The Cayman Islands government’s information technology (IT) security continues to be poor and has even “deteriorated” since 2012 the former Auditor General (AG) Alastair Swarbrick said.
In a recently issued report to the Legislative Assembly, he summarised his ongoing concerns with government IT security. This report follows one that he issued back in 2012 to government managers on the same issue.
Mr Swarbrick said penetration tests to access government computer systems were carried out and revealed that government IT security was in a poor state.
The Ministry of Home Affairs responded saying it, along with the government Computer Services Department (CSD), has embraced the OAG’s report and began addressing issues found during the audit before receiving the final report.
The ministry noted that cyber security is arguably the biggest threat facing governments, businesses and individuals around the world and is one that consumes vast amounts of resources. The Cayman Islands is not exempted from the challenges of this threat.
The ministry admitted that the security flaws discovered by the Office of the Auditor General are “unacceptable”. It revealed that it has even commissioned additional security examinations, and are actively engaged in strategic IT governance planning and implementation.
“The collective findings point to issues that are systemic and best addressed through improvements in governance, leadership, processes and procedures along with the appropriate technology,” said the ministry in an official statement.
It added that IT infrastructure that posed a security risk has been replaced at a cost of $698,551. “This further demonstrates that the Ministry is working to reverse the degradation of CSD’s capabilities, which in large part was due to the budget cuts prior to the 2013-2014 budget,” the ministry statement read.
The ministry is also working on improving leadership and management in CSD to be better prepared to deal with IT security and other IT challenges.
Chief Officer Eric Bush shared, “While much work remains, the worldwide focus on cyber security risks has elevated the priority of cyber security within the Cayman Islands Government. We continue to work on building defensive IT systems, along with improving systems and processes to minimise cyber risks, increase resilience and speed recovery from cyber-attacks.”
“There are some fundamental issues that need to be addressed that presents significant vulnerabilities to the IT security of the government at this time,” said Mr Swarbrick.
The report highlighted some high level risks. These include outdated and unsupported software in use that no longer provides the security required for government IT systems; vulnerability of sensitive information from a potential cyber-attack; and inappropriate configuration settings and system hardening allowing potential cyber-attackers the ability to compromise the security of the systems and services.
While the Computer Services Department has made some progress in remediating the issues identified in the 2012 assessment the former AG said he found that the overall situation had deteriorated.
He revealed that progress has been too slow in addressing the concerns he raised in the 2012 report and more significant action is needed.
However, he acknowledged that the government has responded lately to his recent report and has begun to take the issue very seriously.
Premier and Minister of Home Affairs Hon Alden McLaughlin confirmed this in his speech at the Chamber of Commerce Luncheon. He said a visiting a group from the Estonian e-Governance Academy also emphasised the need for government systems and data to be secure and trusted.
“I have advised the staff in the Ministry of Home Affairs to ensure that there is a sufficient, urgent focus on data security across Government. There is no place for complacency or second best when it comes to security and public confidence, for which Government has responsibility,” said the Premier.
Mr Swarbrick explained why he thinks the issue may not have been recognised as being of importance and of high priority until now. For a number of years, the view around IT was to try to get systems developed and functioning and as a result things like IT security, which are fundamentally important, were put on the back burner, he explained. But now he is seeing a complete shift and more forward actions being taken by government towards better IT strategy and governance.
The AG report noted that the government reliance on IT to manage information and deliver public services has accelerated during the last two decades and will continue to increase.
“Ultimately as they move towards more e-government, more online services IT security is fundamental,” said Mr Swarbrick.
The former AG said his office conducted the report because he believes there are monetary repercussions to not having a safe and secure IT system.
The report noted that there needs to be proper management of information, which is a key asset of government. Failure to do so can lead to significant reputational, operational, legal and potentially national security risks.
“You could have litigations, you can lose data that could be sensitive to government and to individuals, so there’s a whole pile of issues,” said Mr Swarbrick.
Government IT systems contain vast amounts of business critical and sensitive information, data about citizens and businesses such as payment information and national security matters. Therefore, it is fundamental that these systems are effectively protected against both internal and external malicious attacks.
Mr Swarbrick gave a press briefing on this issue on the last official day of his post. The former AG who resigned after five years also revealed that he signed government consolidated accounts for the first time after carrying out an audit on the information submitted for the 2013/14 financial year.
He said that financial reporting was previously “dire” and transparency in government was non-existent. But “whilst things have moved slowly at times and we haven’t gotten as far as I’d like to we’ve come a long way from that position,” he stated as the quality and timeliness of financial reporting has improved significantly.
---
Autor(en)/Author(s): Monique Spence
Quelle/Source: The Cayman Reporter, 02.10.2015
Bitte besuchen Sie/Please visit:
