JINNY Sims, Minister of Citizens’ Services, said on Tuesday the government is accepting all the recommendations of the Office of the Auditor General of British Columbia’s audit of the B.C. government’s internal directory account management.
She said in a statement: “Staff in five ministries – Citizens’ Services; Attorney General; Health; Forests, Lands, Natural Resource Operations and Rural Development; and Finance, including its related branches and agencies – have worked with OAG auditors since August 2017 as they prepared this report. The result is a detailed examination of the management of internal directory (IDIR) accounts that government employees and contractors use to provide the services British Columbians rely on.
“Early in 2018, the Office of the Chief Information Officer (OCIO) began working with ministries to clean up dormant IDIR accounts and has made significant progress in this area, having already addressed more than 90% of the accounts identified through this audit. It’s important to note that our existing safeguards had already suspended these accounts. None of these accounts were still active.
“The OCIO is now in the process of implementing the remaining recommendations and will work across government to ensure that ministries understand their role in regularly reviewing employee IDIR accounts and managing them effectively.
“Protection of government systems and the information they contain remains a top priority for the Ministry of Citizens’ Services and the OCIO, especially concerning the personal information belonging to people living throughout the province. Our staff work hard every day to protect government systems.
“We already have key controls in place to help manage access to our systems, including firewalls and around-the-clock monitoring. The work we are currently doing, along with recommendations stemming from the OAG’s report, will further strengthen our safeguards and bolster our protection of vital government information and data.”
THE Office of the Auditor General in a press statement noted that every government employee and contractor has a user name and password to access government systems, and government’s internal directory system (IDIR) authenticates each user’s identity to ensure it is legitimate. To provide services for people in British Columbia, government collects and stores a great deal of sensitive and personal information. Therefore, only government employees and contractors who need access to government systems containing sensitive information should have access.
“The IDIR service is the first defence against unauthorized access to government resources,” said Carol Bellringer, Auditor General. “All it takes is one poorly managed user account to compromise government systems.”
The office audited five ministries and found that some of them were not consistently following the Office of the Chief Information Officer’s (OCIO) established key controls to restrict unauthorized access. The office pointed out that it did not look for inappropriate use of accounts or security breaches that could result from improper accounts.
The office also found a lack of understanding regarding the role of the OCIO versus individual government organizations in the responsibility for maintaining the central records of accounts. The OCIO has overall responsibility for managing the internal directory service, and each ministry and government organization manages its staff IDIR accounts. “The OCIO needs to remind ministries of their responsibilities as defined in the OCIO’s information security standards,” Bellringer said.
Some government employees have significant access to and abilities within government systems. For example, a system administrator often has the ability to create or alter accounts for their organization’s users. The office found that the activities of these employees were not reviewed consistently to ensure appropriate use.
Finally, employee information and account information are stored in two separate databases. The OCIO has responsibility for the IDIR system, but the Public Service Agency (PSA) holds and maintains the list of current government employees. The office recommends that the OCIO and the PSA compare the two lists to ensure legitimacy. Strong co-ordination and commitment to key controls and management of IDIR user accounts, between the OCIO and across ministries, is fundamental to controlling access.
The full report is available on the Office of the Auditor General website: www.bcauditor.com