Lack of understanding regarding basic computer technology and information system access protocols led to the potential for major security breaches in the Department of Agriculture prior to last year.
A report by the Cayman Islands government’s Internal Audit Unit in February 2014 indicated that department managers were unaware of proper security procedures for various computerized operations dealing with the “counterpoint point-of-sale” system the department used, so those procedures were not reported to the government Computer Services Department.
For instance, access to the information system used by the Agriculture Department was not restricted to authorized users only, internal auditors found.
“According to the assistant director of the Department of Agriculture, he was unaware of this security issue,” the report found, indicating that computer services was relied on to “configure best practice security on their network.”
“This means that any government employee with basic computer knowledge who tinkers around the network and accidentally finds the network folders owned by the Department of Agriculture could modify data, create fictitious data, or delete critical files and information and disable the [system] by deleting critical configuration files.”
Agriculture Department management noted in its response to the audit that the Computer Services Department had since been asked to fix the issue, noting “they are responsible for [the] operation, maintenance and security of the server and network.”
Throughout the report, occurrences are documented in which department management – which was unaware of IT security protocols – did not report these issues to computer services. The Computer Services Department, while responsible for government IT security and operations, would not necessarily have known about the issues unless it was informed by the department, auditors said.
Another problem identified in the 2014 report was that security “patches” – published online at various intervals by software companies – were not being added to the department’s point-of-sale computer servers. Auditors found that no program was established to update these security patches.
“The counterpoint point-of-sale server and database are, therefore, vulnerable to known threats,” auditors stated. “These exploitations could lead to exposure of data, manipulation of data, or total destruction of the system by external parties.”
Again, this was news to department managers.
“The department was completely unaware that these critical security patches were not being installed as a matter of routine maintenance,” the management response to the report read. “The department … is cognizant of the fact that it can only make requests with [computer services] but has no authority to instruct or direct [computer services] in the operation of government IT systems.”
Although a number of other security issues were identified in the internal audit report, the software used by the Agriculture Department was found to be “functional for its intended purpose” by auditors who reviewed it.
The department has also taken steps to implement audit recommendations related to security and operations protocols since the report was issued. In a number of cases, department officials complained of short staffing and vacant positions that led to some of the difficulties regarding unauthorized access to the system.
“Many of the recommendations we made require the assistance of the Computer Services Department,” auditors found. “While [computer services] should be proactive in collaborating with the department regarding information technology best practices, it is ultimately the responsibility of the department, as the owner of their systems and data, to ensure that the entire IT infrastructure … has effective controls in place to mitigate the identified risks.”