Singapore's public sector must plug weaknesses in IT controls and resolve recurring lapses, or these will adversely impact accountability over public funds and resources. Greater use of analytics also should be considered to identify unusual behaviour within public IT systems, according to the latest report by the Public Accounts Committee.
Responsible for assessing how public funds are used, the committee pointed to concerns over weaknesses in IT controls and lapses in procurement and contract management across the public sector. These had been highlighted repeatedly in past annual reports released by the Auditor-General's Office, including last year's.
"There is a need for the public sector to address the recurring lapses and basic mistakes," said the Public Accounts Committee in its report. "Given the scale, speed, and complexity of the work in the public sector, the committee is concerned that these lapses--if not addressed--may compound over time and weaken the governance and accountability over public funds and resources."
It called on the government to "more fundamentally" assess systems and process improvements as well as adopt more effective measures in extending the lessons learnt across all public sector agencies. These organisations then should follow through the plans and measures rolled out to address the lapses.
The committee called up delegates from four government agencies including the Ministry of Finance, Smart Nation and Digital Government Group (SNDGG), and Ministry of Health to discuss how the lapses would be addressed.
Specifically, given the speed at which the public sector was implementing new IT systems, the committee expressed concerns over the repeated audit observations on weaknesses in IT controls across several public agencies. It added that many of the operating system (OS) administrators, with access to sensitive data and privileged user accounts, were IT vendor staff.
"There is a risk of agencies not detecting unauthorised access or unauthorised activities that could compromise the integrity and confidentiality of data in their IT systems," the committee noted, adding that the SNDGG was asked to outline its plans to address these concerns.
In response, the group said the logging and review of privileged users' activities were carried out manually and human oversight was needed to examine event logs, which could be "voluminous".
With regards to user access rights management, there also was a lack of good standard operating procedures for IT teams to identify employee's job movements and role changes. In addition, there was no coordination between the IT and human resource departments to highlight staff movements. These resulted in delayed reviews of user access rights.
Technical measures to be rolled out
To plug weaknesses in IT controls, the SNDGG unveiled plans to "codify practices" and implement centralised systems to automate IT tasks. These would reduce the potential for human errors, it said. In this aspect, the committee recommended the smart nation group expanded the use of data analytics to extract insights and identify unusual behaviour within IT systems.
The SNDGG also planned to build a technical system to facilitate IT governance by tapping audit and incident data to predict potential governance risks in ICT systems. Slated to be ready by October 2020, the system would enable checks and audits to be more effective and targeted, it said.
A system to pull and analyse log data from all agencies also would be established to resolve inadequacies in the management of privileged user access. This would flag unexpected user behaviours were detected and trigger alerts to the relevant agency for review.
The SNDGG said this would be applied to critical systems, targeted for completion by December 2022. In addition, machine learning capabilities could be incorporated so the system would become more astute in picking up anomalies over time for better insights.
An application also would be developed to automate the removal of user accounts and access rights once HR records were updated, after an employee leaves an agency. This would be rolled out for critical systems by December 2023.
To further beef up accountability, the SNDGG said a senior officer--at the Deputy Secretary level--since had been appointed at every ministry to oversee ICT governance and security issues as well as drive their respective ministry's technology and digitalisation efforts.
In its 2019 report, the Auditor-General Office highlighted IT controls as a major area for improvement. The Ministry of Defence, for example, granted several employees of a third-party IT vendor access to its Enterprise Human Resource system, enabling them to read personnel and payroll information on the system, including 73 data types for which the ministry required controlled access to be put in place.
In addition, no review was carried out on the log records of the datasets that had been accessed and read by the IT vendors. In fact, the Defence Ministry had not conducted a review of such log records since 2014, which meant any access for unauthorised purposes would have gone undetected and not followed up upon.
"With vast amounts of data managed, which includes personal and confidential data, any unauthorised access or activity could have significant implication on the integrity and confidentiality of the data in the IT systems," the Auditor-General Office noted.
Investigation into a July 2018 security breach, which compromised personal data of 1.5 million SingHealth patients, uncovered several poor security practices, including the use of weak administrative passwords and unpatched workstations. Inadequacy in the network also allowed the hackers to run bulk queries because the system lacked rules or controls that could have identified such patterns of behaviour or unauthorised use.
This, and a spate of breaches that involved other government entities, led to a review last April of data security practices within the public sector to assess, amongst others, processes related to the collection and protection of citizens' personal data.