Full fix promised by Dec. 31, 2014
Numerous security issues in the computerized data management system used by the Judicial Administration department, the division that provides administrative services to the local courts, have been revealed by an internal government audit.
“These security risks may lead to exposure of sensitive judicial administration data or compromise the integrity of judicial information,” the Internal Audit Unit’s review noted.
Some of those risks were addressed prior to the release of the August 2013 report, which was provided to the Caymanian Compass under the Freedom of Information Law. However, other issues – such as ensuring only certain users were given access to specific parts of the system – won’t be resolved until the end of 2014, according to the report.
A system-wide upgrade was planned to be in place for the judicial administration by Dec. 31, 2013. Prior to then, the administration was running its data system on a 2005-era database, hosted on a Microsoft Windows 2003 application server. The last IT vendor support contract the courts administration signed was a two-year deal from 1998, according to auditors.
Among the most serious concerns revealed in the Internal Audit Unit report was that information in folders in the judicial administration file share system was not encrypted and thus was available to anyone with basic IT knowledge.
“These data include warrants, registration documents, jury reports … and specific files for each case recorded within JEMS [the Judicial Enhancement Management System – the computerized data system used by the courts administration],” auditors noted. “The jury reports contain juror status, bank accounts, summons and other sensitive information.”
The audit states that these records were never designed to be accessible to everyone, but theoretically, they were. The government users network group “everyone” includes all government employees using the domain managed by the government Computer Services Department, according to auditors.
“This access may not be readily obvious to the average computer user, [but] someone with basic knowledge of network file share mapping within the government can easily access the sensitive files,” the audit states. “This poses risk of data exposure, alteration or corruption as a result. This may also have further negative implications for the integrity of the justice system.”
The IT analyst who assisted the Internal Audit Unit with the report on the judicial administration’s computerized data system was “not aware” why these sensitive folders were not restricted appropriately. According to judicial administration management, the file folders were given restricted access during the course of the Internal Audit Unit’s evaluation.
Another serious concern involved the fact that the Computer Services Department had “full control” of the judicial administration’s computerized database.
“The IT analyst was not sure why computer services was given full control of the database,” the audit noted. “Granting privileged server and database access to individuals who do not require such access … weakens the security environment of the JEMS system.”
Other issues were found with the court computer servers’ memory capacity.
According to the judicial administration, the computerized data network server has to be restarted every week in order to maintain its memory access and integrity; otherwise, a system outage could occur and crucial courts data could be lost. In addition, the JEMS server was hosted in a tiny room next to the court staff kitchen area, subjecting it to risks of fire and overheating.
The courts management also said that problem would be addressed by the system upgrade planned for Dec. 31, 2013.
Other problems identified, such as the access levels given to various individuals within the courts’ computerized data system, would take a bit longer to fix, according to the audit.
These are issues such as individuals with no responsibility for government or court system finances having access to financial information, or financial managers having access to non-financial information within the criminal courts system.
“Although these may not necessarily indicate inappropriate access levels, the perceived inconsistencies, and the fact that these detailed access levels were not subjected to a formal review and approval process require reasonable attention for senior management inspection,” auditors found.
Court administrators, in their response to the audit, said this last issue was more complex and required the system upgrade to be completed first before various access levels were granted. In the meantime, no extra access permissions are given without “explicit instructions” from the court administrator, management noted.
The review of computer system access would be finished by Dec. 31, 2014, managers stated.