B.C. government employees aren’t consistently following directives restricting unauthorized access to citizens’ sensitive and personal information, an auditor general’s report released Tuesday said.
Carol Bellringer's report on the B.C. government's internal directory account management also found that hundreds of accounts belonging to people who had left their jobs or were on leave remained active.
Further, she said, employee information and system user account information are stored in two separate databases. Those need to be compared and coordinated for security and efficiency, she said.
Bellringer explained that each government employee or contractor has a user name and password to log into government systems. The government’s internal directory system (IDIR) authenticates each user’s identity to ensure it is legitimate. Only government employees and contractors who need access to government systems containing sensitive information should have access, Bellringer said.
“The IDIR service is the first defence against unauthorized access to government resources,” Bellringer said. “All it takes is one poorly managed user account to compromise government systems.”
“There is a risk of unauthorized access to some government systems,” Bellringer told a media conference call.
She said some users may have left the government while their accounts remain operative. She said 712 users are on leave, and 508 people had left the roles for which their accounts were created yet those accounts were still active.
“We’re not talking about hacking and cybersecurity,” Bellringer said.
Her office audited five ministries and found that some of them were not consistently following the Office of the Chief Information Officer’s (OCIO) established key controls to restrict unauthorized access.
She said the number of accounts does not match the number of government employees. That may be due to some users having multiple accounts for differing tasks or accounts created for technological items such as printers.
Her office also found a lack of understanding regarding the information officer’s role versus those of individual government organizations in the responsibility for maintaining central account records.
That office, she explained, has overall responsibility for managing the internal directory service, while each ministry and government organization manages its own staff IDIR accounts.
Bellringer expressed concern about the level of access to information that some government employees hold without sufficient oversight.
“The office found that the activities of these employees were not reviewed consistently to ensure appropriate use,” Bellringer said.
And, the report found, employee information and account information are stored in two separate databases.
The report said the OCIO has responsibility for the IDIR system, but the Public Service Agency holds and maintains the list of current government employees.
Bellringer’s office recommends that the agencies compare the lists to ensure legitimacy.
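The list comparison the report recommends, shown here as an added illustration that is not code from the audit, the OCIO or the Public Service Agency: an HR roster and a directory export are constructed inline (the field names and status values are assumptions), and every enabled account whose owner has left, is on leave, is unknown to HR, or is a non-person account with no recorded owner gets flagged, while a second account held by the same active employee is left alone.

```python
# Added example: reconcile an HR roster with directory accounts.
# Both datasets below are constructed; field names are assumptions.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Employee:
    emp_id: str
    status: str  # assumed values: "active", "leave", "terminated"


@dataclass(frozen=True)
class Account:
    name: str
    owner_id: Optional[str]  # None for non-person accounts, e.g. a printer
    enabled: bool


HR_ROSTER: List[Employee] = [
    Employee("e1", "active"),
    Employee("e2", "leave"),
    Employee("e3", "terminated"),
]

DIRECTORY: List[Account] = [
    Account("jdoe", "e1", True),
    Account("jdoe-admin", "e1", True),    # second account for a different task
    Account("asmith", "e2", True),        # owner is on leave
    Account("bjones", "e3", True),        # owner has left
    Account("cwong", "e9", True),         # no matching employee record
    Account("printer-3f", None, True),    # non-person account with no owner
    Account("old-contract", "e3", False), # already disabled, nothing to flag
]


def reconcile(roster: List[Employee], directory: List[Account]) -> Dict[str, str]:
    """Return {account name: finding} for enabled accounts that need review."""
    status_by_id = {e.emp_id: e.status for e in roster}
    findings: Dict[str, str] = {}
    for acct in directory:
        if not acct.enabled:
            continue  # disabled accounts are not an access risk
        if acct.owner_id is None:
            findings[acct.name] = "no-owner"
        elif acct.owner_id not in status_by_id:
            findings[acct.name] = "unknown-owner"
        elif status_by_id[acct.owner_id] == "terminated":
            findings[acct.name] = "owner-left"
        elif status_by_id[acct.owner_id] == "leave":
            findings[acct.name] = "owner-on-leave"
    return findings


if __name__ == "__main__":
    for name, finding in sorted(reconcile(HR_ROSTER, DIRECTORY).items()):
        print(f"{name}: {finding}")
```

Accounts flagged as "no-owner" are the printer-style accounts the report mentions; they are not necessarily wrong, but each should have a named owner before the comparison can clear them.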
“A strong co-ordination and commitment to key controls and management of IDIR user accounts between the OCIO and across ministries is fundamental to controlling access,” Bellringer said.
She said the OCIO should remind government departments of their responsibilities.
Read the report at: www.bcauditor.com
Reporter Jeremy Hainsworth can be contacted at firstname.lastname@example.org