Singapore’s Whole-of-Government approach to strengthen IT governance within the public sector

The Second Report of the Public Accounts Committee of Singapore was presented to Parliament yesterday. The Committee considered the Report of the Auditor-General for the financial year 2016/17. One of the common themes in the report was certain weaknesses in IT controls across public sector agencies. The Committee sought written explanations from three ministries: Ministry of Home Affairs (MHA), Ministry of Manpower (MOM) and the Ministry of Social and Family Development (MSF). All three have responded. They have taken multiple steps to close the gaps and strengthen IT governance.

The Committee noted that the recently formed Smart Nation and Digital Government Group (SNDGG) is taking actions at the Whole-of-Government (WOG) level to strengthen IT governance within the public sector. The Committee also reiterated that to eliminate recurring lapses and strengthen governance, every public sector agency has to play its part and be committed to implementing effective controls.

Actions taken by MHA

The Committee noted from the audit observations on the Singapore Corporation of Rehabilitative Enterprises (SCORE) that there were inadequate controls to detect unauthorised changes made to payroll records. SCORE indicated that it would verify all salary payments made from April 2014 to January 2017 to ensure that no unauthorised changes were made to staff salaries.

MHA informed the Committee that the verification exercise was completed and no anomalies were detected. MHA has also taken a number of remedial actions to address the weaknesses in payroll processing. SCORE has been conducting monthly reviews of user access rights and the activities of privileged users since June 2017.

In July 2017, enhancements were made to tighten the payroll process to prevent and detect tampering of payroll records.

MHA’s Computer Assisted Auditing Tool has been in use since July 2017 to flag anomalies and suspicious transactions before each payroll run.

MHA seconded an experienced Human Resource (HR) officer to oversee SCORE’s HR department in October 2017.

Finally, SCORE will be migrating to the Public Service HR and payroll systems, which adhere to best practices in controls, by the first quarter of 2018.

Actions taken by Ministry of Manpower (MOM)

The audit report noted that at the Central Provident Fund Board (CPFB) there might be a lack of management and oversight in the areas of change management, security monitoring and access control for IT systems.

MOM informed the Committee that CPFB has in place a sound system to oversee change management, monitor its IT systems and usage, and manage system access rights to ensure that CPFB’s systems and databases are protected against IT security threats and unauthorised access at all times. The lapses identified in the management of CPFB’s two IT security monitoring systems and controls for system access for temporary staff were the exceptions rather than the norm.

On the management of the two IT security monitoring systems, MOM has followed up and closed the gaps.

One of the steps taken is the implementation of a change management process since January 2017 to ensure that all changes made are formally authorised and tracked. It has also completed a further round of checks of all other IT systems and confirmed that there is a documented change management process specific to each system.

In addition, CPFB placed all its critical systems (including the non-public facing ones) under monitoring in June 2017. CPFB also completed the review of the monitoring rules of the IT security monitoring systems in March 2017, to ensure that the systems remain effective. A periodic review process was also implemented in May 2017.

Disciplinary action has been taken against the staff who failed to properly configure the IT security monitoring system to provide complete alert reports on IT security violations.

Moreover, CPFB has implemented an Identity Governance and Administration (IGA) system to strengthen the access controls of CPFB’s systems. This IGA system provides full visibility of who has access to which IT systems, automates life-cycle management of accounts and account dormancy checks, and facilitates periodic review of accounts and accesses. All of CPFB’s core systems were placed under the IGA system in October 2017, while the rest of the systems will be placed under the IGA system by December 2018.

Another observation by the Committee was that the system access of some temporary staff accounts was not removed promptly after the temporary staff left CPFB.

MOM explained that the lapses occurred due to an oversight by a supervising officer, and that CPFB had taken disciplinary action against the officer for not complying with the established procedures. CPFB has since improved the process, including introducing a checklist of actions to be completed when a temporary staff member leaves. This checklist is reviewed at three levels to ensure that the necessary actions have been taken.

Actions taken by MSF

The Committee noted that there were instances of inappropriate access and breaches of access control rules by MSF’s IT vendor staff in the IT systems that support the Baby Bonus and Child Care/Infant Care subsidy schemes. MSF has completed its investigation of all 595 previous instances of inappropriate access.

The investigation by MSF revealed that all instances of access were for valid business purposes. The lapse lay in the use of different accounts by IT vendor staff and the failure to duly adopt segregation of roles, in the hope of completing the assigned tasks quickly. Upon conclusion of the investigation, MSF issued a stern warning letter to the management of the IT vendor to comply strictly with the existing Standard Operating Procedures (SOPs).

To prevent recurrence of similar incidents and strengthen oversight of its IT vendors, MSF has taken actions which include: (1) conducting a one-time review of all system and database administrator accounts and the access logs for the past 12 months; (2) reviewing the IT vendors’ procedures for the administration of IT systems and management of accounts and directing the vendors to strengthen them; (3) instituting an independent monthly review of accounts and access logs by MSF’s IT staff using data analytics; (4) requiring IT vendors to carry out reviews of privileged accounts and activities, and to report their findings to MSF’s IT project team on a monthly basis, with key results reported to MSF’s IT management team on a quarterly basis; and (5) tightening the processes of IT vendors to ensure that appropriate processes and resources are available for vendors to complete their tasks without compromising segregation of roles.

These actions taken by MSF illustrate that the Ministry remains accountable and is stepping up its oversight to ensure proper compliance with SOPs. Strengthened procedures will ensure an appropriate level of access and clearer segregation of roles.

WOG approach in strengthening IT Governance within the Public Sector

Addressing the concerns over the weaknesses in IT controls found across several public sector entities, MOF informed the Committee that Singapore is taking a WOG approach in strengthening IT governance within the public sector with the recently formed SNDGG under the Prime Minister’s Office.

The SNDGG is designated to be the central body that oversees policies on IT management in the Government to safeguard the integrity of IT systems and the data within. SNDGG has been continually refining IT management policies to ensure proper controls. It also conducts independent audits to help agencies identify and rectify any gaps in compliance with the policies, which are then shared on various WOG and multi-agency platforms every year. For example, SNDGG has shared key learning points from AGO’s findings on weaknesses in IT controls at senior management forums.

The Government Technology Agency (GovTech) has also completed an assessment of the feasibility and cost-worthiness of solutions to automatically update account and access rights in IT systems when officers’ records are added or removed in HR systems.

Given the cost and complexity of implementing the solutions, GovTech would prioritise the agencies to work with to adopt the automated solutions over the next few years, beginning with those with the largest impact.

Featured image: TteckK.
