New systems, steps to be rolled out to reduce IT lapses by ministries

The Government's smart nation and technology office will roll out new automated systems and accountability measures aimed at reducing IT lapses by ministries, a recurring issue flagged by the Auditor-General's Office (AGO) in recent years.

These will include IT solutions that will review the activity logs of privileged user accounts and flag any unexpected behaviour - such as unauthorised data access - while also automatically removing user accounts and access rights once an officer resigns or changes roles.

Privileged accounts are user accounts with fewer restrictions than those of ordinary users, which also makes them more likely to be targeted by hackers, as such accounts have deeper access to critical systems and sensitive data.

The parliamentary watchdog of public sector accounts said in its report yesterday that the Smart Nation and Digital Government Group (SNDGG) will introduce these tools across government agencies in the coming years.

The system to automate the analysis of log data will cover critical government systems by December 2022, while the second one on user access rights will be ready a year later.

The SNDGG consists of the Smart Nation Office under the Prime Minister's Office, and GovTech, the agency behind the public sector's technology transformation.

The SNDGG will also work with public agencies to effect deeper changes at the "technical, process and people levels to address the systemic causes" behind repeated findings by the AGO of weak IT controls, said the Public Accounts Committee (PAC).

Among these is a comprehensive rewrite of a government instruction manual to emphasise IT security - with benchmarking against leading industry practices - and a new technical system that will use audit and incident data to predict risks and allow for more targeted checks. Both are expected to be completed later this year.

To make government bodies more accountable, key performance indicators (KPIs) for cyber security and data security will also be built into each agency's corporate KPIs, said SNDGG.

Individually, officers found to be negligent in their duties can be disciplined under the public sector disciplinary framework, it added.

Government agencies' weak IT controls have been flagged by the AGO in its annual report for each of the past three years, with East Coast GRC MP and PAC chairman Jessica Tan having noted previously that the issues cut across the public sector and are not new.

In its report last July, the AGO said weaknesses include inadequate monitoring and review of the users of IT systems, especially external vendors with access to sensitive or personal information.

For instance, seven IT vendor employees at Singapore Customs could access the most privileged OS (operating system) user account without password authentication in six of the seven servers checked by the AGO, while vendor staff with the Ministry of Defence had unrestricted access to personnel and payroll information.

Both said they have since rectified their processes.

"Given the speed at which the public sector was implementing new IT systems, the committee was concerned over the repeated audit observations on weaknesses in IT controls across several public agencies," the watchdog said.

With many public agencies' administrator accounts, which have access to sensitive data, held by external vendor staff, there is a risk of agencies not detecting unauthorised access or activity that could compromise the integrity of data in their IT systems, the PAC noted.

The SNDGG said in response to the committee's questions that, going forward, it will look into the issue of third-party management.

A version of this article appeared in the print edition of The Straits Times on January 18, 2020, with the headline New systems, steps to be rolled out to reduce IT lapses by ministries.