27. July 2006, 13:21 | by WD Milner

The following excerpt, which would be enough to get any IT administrator in the private sector an early departure from the firm, is from a report by Nova Scotia’s Auditor General, Jacques Lapointe.

“We also identified five individuals who share the same password to access a computer used in the processing of electronic funds transfers. Management advised us that, for technical reasons, it is necessary to share this password. However, computer logs are not used to monitor user activity related to this computer system.”

After less than six months in the position, Nova Scotia’s new Auditor General has found major IT-related bungling. Unfortunately, in this province this will not provoke the justifiable outrage and reaction from government that it should. It is an obscenity that a public sector organization would be allowed to leave such security holes open for months on end. It is also shameful that citizens exposed to such threats on a regional level aren’t provided the same kind of stewardship and protection they expect on a national one.

There are many such outrageous vulnerabilities listed in the report, such as:

“We noted certain accounting staff could initiate an ad hoc payment to an existing income assistance client. These individuals also have access to accounting records and are responsible for income assistance payments and bank reconciliations. Staff informed us that these access rights are not required to fulfill their position responsibilities.”

The Auditor General’s findings conclude that while some computer controls are adequate, there are enough weaknesses in the system that it is not managed properly overall. What is disturbing about the 194-page report is the lack of accountability for those running these systems. The reasoning given for the current situation would be laughable if the risks were not as serious as they are.

For example, why aren’t passwords changed or shut down once employees leave the provincial government? IT management stated that “access change documentation is often not received in a timely manner”. Trying to shift the blame before the event won’t find acceptance once a breach occurs, so it shouldn’t be a valid reason beforehand.

And what is the government’s take on all this? The response from the Nova Scotia government is that, “like many other enterprises, they are in the midst of a technology upgrade, which when it is complete by January 2007 should address the Auditor General’s concerns”. That means attackers, virus writers and particularly disgruntled former employees have another six months to do whatever they like to defraud, infiltrate and damage the system, and the citizens that depend on it.

Ultimately, these aren’t issues with technology. They are issues of policy, process and mindset: access is improperly provided to those who don’t need it, security auditing and activity tracking are not integrated into existing workflows, and the resulting documentation is not stored. The same issues arise in all types of businesses, but governments, even provincial ones (and municipal ones, for that matter), should be providing exemplary adherence to IT security, not providing case studies in ‘what not to do’.

- 30 -

Keywords: Nova Scotia, government, Canadian, IT, security


