Auditor General Flags Security Issues in Alberta’s Government Departments

Alberta’s Auditor General has reported significant concerns regarding the network security controls implemented within three provincial departments—Technology and Innovation, Children and Family Services (CFS), and Seniors, Community and Social Services (SCSS). The audit revealed a worrisome trend exposing these departments to the risk of unauthorized access to government data and the personal information of Albertans, primarily due to the departments’ inability to promptly revoke access privileges of ex-employees. Notably, this issue had previously been flagged in reports from 2014 and 2020, yet it continues to persist, leading the auditor to issue repeated recommendations for tighter control of user access.

Persistent Problems with User Access Controls

Terminated Employees Retaining System Access

One of the most alarming findings of the audit was the discovery that 13 out of 25 sampled accounts in the Information and Technology department had not been removed after the employment of their users had ended, and five of these accounts were actively used post-termination. This presents significant security vulnerabilities, with the potential for unauthorized activities that could compromise sensitive data. Further, the audit uncovered that 48 former employees retained logins for 11 different departmental IT applications, resulting in at least one known instance of unauthorized system access. Such lapses in user access control are not only a breach of protocol but also a serious threat to data integrity and the privacy of individuals’ information stored in government systems.

Additionally, the audit pointed out that proper reviews of user access rights were not conducted for 12 IT applications, exacerbating the risks and underscoring a systematic failure in ensuring compliance with security policies. This failure essentially leaves the door open for unauthorized access, increasing the likelihood of data breaches and misuse of information. Given the repeat nature of these findings, the need for more stringent and proactive measures is clear, as is the need for electronic tracking and revocation of system access for all forms of employee separation, so that no lapses occur during transitions.

Implications for Data Security and Privacy

The persistent failure to address these access control issues poses a significant threat to the security and privacy of sensitive data managed by these departments. Unauthorized access not only endangers data integrity but also has far-reaching implications for public trust in the government’s ability to safeguard personal information. The repeated failure to revoke access privileges of terminated employees signifies broader concerns about internal control mechanisms and their enforcement within the departments. It raises critical questions about the efficacy of policy implementation and highlights the need for a more systematic approach to user access management, involving regular audits and robust monitoring processes.

Furthermore, the audit findings suggest that part of the issue may be attributed to a lack of adequate systems or tools to track and manage user access efficiently. Without proper mechanisms in place, the risk of oversight remains high, thereby perpetuating vulnerabilities. As technology continues to evolve and the reliance on digital systems intensifies, safeguarding electronic data becomes even more important. Addressing these issues is not only about compliance but also about upholding the principles of privacy and security that underpin public confidence in governmental operations.

Steps Taken to Address Security Concerns

Implementation of Auditor’s Recommendations

In response to the concerning audit findings, Jonathan Gauthier, press secretary to the Ministry of Technology and Innovation, stated that the department is actively working on implementing the auditor’s recommendations to mitigate the identified risks. Key measures include the automatic termination of contractor accounts at the conclusion of their contract periods and aligning the removal of employee accounts with their payroll termination processes by spring 2024. This automation aims to reduce human error and ensure a seamless revocation of access rights as soon as employment ends.

Moreover, the department has updated its access control policy to increase the frequency of account reviews from an annual to a quarterly schedule. This adjustment reflects a more vigilant approach to monitoring user access and helps to promptly identify and address any unauthorized access. The periodic reassessment of user access rights, coupled with an automatic termination system, is poised to considerably enhance the security framework within the departments. The department is also planning to develop a tool that will track compliance with the updated policy, offering regular reporting to ensure consistent enforcement and oversight.

Future Improvements and Ongoing Efforts

The Auditor General of Alberta has raised significant alarm about the network security measures in place across three provincial departments: Technology and Innovation, Children and Family Services (CFS), and Seniors, Community and Social Services (SCSS). The audit highlighted a disturbing trend that puts these departments at risk of unauthorized access to sensitive government data and the personal information of Albertans. This issue stems from the departments’ repeated failure to promptly revoke access privileges of former employees. This critical weakness had already been identified in the Auditor’s reports from 2014 and 2020, yet it remains unaddressed. The persistent nature of this problem has led the Auditor General to continue issuing recommendations for stricter user access controls. The repeated nature of these findings underscores a troubling lack of progress in addressing critical IT security vulnerabilities, emphasizing the urgent need for more effective measures to protect sensitive information in the province’s governmental departments.
