Data, cyber security remain key risks for Govt

Weaknesses in IT controls across several public agencies were flagged by Parliament's Public Accounts Committee (PAC) yesterday, as it warned that IT-related risks will remain a key concern amid the increasing pace of digitalisation and outsourcing of IT operations in the public sector.

In particular, the Government will have to watch out for data security and cyber security risks, the committee said in its report.

West Coast GRC MP Foo Mee Har, who chairs the PAC, said in a statement: "Given the higher incidence of cyber attacks globally, the committee noted the ongoing efforts to strengthen IT governance, data security, cyber security as well as human capital."

"While automation is central to addressing persistent IT lapses, automation alone is not sufficient without the accompanied agencies' leadership attention and third party IT vendors' compliance."

The PAC had highlighted inadequate oversight of privileged user accounts and insufficient controls over third-party vendors.

For instance, Ngee Ann Polytechnic had reviewed only six out of the 38 actions that could be performed by its privileged database accounts. Since March last year, it has started to monitor 32 out of 38 actions, with six remaining actions deemed as having less impact on IT security.

Responding to the PAC on its concerns, the Smart Nation and Digital Government Group (SNDGG) said it has introduced measures to address the lapses.

For example, it has put in place a system that would alert 38 public sector agencies about staff movement and role changes, so that the agencies can manually remove accounts that are no longer needed.

A system to automate the removal process is targeted for completion in December this year.

The SNDGG said it had also taken steps to strengthen organisational structures and processes and raise awareness of cyber threats, including setting up the Government Data Security Unit to drive and coordinate data security efforts across the public sector.