Checks in Integrity of Work Permit, and Employment and S Pass Systems
Ministry of Manpower
Summary
This question concerns MP Png Eng Huat’s inquiry on whether a forensic review was conducted for the Work Permit and Employment/S Pass systems between 2011 and 2017 following an Auditor-General’s Office report on IT vendor activities. Minister for Manpower Mrs Josephine Teo replied that while 2018 reviews found no unauthorized activity, mitigation measures like role segregation and session recordings have been in place since 2004. She noted that the Ministry now conducts monthly reviews and employs a risk-based approach to monitor administrator sessions. Since no malicious activities or system anomalies were detected through these safeguards, she stated there was no basis to order a forensic review.
Transcript
75 Mr Png Eng Huat asked the Minister for Manpower with regard to the Report of the Auditor-General for FY2018/19 whether any forensic review has been done to ascertain the integrity of the Work Permit and Employment/S Pass systems for the period of 2 June 2011 to 31 December 2017 since there were no reviews conducted by the Ministry of activities performed by the IT vendor staff using the privileged operating system user account during that period as flagged by AGO.
Mrs Josephine Teo: Following AGO's finding, MOM reviewed the operating system administrators’ activity logs from January 2018 (earliest available). We found no unauthorised activity. Given the heightened cybersecurity risks, we acknowledge the value of more regular reviews and now conduct them on a monthly basis.
Although the same type of review was not conducted between June 2011 and December 2017, MOM has in place various measures to mitigate the risk of unauthorised activity undermining system integrity.
Since the commissioning of the Work Permit System and the Employment Pass System in 2004 and 2008 respectively, all personnel, including IT vendor staff, have been segregated into applications and system administrator roles, with separate access rights for different parts of the systems. This reduces the risk of a malicious breach of system security or data integrity as no individual has sufficient access to the system to manipulate it without being discovered. There are also regular reports and automated checks to ensure that applications are functioning as intended.
Since 2011, the Ministry has also recorded the sessions of all administrators. The primary purpose of the session recordings is to support investigations if a system anomaly is detected, or malicious activity is suspected. Given the volume of data amassed from the recordings, MOM takes a risk-based approach and reviewed sessions of higher risk activities. No unauthorised activity has been detected thus far.
A forensic review is an in-depth investigation triggered by a suspected malicious activity or security incident, in order to uncover details about the specific incident. As no unauthorised activity was detected, there was no basis to order a forensic review.