Several basic but potentially catastrophic problems involving the security of information within a number of government departments have been revealed within the past two years.
Problems such as the lack of a formal backup process for computerized data, improper security protocols that inadvertently allowed anyone using the government network to access information, and lax password or user authorization procedures are some of the issues putting the government at risk.
A number of problems have been flagged up in separate Internal Audit Unit reports issued since the beginning of 2014. Other difficulties were discovered by the Cayman Compass newspaper in the course of reporting on different tech-related stories. The Cayman Islands Auditor General’s Office has also been looking into the matter.
The public sector entities affected ranged from the Royal Cayman Islands Police Service, to Cayman Airways, to the Department of Agriculture and the Department of Environmental Health. In addition, there are concerns about government’s overall financial management software and various law enforcement computerized data management systems.
Internal auditors performing a general IT controls review for the territory’s national airline in 2013-2014 found that Cayman Airways lacked a formal disaster recovery plan.
In other words, in the event of a system crash or multiple hard-drive failures, Cayman Airways had no specific plan to mitigate data loss or to keep operations running if crucial data was unavailable to employees.
“A disaster scenario may result in business interruption, financial loss and reputational damage,” auditors cautioned in the June 2014 report.
In addition, auditors looking into deficiencies within computerized backup data at CAL noted a number of problems, including that a paper-based backup log sheet was being used at the time and that failed attempts to back up computerized data at the airline “were too frequent.”
“In our test samples, two of the five daily backups failed during the week the testing was conducted, no weekly backups were successful in the month of September 2013 and the monthly backups of August and September 2013 were either missed or failed due to bad tapes,” the report found.
In both cases, airline management acknowledged the auditors’ findings and were in the process of addressing the various problems identified. Fixes were promised by the end of 2014, according to airline management’s response to the report.
Two audit reports completed in 2013 and in 2014 that revealed significant problems with separate government data management systems have so far been withheld from public release for fear that disclosing them might reveal serious security weaknesses in the information technology systems.
One report concerning the government’s integrated resource information system, known as IRIS, which is operated by Oracle Financials, was presented to lawmakers in 2013, according to the Auditor General’s Office. The IRIS system is used to keep track of central government departments’ revenues and expenses.
A separate audit, which looked at the then-Portfolio of Internal and External Affairs’ (now the Ministry of Home Affairs) Sungard OSSI information system, was completed in 2013 by the government’s Internal Audit Unit. An open records request for the report filed in November 2013 by the Compass was denied.
The portfolio pledged in 2013 to release the audit when the security problems had been addressed. The document has never been released.
Sungard Public Sector sold the Cayman Islands government a number of products, including the computer-aided dispatch system used by the 911 Emergency Communications Centre and the Royal Cayman Islands Police Service Jail and Records Management systems, among others.
The Sungard system provides a common public safety software platform that allows all information to flow between each law enforcement-related entity, allowing departments to share information.
An open records request in February 2014 seeking details of certain expenses and maintenance data for the Joint Marine Unit that was initially “lost” in a computer hard-drive crash has apparently been either delayed or ignored for the past six months, with officials still unable to put their hands on the relevant records.
Officials with the Cayman Islands Information Commissioner’s Office confirmed in May that they would have to open an appeal against the police to retrieve the records if they did not receive a response.
The issue of the “lost” files of the Royal Cayman Islands Police Marine Unit has been ongoing since June 2014 when the Compass was told that a number of relevant records had been compromised after multiple hard-drive failures at the Citrus Grove building. Last October, police officers noted they still could not open computer records they believed had been restored following the computer crashes. The Computer Services Department indicated in October that the relevant records had been restored.
In mid-May, RCIPS Superintendent Adrian Seales said, “The data has not been restored. Two restore links were provided from [computer services], the first was done and placed in the corrupted folder, which ended up being corrupt. The second restore link returned folders within the drive but data is missing.”
An audit completed in late 2014 on the Department of Environmental Health revealed that trash fees had not been charged to hundreds of local businesses that were supposed to pay them. The Compass reported on those issues last week.
However, the review also flagged up more basic management problems within the department’s IT infrastructure, including that at least six employees had privileged access to the trash fee management system – known as EVMAS – when they did not require that access. In at least one other case, a person who had left the department maintained privileged access to the system.
The report noted that there was “no formal policy or documented standard process for managing access in EVMAS.” It continued, “Unnecessary granting of privileged database access, untimely revocation of access and insufficient profile segregation within EVMAS compromises the security and integrity of the system.”
In addition, the IT evaluation revealed that the EVMAS system was being operated on an “obsolete platform.” EVMAS uses the Tru64 operating system, which expired in 2012, and Oracle 9i, the extended support for which ended in 2010.
“This means that [the government Computer Services Department] is without vendor support if EVMAS encounters issues related to the core operating system or database,” auditors stated.
Department management said they would make a funding request to upgrade the EVMAS system and hopefully have a new operating system in place by this month. Troubles with system access were due to be addressed by the end of last year.
Lack of understanding regarding basic computer technology and information system access protocols led to the potential for major security breaches in the Department of Agriculture.
A report by the Internal Audit Unit in February 2014 indicated that department managers were unaware of proper security procedures for various computerized operations dealing with the “Counterpoint point-of-sale” system the department used, so those procedures were not reported to the government Computer Services Department.
For instance, access to the information system used by the Agriculture Department was not restricted to authorized users only, internal auditors found.
“According to the assistant director of the Department of Agriculture, he was unaware of this security issue,” the report found, indicating that computer services was relied on to “configure best practice security on their network.”
“This means that any government employee with basic computer knowledge who tinkers around the network and accidentally finds the network folders owned by the Department of Agriculture could modify data, create fictitious data, or delete critical files and information and disable the [system] by deleting critical configuration files.”
Agriculture Department management noted in its response to the audit that the Computer Services Department had since been asked to fix the issue, noting “they are responsible for [the] operation, maintenance and security of the server and network.”