Continued Scrutiny by AGO on AGD's IT Security Controls over Most Privileged Operating System User Account
03 Aug 2021
Parliamentary Question by Mr Gerald Giam Yean Song:
To ask the Minister for Finance whether there will be continued scrutiny by the AGO on AGD's IT security, as weak controls over the most privileged operating system user account have been continuously flagged across different systems over the past three years.
Parliamentary Reply by Minister for Finance, Mr Lawrence Wong:
The Auditor-General’s Office (AGO) is an independent organ of state that carries out audits on the Government’s management of public finances. The Government does not determine the agencies or areas that AGO chooses to audit.
The IT audits that the AGO conducts of the Accountant-General’s Department (AGD)’s systems are part of AGO’s annual audit of the Government Financial Statements. The IT audits undertaken by AGO covered separate parts of the AGD system – last year, it was on the payroll and claims system, and this year, it was on the accounting and financial transaction system. Separately, AGD itself commissions external IT audits annually to continuously review and strengthen IT security across its systems.
AGD has also proactively taken steps to systematically strengthen IT security over privileged access accounts in the past few years. These include hardening the hosting environment, transitioning its in-house IT setup into a GovTech-managed site, implementing a privileged access management system, and automating audit log management to strengthen the controls over privileged access accounts in line with industry standards and best practices.
The AGO observations flagged last year and this year were related and pertained to specific technical configuration gaps in the security software used across various AGD systems. When the technical misconfiguration in one of AGD’s systems was first flagged by AGO in its report last year, AGD had followed up to conduct a comprehensive review to prevent similar technical misconfigurations across other AGD systems. But this work could not be completed in time for the AGO report this year. Hence, as noted by the AGO in its latest report, the specific privileged access configuration identified in the latest AGO observation would have been addressed as part of AGD’s commissioned IT audit, which was ongoing when AGO conducted its audit between July and November 2020.
AGD has since fully rectified the technical misconfigurations highlighted by AGO. The rectification has also been verified through an independent IT audit commissioned by AGD. AGD will continue to strengthen and ensure robust and effective IT security controls over privileged access accounts of AGD systems.