AGO report: CPF Board says members' data not compromised

The Central Provident Fund (CPF) building in Tampines Central.

SINGAPORE - No unauthorised activities or transactions were made to Central Provident Fund (CPF) members' databases due to lapses in the management of two IT security monitoring systems, the CPF Board said on Tuesday (July 18).

The CPF Board said in a statement that it has conducted a thorough review after the Auditor-General's Office (AGO) flagged the lapses, and has improved how the two systems are managed to ensure all changes made to the IT security monitoring systems are properly tracked at all times.

The CPF Board was among several government ministries and agencies rapped by the Auditor-General for weaknesses in controls over IT systems.

These lapses were discovered by the AGO in the latest annual audit of government accounts for financial year 2016/17, and were highlighted in the AGO's report released on Tuesday.

The AGO had noted that one of the CPF Board's IT security monitoring systems was not configured properly and would not alert the board to IT security violations which took place on a particular day of each week. The Board also did not have a policy to identify IT systems that should be monitored for IT security violations.

In response, the board said it has various layers of IT defences in place which mutually reinforce each other and protect against different types of security threats to IT systems. The IT security monitoring systems complement these layers.

It added that there is a clear segregation of duties between IT security monitoring system administrators, and IT system and database administrators.

"CPF Board is committed to safeguarding the security and integrity of our IT systems and databases and will continue to implement additional measures where necessary," the statement said.

Another concern of the AGO was lapses in management of the IT accounts of the board's temporary staff in the department that administers its Goods and Services Tax Voucher scheme.

Some accounts were used after the last working day of the temporary staff by unidentified users, or were not deleted within seven working days as required by the board.

The CPF Board said it has conducted a thorough review and found that members' data had not been compromised by the lapse.

It has also tightened access controls by putting in place a three-level check for all IT system access granted to temporary staff.

"This ensures that IT system access is granted on an as-needed basis and is promptly deleted when it is no longer required," said the board.