Gov’t withholds reports on IT systems

Issues unrelated to missing police data

Two audit reports completed over the past year revealing significant problems with separate government data management systems were withheld from public release for fear that disclosing them might reveal security weaknesses in the information technology systems.  

One report concerning the government’s integrated resource information system, known as IRIS, which is operated by Oracle Financials, was presented to lawmakers a year ago, according to the Cayman Islands Auditor General’s Office.  

The system is used to keep track of central government departments’ revenues and expenses. 

“The [auditor’s office] completed a review of the government’s financial systems last year, including its main application IRIS and other related revenue systems,” a statement from Auditor General Alastair Swarbrick’s office read. “As the government has recently completed its implementation of the IRIS upgrade, we will be carrying out a [second] review in the next few months.”  

The auditor’s office declined to disclose the original report Monday.  

A separate audit, which looked at the then-Portfolio of Internal and External Affairs (now the Ministry of Home Affairs) Sungard OSSI information system, was completed last year by the government’s Internal Audit Unit. An open records request for the report filed in November 2013 by the Cayman Compass was denied.  

“We are temporarily withholding [the report] under section 11[2][c] of the Freedom of Information Law due to the fact that the risk of an identified system weakness being exploited would increase if the report reached a wider audience at this time,” the acting chief officer of the Portfolio of the Civil Service said in a statement.  

The portfolio pledged to release the audit when the security problems had been addressed. As of press time Tuesday, it had not done so.  

Sungard Public Sector has sold the Cayman Islands government a number of products, including the computer-aided dispatch system used by the 911 Emergency Communications Centre and the Royal Cayman Islands Police Service Jail and Records Management systems, among others.  

The Sungard system provides a common public safety software platform that allows all information to flow between each law enforcement-related entity, allowing departments to share information. Security authorizations for access are associated with the system.  

The IRIS system is used to record government’s financial transactions. It had been noted as long as a year ago by Mr. Swarbrick that the outdated system needed a major upgrade. 

According to Mr. Swarbrick in June 2013, Oracle Financials indicated that, as of November 2013, it would no longer support the operating system used by government.  

“IRIS, in its current configuration, is not managed effectively and does not support the financial community in carrying out its primary role for managing and recording government’s financial transactions … to facilitate accurate and timely financial reporting,” Mr. Swarbrick said.  

According to that report, a “large investment” was being contemplated by the government regarding upgrades to the computer system. It was estimated at the time that the upgrade would cost $700,000 or more, but the actual figure has not been revealed.  

The problems relating to the operation of the IRIS system are not related to issues that led to the recent failure of several hard drives on a government server kept in the Citrus Grove building in George Town. The drives contained about 1.2 terabytes of data from the Royal Cayman Islands Police Service that were apparently corrupted in the crash. Government officials are still looking into that incident.  


  1. What were the reasons given to Mr. Swarbrick as to why the IRIS system had not been upgraded (and properly configured) or replaced by the CIG?

    It is easy to blame these problems on the technical staff responsible for managing these systems from a technical perspective. The truth is however most often linked to things like a lack of funds to complete the upgrades or a lack of commitment on the part of the end users to complete the testing and certification that might be required before the implementation of a new release.

    No system is perfect and 100% free from security issues but I found it strange that Sungard and the CIG would not move quickly to rectify any security issues related to the Sungard solution.

    While I can understand why the CIG will not release any documentation that might expose potential security issues with the solution, the related RFP and all subsequent responses should be subject to public disclosure.

Comments are closed.