IT controls in several Singapore government entities including the Defence Ministry have been found to be weak, where third-party access rights are lax and the logging and review activities of privileged users inadequate. There also have been lapses in the management of user access rights, where some of these privileged users are staff of IT vendors.
These findings were released in the Auditor-General Office's (AGO) latest annual report, which further noted that similar issues already had been identified across various public sector entities in its audits over the last few years. This indicated that IT controls remained a major area for improvement, it said.
The assessment covered all 16 government ministries, nine statutory boards, four government-owned companies, four government funds, and three other accounts, and involved the office's examination of records, files, reports, and various other documents as well as site visits and interviews with government officers.
In stressing the importance of robust IT controls to prevent and detect illegal activities, the AGO said the public sector was leveraging technology in many ways such as digitisation and process automation to improve its services to citizens and businesses.
"With vast amounts of data managed, which includes personal and confidential data, any unauthorised access or activity could have significant implication on the integrity and confidentiality of the data in the IT systems," it said.
The Ministry of Defence, for example, had granted several employees of the IT vendor access to its Enterprise Human Resource system, enabling them to read personnel and payroll information on the system, including 73 data types for which the ministry required controlled access to be put in place.
Read access was not given to these IT vendor staff on a needs-only basis, noted the AGO. For instance, 23 data categories had not been accessed by any of the staff at any time over the 2.8 years covered by the AGO's tests, while four of these employees had never accessed any of the 73 information types since they were granted rights. This showed access was not given strictly on the basis of an IT vendor employee's job scope and duties, the office said.
In addition, no review was carried out on the log records of the datasets that had been accessed and read by the IT vendors. In fact, the Defence Ministry had not conducted a review of such log records since 2014, which meant any access for unauthorised purposes would have gone undetected and not followed up upon.
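The AGO's test amounts to reconciling what was granted against what was actually read. The following is an added example of that review, not code from the report or any ministry system; the grant and access-log records are constructed sample data, and the function name is a placeholder.

```python
"""Least-privilege review: reconcile granted read access against the access log.
Added example (not from the AGO report); all records below are constructed."""

# Constructed sample: which vendor accounts were granted read access to which
# data types. In the case above there were 73 data types; two stand in for them.
GRANTS = [
    {"user": "vendor01", "data_type": "payroll"},
    {"user": "vendor01", "data_type": "bank_account"},
    {"user": "vendor02", "data_type": "payroll"},
    {"user": "vendor02", "data_type": "bank_account"},
    {"user": "vendor03", "data_type": "payroll"},
]

# Constructed sample access log: one record per read of a data type.
ACCESS_LOG = [
    {"user": "vendor01", "data_type": "payroll", "when": "2016-03-02"},
    {"user": "vendor01", "data_type": "payroll", "when": "2017-08-09"},
]


def review_entitlements(grants, access_log):
    """Return (unused_data_types, idle_users, unused_grants).

    unused_data_types: data types granted to someone but read by no one
                       (the AGO's "23 categories never accessed").
    idle_users:        users holding grants who never read anything
                       (the AGO's "four employees who never accessed any").
    unused_grants:     every (user, data_type) pair that was never exercised,
                       i.e. the rights a least-privilege review would revoke.
    """
    granted = {(g["user"], g["data_type"]) for g in grants}
    used = {(r["user"], r["data_type"]) for r in access_log}

    unused_grants = sorted(granted - used)
    unused_data_types = sorted({dt for _, dt in granted} - {dt for _, dt in used})
    idle_users = sorted({u for u, _ in granted} - {u for u, _ in used})
    return unused_data_types, idle_users, unused_grants


if __name__ == "__main__":
    types, users, pairs = review_entitlements(GRANTS, ACCESS_LOG)
    print("data types granted but never read:", types)
    print("users who never used their access:", users)
    print("grants to revoke:", pairs)
```

The same reconciliation only works if the access log is complete for the review period, which is why the missing log reviews noted above matter as much as the over-broad grants.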
In its defence, the ministry said it had anticipated that the HR system would be complex to administer and would require dedicated resources to manage a range of HR operations. Hence, it deployed the employees of its IT vendor to support the management of the system, which meant granting them read access to all information types.
According to the AGO, the Ministry of Defence said it had put in place "strict" controls to mitigate risks arising from granting such access, including security clearance of the IT vendor's staff, designated rooms that were monitored by CCTV for them to work in, and regular reviews of CCTV footage.
The ministry, though, acknowledged it could have better managed the assignment of roles based on more specific job scopes, so access rights could be streamlined to only what was required. It told the AGO it had since removed IT vendor employees' access to the 23 information types and revoked the access rights of the four IT vendor employees who had never accessed any of the datasets.
According to the report, similar lapses also were found at the Ministry of Finance, where access rights assigned to privileged users for the government's accounting and financial system, NFS@Gov, allowed them to change configuration settings such as controls over the approval process and other business rules.
In addition, the Accountant-General's Department did not conduct any review of the system audit tables. Activities such as updating approval limits and setting up approval workflows in NFS@Gov were also not captured in the system audit tables, because the department had only partially turned on audit logging.
Lapses also were found at the Manpower Ministry, in particular in its management of its IT security monitoring system. It did not know that five servers for two of its IT systems were unable to send logs to the IT security monitoring system due to outdated configurations.
The ministry also had not reviewed changes made to the SIEM (security information and event management) system since it was deployed in January 2016. Furthermore, two of its staff and one from its IT vendor who were responsible for maintaining the SIEM system had access rights to change security alert rules and remove systems from being monitored by the SIEM system.
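Both Manpower Ministry findings are coverage checks a monitoring team can automate: which expected log sources have gone quiet, and which SIEM rule or scope changes postdate the last review. The following is an added example, not code from the report or any ministry's SIEM; the server names, timestamps and change records are constructed.

```python
"""SIEM coverage check: silent log sources and unreviewed rule changes.
Added example (not from the AGO report); all records below are constructed."""
from datetime import datetime, timedelta

# Constructed: servers that are supposed to forward logs to the SIEM.
EXPECTED_SOURCES = {"hr-app-01", "hr-app-02", "hr-db-01", "fin-app-01", "fin-db-01"}

# Constructed: last event the SIEM received from each source. A source missing
# from this map has never reported, which is exactly the "outdated
# configuration" failure that goes unnoticed without such a check.
LAST_EVENT = {
    "hr-app-01": datetime(2018, 7, 1, 9, 0),
    "hr-app-02": datetime(2018, 5, 3, 17, 0),   # stopped weeks ago
    "hr-db-01": datetime(2018, 7, 1, 8, 55),
    "fin-app-01": datetime(2018, 7, 1, 9, 2),
}

# Constructed: audit trail of changes to alert rules and the monitored-asset list.
RULE_CHANGES = [
    {"when": datetime(2017, 11, 20), "who": "siem-admin1",
     "change": "disable rule: failed-logon-burst"},
    {"when": datetime(2018, 6, 14), "who": "vendor-eng",
     "change": "remove asset fin-db-01 from monitoring"},
]


def silent_sources(expected, last_event, now, max_gap=timedelta(hours=24)):
    """Return expected sources that never reported or exceeded max_gap of silence."""
    silent = []
    for src in sorted(expected):
        seen = last_event.get(src)
        if seen is None or now - seen > max_gap:
            silent.append(src)
    return silent


def unreviewed_rule_changes(changes, last_review):
    """Return rule/scope changes made after the last documented review, oldest first."""
    pending = [c for c in changes if c["when"] > last_review]
    return sorted(pending, key=lambda c: c["when"])


if __name__ == "__main__":
    now = datetime(2018, 7, 1, 10, 0)
    print("silent sources:", silent_sources(EXPECTED_SOURCES, LAST_EVENT, now))
    # Deployed January 2016 and never reviewed since: everything is pending.
    for c in unreviewed_rule_changes(RULE_CHANGES, datetime(2016, 1, 31)):
        print(c["when"].date(), c["who"], c["change"])
```

Removing an asset from monitoring shows up in the second list only if the SIEM's own change log is itself forwarded somewhere the three rule administrators cannot edit.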
In his remarks on the report, Singapore's auditor-general Goh Soon Poh pointed to similar lapses in procurement and weaknesses in IT controls that were found in previous years and urged diligence. Goh said: "It is important that public sector entities avoid repeating similar lapses and implement effective measures to enhance governance and controls on the use of public funds."