The auditor-general has reprimanded Singapore’s ministry of defence (MINDEF) and the ministry of education (MOE), in particular, due to insufficient IT controls and poor oversight, a new report reveals.
The report found significant weaknesses in the management of access rights for MINDEF’s electronic procurement system (ePS), due to a lack of periodic reviews on user access rights, which are required by the Singapore government.
Furthermore, MINDEF delayed removing unneeded access rights for 41 users out of 219, equating to 18.7 per cent of total users, according to the report.
These lapses are not insignificant, exposing the system to unauthorised access and compromising the integrity and confidentiality of data in the ePS.
Why the oversight? The report lays blame at the system owner, who had not performed the required six-monthly reviews of accounts and associated access rights since 2013.
Furthermore, none of the five units audited carried out the required quarterly reviews of accounts and associated access rights, according to the report.
Such reviews are required to ensure that accounts are current and that obsolete accounts and access rights are removed.
In regards to the delay in removing unneeded access rights for 41 users, after queries by the auditor-general’s office, MINDEF removed the unneeded roles and associated access rights between September 2017 and January 2018, representing delays ranging from 53 days to 10.7 years.
“Of the 41 unneeded roles, 14 roles were with access rights to perform procurement activities, which included raising purchase requisitions, approving fund commitments and performing goods receipts functions,” said the report.
“The remaining 27 roles were with access rights to view information on transactions, which included cost and quantity of goods ordered.”
According to the report, MINDEF explained that the officers performing the reviews of the 14 roles with procurement access rights either did not have the knowledge to perform proper reviews or did not take due care.
In regards to the other 27 roles, MINDEF said these roles were automatically assigned by the system when the users were appointed unit resource officers (UROs) to approve fund commitments and payments.
MINDEF claims it was not aware that the system was not designed to automatically remove the unneeded roles when users relinquished their unit resource officer appointments.
As a result of this report, MINDEF has said it intends to stress the importance of conducting regular reviews and maintaining proper documentation going forward.
MINDEF has since enhanced the system to automatically remove the roles with viewing rights when the users relinquish their URO appointments.
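The two MINDEF control gaps above (six-monthly reviews not performed, and URO-linked roles not revoked when the appointment ended) are the kind of thing a periodic access review script can flag. The following is an added example, not code from the report or from MINDEF's ePS; the record formats, role names and dates are constructed for illustration.

```python
from datetime import date

# Constructed sample data (not from the report): one row per role grant and
# one row per unit resource officer (URO) appointment.
ROLE_GRANTS = [
    # (user, role, granted_on, source)
    ("u001", "VIEW_TXN", date(2013, 3, 1), "auto:URO"),
    ("u002", "VIEW_TXN", date(2016, 6, 15), "auto:URO"),
    ("u003", "RAISE_PR", date(2015, 1, 10), "manual"),
]
URO_APPOINTMENTS = [
    # (user, appointed_on, relinquished_on or None if still appointed)
    ("u001", date(2013, 3, 1), date(2014, 2, 1)),
    ("u002", date(2016, 6, 15), None),
]


def stale_uro_roles(grants, appointments, review_date):
    """Return (user, role, days_overdue) for auto-assigned URO roles that
    are still held after the URO appointment was relinquished."""
    ended = {u: end for u, _, end in appointments if end is not None}
    stale = []
    for user, role, _, source in grants:
        if source == "auto:URO" and user in ended:
            stale.append((user, role, (review_date - ended[user]).days))
    return stale


def review_overdue(last_review, today, interval_days=183):
    """True if the periodic access review (six-monthly here, so roughly
    183 days) has not been performed within the required interval."""
    return last_review is None or (today - last_review).days > interval_days


if __name__ == "__main__":
    today = date(2017, 8, 31)
    for user, role, days in stale_uro_roles(ROLE_GRANTS, URO_APPOINTMENTS, today):
        print(f"{user}: role {role} retained {days} days after URO appointment ended")
    print("review overdue:", review_overdue(date(2013, 1, 15), today))
```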
A further issue highlighted by the report included the possibility of account sharing to perform procurement activities.
The report highlighted the period from 1 April 2015 to 31 July 2017, in which there were 197 instances where 33 authorised users might have shared their accounts with other persons, raising the possibility that procurement activities were performed by an unauthorised person. The 197 instances amounted to $2.83 million.
According to the report, 19 of these instances involved four users who were on overseas leave, indicating that it was indeed an unauthorised use.
However, for the remaining 178, MINDEF explained that the authorised users who were on local leave might have gone back to the office to perform the activities. MINDEF was, however, unable to conclusively prove this to be the case and so unauthorised use could not be ruled out.
According to the report, MINDEF has disciplined three of the four users who had shared their user accounts with others, with the remaining user having left the service.
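The account-sharing finding rests on correlating procurement transactions with leave records: a transaction performed while the account holder was on overseas leave is treated as unauthorised use, while local leave only raises the possibility. The following is an added example of that correlation, not code from the report or from MINDEF; the record layouts, user ids, dates and amounts are constructed for illustration.

```python
from collections import defaultdict
from datetime import date

# Constructed sample records (not from the report).
TRANSACTIONS = [
    # (txn_id, user, performed_on, amount_sgd, activity)
    ("T1", "u010", date(2016, 5, 3), 12000.0, "approve_fund_commitment"),
    ("T2", "u010", date(2016, 5, 4), 3500.0, "raise_pr"),
    ("T3", "u011", date(2017, 2, 14), 8000.0, "goods_receipt"),
    ("T4", "u012", date(2017, 3, 1), 500.0, "raise_pr"),
]
LEAVE = [
    # (user, start, end, kind); kind is "overseas" or "local"
    ("u010", date(2016, 5, 2), date(2016, 5, 6), "overseas"),
    ("u011", date(2017, 2, 13), date(2017, 2, 15), "local"),
]


def on_leave(user, day, leave):
    """Return the leave kind if the user was on leave that day, else None."""
    for u, start, end, kind in leave:
        if u == user and start <= day <= end:
            return kind
    return None


def flag_possible_sharing(transactions, leave):
    """Classify each transaction performed during leave: 'unauthorised' when
    the user was overseas, 'possible' when on local leave."""
    findings = []
    for txn_id, user, day, amount, _activity in transactions:
        kind = on_leave(user, day, leave)
        if kind == "overseas":
            findings.append((txn_id, user, "unauthorised", amount))
        elif kind == "local":
            findings.append((txn_id, user, "possible", amount))
    return findings


def summarise(findings):
    """Per verdict: (instance count, total amount, distinct users)."""
    totals = defaultdict(lambda: {"count": 0, "amount": 0.0, "users": set()})
    for _txn_id, user, verdict, amount in findings:
        t = totals[verdict]
        t["count"] += 1
        t["amount"] += amount
        t["users"].add(user)
    return {k: (v["count"], v["amount"], len(v["users"])) for k, v in totals.items()}
```

Real leave data will also need to account for part-day leave and time zones, which the constructed records above ignore.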
In regards to the oversight by the MOE, the report by the auditor-general revealed that the MOE did not log and review the activities of seven IT administrators, who were vendors engaged to schedule computer scripts for execution in two IT systems.
“The IT systems support the management of financial transactions of Edusave and Post-Secondary Education (PSE) accounts,” said the report.
As such, no individual administrator could be held responsible if there was any unauthorised execution of computer scripts, as it would not be possible for MOE to trace which administrator had scheduled them.
The computer scripts contained a series of commands to enable the systems to execute important tasks, such as top-ups to and withdrawals from students’ Edusave and PSE accounts.
Furthermore, the IT administrators used a job management system to schedule the computer scripts. They also set alerts to keep MOE informed of successful or failed execution of the scripts since its implementation in 2012.
This meant, however, there was a lack of traceability and accountability as the administrator who was responsible for any unauthorised computer scripts that were scheduled could not be identified.
Of the 60 computer scripts test-checked by the auditor-general’s office, seven were found to be without documentation to show that they were approved for execution.
Test checks by the auditor-general’s office of the operating system (OS) and database (DB) activity logs of 16 servers for the two IT systems also found that the logs did not capture details of the activities of the OS and DB administrators, the report revealed.
Furthermore, in June 2017 a password control had been turned off by the DB administrator who subsequently changed the password of the DB user account to one that failed to meet the password complexity requirement in the Government Instruction Manuals, according to the report. This was based on checks done from April to August 2017.
Due to the lack of details recorded in the logs, MOE was unaware of these changes and as such was not able to detect unauthorised changes to the settings of the two IT systems and the data in the database made by the OS and DB administrators, the report claimed.