For a year and a half, the Central Provident Fund (CPF) Board did not review the changes made to one of its systems that monitors IT security. As a result, there is no way to find out whether unauthorised changes were made during that time.
The Auditor-General's Office (AGO) flagged this in its audit of the board, which was found to have several lapses in IT security management.
One problem area concerned two of the board's IT security monitoring systems, which track activity in the CPF Board's databases and systems.
One of the systems was not configured properly and could not alert the board to IT security violations that happen on a particular day each week. For the other system, the AGO found that changes made to it were not supported by approved change requests.
"These lapses could affect the effectiveness of the two IT security monitoring systems in detecting IT security violations," the AGO said in its report.
The board said the lapses did not compromise CPF members' data, as there were no unauthorised activities or transactions in members' databases.
In its response yesterday, it said the various layers of IT defences in place mutually reinforce one another and protect against different types of security threats. There is also a clear segregation of duties between the administrators of the IT security monitoring system, the IT system and database.
"Together, these measures strengthen our prevention, detection, monitoring and response capabilities against cyber-security threats. CPF Board is committed to safeguarding the security and integrity of our IT systems and databases, and will continue to implement additional measures where necessary," the board said in a statement. It added that it had done a thorough review and improved the management of the two systems.
Another concern of the AGO was lapses in the management of IT accounts belonging to the board's temporary staff in the department that administers its GST Voucher scheme. Some accounts were used by unidentified users after the temporary staff's last working day, or were not deleted within seven working days as the board's own policy requires.
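The two account-management lapses described above (use after the last working day, and deletion later than seven working days after it) are exactly the conditions an auditor or the board's own IT team would check for. The following is an added example, not code from the article or from the CPF Board: a small Python audit that runs an account register and a login log, both constructed here as sample data, against those two rules. It assumes "working days" means Monday to Friday (public holidays are not modelled) and that the deadline clock starts the day after the last working day.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import List, Optional, Tuple

# Policy stated in the article: accounts must be deleted within seven
# working days of the temporary staff member's last working day.
DELETION_DEADLINE_WORKING_DAYS = 7


@dataclass
class TempAccount:
    username: str
    last_working_day: date
    deleted_on: Optional[date]  # None means the account still exists


@dataclass
class LoginEvent:
    username: str
    at: datetime


def add_working_days(start: date, n: int) -> date:
    """Return the date n working days (Mon-Fri) after start.

    Assumption: weekends are the only non-working days; public holidays
    are not modelled in this example.
    """
    current, added = start, 0
    while added < n:
        current += timedelta(days=1)
        if current.weekday() < 5:  # 0..4 are Monday..Friday
            added += 1
    return current


def audit(accounts: List[TempAccount], logins: List[LoginEvent],
          as_of: date) -> List[Tuple[str, str, str]]:
    """Flag accounts that breach either rule. Each finding is
    (username, issue, detail)."""
    findings = []
    by_user = {a.username: a for a in accounts}

    # Rule 1: deletion within seven working days of the last working day.
    for acct in accounts:
        deadline = add_working_days(acct.last_working_day,
                                    DELETION_DEADLINE_WORKING_DAYS)
        if acct.deleted_on is None:
            if as_of > deadline:
                findings.append((acct.username, "not deleted by deadline",
                                 f"deadline {deadline.isoformat()}"))
        elif acct.deleted_on > deadline:
            findings.append((acct.username, "deleted late",
                             f"deleted {acct.deleted_on.isoformat()}, "
                             f"deadline {deadline.isoformat()}"))

    # Rule 2: no use of the account after the last working day.
    for ev in logins:
        acct = by_user.get(ev.username)
        if acct is None:
            continue  # not a temporary-staff account; out of scope here
        if ev.at.date() > acct.last_working_day:
            findings.append((ev.username, "used after last working day",
                             f"login {ev.at.isoformat()}"))
    return findings


# Constructed sample data (hypothetical usernames and dates).
SAMPLE_ACCOUNTS = [
    TempAccount("tmp_alice", date(2024, 6, 7), date(2024, 6, 12)),  # compliant
    TempAccount("tmp_bob", date(2024, 6, 7), None),                 # never deleted
    TempAccount("tmp_carol", date(2024, 6, 14), date(2024, 6, 28)), # deleted late
]
SAMPLE_LOGINS = [
    LoginEvent("tmp_alice", datetime(2024, 6, 6, 9, 0)),    # before last day
    LoginEvent("tmp_bob", datetime(2024, 6, 14, 10, 30)),   # a week after last day
    LoginEvent("svc_batch", datetime(2024, 6, 14, 2, 0)),   # not a temp account
]
SAMPLE_AS_OF = date(2024, 7, 1)


def run_sample() -> List[Tuple[str, str, str]]:
    """Run the audit over the constructed sample data."""
    return audit(SAMPLE_ACCOUNTS, SAMPLE_LOGINS, SAMPLE_AS_OF)


if __name__ == "__main__":
    for username, issue, detail in run_sample():
        print(f"{username}: {issue} ({detail})")
```

Run as a script it prints three findings: tmp_bob was never deleted and was used a week after the last working day, and tmp_carol was deleted after the seven-working-day deadline. In practice the account register would come from the identity system and the login events from the security monitoring system, which is also why the article's other finding matters: if that monitoring system silently misses one day a week, rule 2 can only be as complete as the log feeding it.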
The board said it had done a thorough review and that members' data had not been compromised by the lapse.
It has also tightened access controls by putting in place a three-level check for all IT system access given to temporary staff. "This ensures that IT system access is granted on an as-needed basis and is promptly deleted when it is no longer required," said the board.