Reasons for Repetitive Findings of IT Lapses in Government Agencies
Prime Minister's Office
Summary
This question concerns the systemic reasons for repetitive IT lapses in government agencies as highlighted in the Auditor-General's reports and findings from a 2009-2011 major audit. Mr Pritam Singh inquired about recurring issues regarding vendor management and access rights across these periods. Senior Minister of State Dr Janil Puthucheary explained that while earlier lapses involved inadequate internal reviews, recent findings stem from human errors in manual processes. To address this, the government will systematically automate IT processes and raise security awareness among public officers to reduce the likelihood of lapses. Additionally, the Public Sector Data Security Review Committee, chaired by Senior Minister Teo, will recommend technical, process, and people measures to enhance data security across the public sector.
Transcript
9 Mr Pritam Singh asked the Prime Minister in light of the Auditor-General's observations with regard to IT lapses in the Report of the Auditor-General for FY 2018/19 and similar observations in preceding years (a) what are the systemic reasons that explain these repetitive findings; and (b) what are the findings of the major audit on public sector IT systems carried out from 2009-2011.
The Senior Minister of State for Communications and Information and Transport (Dr Janil Puthucheary) (for the Prime Minister): Mr Speaker, Mr Singh has asked about audit findings over two periods – 2009 to 2011, and, secondly, 2018 to 2019 – across our IT systems.
Major IT systems belonging to 85 agencies were audited over three years from 2009 to 2011. A common finding from these audits was that agencies were not carrying out regular reviews of their system architecture and standards to make sure that there were no weaknesses and to bring them up to date with the latest available security systems. This has been addressed through the deployment of central IT infrastructure and common services, whose architecture and standards are reviewed regularly at a whole-of-Government level. Some agencies also had lapses in the conduct of regular reviews of security controls in their systems, including the validity of access rights. GovTech has tightened the rules and guidelines to improve governance processes by agencies in these areas.
One specific type of IT lapse in the Auditor-General's Office's audit for FY 2018/19 and the preceding years is where agencies' processes depend on individuals to manually update and monitor areas like access and log management. Such manual processes can result in delays and errors. To address this decisively, the Government will introduce systems to relieve our officers from carrying out these processes manually and reduce the likelihood of such lapses. We will systematically automate IT processes across the public sector to manage user access rights, review privileged users' activities and review system logs.
The use of automated solutions will facilitate compliance but will still require supervision and oversight by our officers. Officers must also be alert to situations where IT lapses can occur and flag these up. Thus, we will also continue to raise IT security awareness and capabilities among our public officers. The Public Sector Data Security Review Committee, chaired by Senior Minister Teo, will present its final recommendations to the Government in November and will look into not just the technical measures such as automation, but also process and people measures to raise data security across the public sector.
Mr Pritam Singh (Aljunied): I would like to thank the Senior Minister of State for that reply. My question pertains to the second part of the original Parliamentary Question – the three-year long IT processes audit that was carried out in the public sector.
Just two quick clarifications. What was it prompted by, such an extensive review? Secondly, were the issues, which have been repeatedly raised in Auditor-General's Office's Report from 2011/12 right up to the current year, of vendor management, access rights – they keep coming up every year – actually raised in the first report which is identified in the second part of my Parliamentary Question? Were these issues brought up and was there a review of the Government IM, for example, to ensure that access rights ought to be more heavily controlled?
Dr Janil Puthucheary: Mr Speaker, I thank Mr Singh for his questions. The audit findings from 2009 to 2011 were largely about the systemic processes around IT systems, namely whether the agencies have put in place the right kind of internal reviews and oversight. The 2018 to 2019 findings were largely whether individuals were able to easily comply with the manual implementation of processes and policies that were already in place. So, the two audits in 2009 and then subsequently 10 years later, both covered vendor management and access rights, but from very different perspectives.
In the latter case, it was largely about the individuals' ability to comply with sometimes very onerous or very complex policies. In the first instance, 10 years ago, it was largely about whether the agencies had processes in place and whether they were reviewing those processes adequately.
As for the first question, I do not know if there was one specific factor that I can point to, but I would be happy to get back to the Member about what triggered the audit. My assumption would be that this was part of the ongoing review that public agencies would take for risk mitigation, where areas of concern are audited.