Continued Scrutiny by Auditor-General's Office on Accountant-General's Department's IT Security Controls over Most Privileged Operating System User Account
Ministry of Finance
Summary
This question concerns whether the Auditor-General’s Office (AGO) will continue scrutinizing the Accountant-General’s Department’s (AGD) IT security following recurring issues with privileged account controls. Minister for Finance Lawrence Wong explained that the AGO is an independent organ of state that determines its own audit scope as part of annual financial statement reviews. He highlighted that the AGD proactively commissions annual external IT audits and has strengthened security by migrating to GovTech-managed sites and implementing privileged access management systems. The Minister clarified that recent observations pertained to technical configuration gaps which have since been fully rectified and verified by independent audits. He affirmed that the AGD will continue to ensure robust and effective IT security controls over its privileged access accounts.
Transcript
15 Mr Gerald Giam Yean Song asked the Minister for Finance whether there will be continued scrutiny by the AGO on AGD's IT security, as weak controls over the most privileged operating system user account have been continuously flagged across different systems over the past three years.
Mr Lawrence Wong: The Auditor-General’s Office (AGO) is an independent organ of state that carries out audits on the Government’s management of public finances. The Government does not determine the agencies or areas that AGO chooses to audit.
The IT audits that the AGO conducts of the Accountant-General’s Department (AGD)’s systems are part of AGO’s annual audit of the Government Financial Statements. The IT audits undertaken by AGO covered separate parts of the AGD system: last year, it was on the payroll and claims system, and this year, it was on the accounting and financial transaction system. Separately, AGD itself commissions external IT audits annually to continuously review and strengthen IT security across its systems.
AGD has also proactively taken steps to systematically strengthen IT security over privileged access accounts in the past few years. These include hardening the hosting environment, transiting its in-house IT setup into a GovTech-managed site, implementing a privileged access management system, and automating audit log management to strengthen the controls over privileged access accounts in line with industry standards and best practices.
The AGO observations flagged last year and this year were related and pertained to specific technical configuration gaps in the security software used across various AGD systems. When the technical misconfiguration in one of AGD’s systems was first flagged by AGO in its report last year, AGD had followed up to conduct a comprehensive review to prevent similar technical misconfigurations across other AGD systems. But this work could not be completed in time for the AGO report this year. Hence, as noted by the AGO in its latest report, the specific privileged access configuration identified in the latest AGO observation would have been addressed as part of AGD’s commissioned IT audit which was ongoing when AGO conducted its audit between July and November 2020.
AGD has since fully rectified the technical misconfigurations highlighted by AGO. The rectification has also been verified through an independent IT audit commissioned by AGD. AGD will continue to strengthen and ensure robust and effective IT security controls over privileged access accounts of AGD systems.