The Public Accounts Committee (PAC) recommended to Parliament that the Ministry of Information, Communications and the Arts (MICA) should provide guidance to ministries and statutory boards on how to ensure the security of their IT operating environment.
This follows instances of unauthorised access to the Public Service Division's (PSD) Government-wide human resource system.
PSD had outsourced the maintenance of the Government-wide human resource system to a contractor.
From the Auditor-General's Office's (AGO) report, the committee noted that between 1 February and 31 March 2010, there were altogether 1,050 instances of access (the majority of which were unauthorised) to salary and other HR data by the contractor’s operators and their supervisor.
Concerns were raised by the committee and PSD agreed that access control for the system could have been better managed.
PSD said that the files that had been accessed by the operators did not contain all the HR data that would enable them to link the names of the civil servants to their salaries.
In PSD’s opinion, no confidential information was compromised or leaked.
PSD said that the contractor did not breach any rules of conduct or other contractual agreement.
However, PSD admitted that it did not have a procedure requiring operators to seek formal approval before carrying out their operational functions, as required under the Government Instruction Manuals.
PSD has since implemented such a procedure.
PSD has also changed the access for general operators so that they cannot open or copy files.
Only one supervisor and one backup are given the access rights to perform the tasks that would enable them to recover the files. The audit logs will be reviewed monthly by the system owner to ensure that there is no unauthorised access.
The committee noted that other than PSD, there were two other public bodies on which the Auditor-General reported IT security lapses.
In all three cases, third parties had been engaged to maintain the computer systems.
The committee agrees with AGO that there is a need for greater vigilance in IT controls; this is especially so for access controls, which form the first line of defence against unauthorised access to IT systems.
It said that even where the running of the IT systems has been outsourced to third parties, the ministry or statutory board concerned is accountable and should ensure that there is a secure operating environment for its IT systems.
Therefore, the committee recommends that MICA, as the central agency for IT security in the public sector, provides guidance to ministries and statutory boards on how to ensure the security of their IT operating environment, particularly when the running of their IT systems is outsourced.