March 31, 2017. The assessment covered eight areas including procurement and payment, financial controls, IT controls, and contract management. All 16 government ministries, 12 statutory boards, and five government-owned companies were among those audited.
The AGO said it identified weaknesses in IT controls across several public sector entities, some of which were similar to those highlighted in previous audits.
“The lack of attention to these areas observed in some entities is of concern in view of the public sector’s high dependency on IT systems and data for government operations, and the fast-evolving IT security threats,” it noted in its report released Tuesday.
The office added that IT was widely used across Singapore’s public sector to manage financial transactions, engage with citizens and businesses, as well as enhance work productivity. These government bodies also manage large volumes of data containing personal and other sensitive information.
Amidst a landscape where cybersecurity threats were increasing, the AGO underscored the need for Singapore’s public sector to adopt effective measures to safeguard their IT systems and data.
In its report, it noted several lapses in IT controls under the purview of the Central Provident Fund Board (CPFB), Singapore Corporation of Rehabilitative Enterprises (SCORE), the National Parks Board (NParks), and the Ministry of Social and Family Development (MSF).
The CPFB, for example, failed to monitor its IT security systems and unauthorised changes to its databases and systems. During test checks of system logs over three months, the AGO determined that 88.7 percent of changes made by CPFB administrators were not pre-approved. Alert reports generated for review by an IT security monitoring system also were incomplete.
In addition, 14 user accounts were not removed promptly after employees had left the board. Of these, six accounts were used after the staff’s last working day and the identities of those who accessed the accounts could not be determined.
Similar lapses were found at NParks, which did not remove access rights of 104 suspended user accounts after the employees had left the organisation, some as far back as a decade ago.
Over at MSF, which was monitored over 11 months, 595 instances of access by its IT vendor team were found to be inappropriate and should have required further investigation. In fact, 560 instances involved the IT vendor’s use of a privileged system user account, one that did not belong to the vendor, to access the MSF systems.
“These violations of IT controls could compromise the confidentiality and integrity of the data in the systems, resulting in leakage of information or corruption of data used for computation of bonuses or subsidies under the schemes [processed by MSF],” the AGO said.
In its response, Singapore’s Ministry of Finance said the government’s “overall system of managing public funds remains sound”, but it acknowledged there was room for improvements as identified by the AGO report, including in IT controls.
“While we recognise it is not possible to completely eliminate individual human lapses, errors or misjudgement, the public service is taking a concerted effort to address the issues identified… Heads of the agencies responsible have reviewed each case and where warranted, appropriate actions have been or will be taken against those responsible,” the ministry said.
In its audit last year, the AGO rapped the Ministry of Law for not properly monitoring and reviewing logs containing activities carried out by external IT vendors, specifically those involving IPTOBis servers. These systems were used by the law ministry to manage cases pertaining to its insolvency, public trustee, and related regulatory functions. Proper reviews of the activity log would have enabled the ministry to detect any unauthorised system access or change, the AGO said, adding that 44 user accounts temporarily provided to IT vendors had not been removed after these were no longer required.
Government outlaws use of unauthorised USB drives
The AGO report came a week after the Singapore government unveiled its draft cybersecurity bill, outlining new legislation that would require operators of local critical information infrastructures to take steps to safeguard their systems and swiftly report threats and incidents. Released by the Ministry of Communications and Information (MCI) and Cyber Security Agency (CSA), the proposed new laws also would facilitate information sharing across critical sectors and require selected service providers as well as individuals to be licensed.
Last week, the Government Technology Agency (GovTech) announced that all government employees from July 25 would be able to use only authorised USB storage drives. A pool of portable storage devices that catered to the government’s security requirements would be made available to public servants on a “working need basis”, the government’s CIO office told local media. It added that other tools such as file transfer devices also would be provided to government agencies.
GovTech said: “USB storage devices continue to be a means to introduce malware and exfiltrate data, especially as they have the potential to be easily misplaced.”
The latest move came more than a year after the government said it would restrict internet access amongst its 143,000 public servants, allowing them to access only the intranet and work e-mail via their workstations.
Full online access would only be provided via designated terminals, though government employees still would be allowed to browse the web via their own personal mobile devices, which would have no access to work e-mail systems.