Singapore is in the midst of rolling out tools and measures to plug several “IT weaknesses” highlighted in a report, including weak controls and an inadequate review process of privileged user activities. The report also stressed the need to mitigate new risks and vulnerabilities that are brought about by the accelerated rate of digital transformation amidst the global pandemic.
Efforts have been underway to address the IT loopholes since last year, with automation tools taking centrestage, according to the latest report by the Public Accounts Committee. These measures were planned in January last year, when the committee chided the public sector for recurring IT lapses in its 2020 report. It also pointed to a lack of good standard operating procedures in user access rights management, with the logging and review of privileged user activities carried out manually.
The committee added that controls over third-party vendors and partners could be beefed up. “Given the increasing pace of digitalisation and outsourcing of IT operations in the public sector, IT-related risks such as data security and cybersecurity risks will remain key risks for the government,” it noted in its report released on Monday.
Efforts to plug the gaps were led by the Smart Nation and Digital Government Group (SNDGG), which underscored the importance of human supervision, changes in processes, and the adherence of these new processes alongside the implementation of automation and technological tools.
The government agency said it was developing a centralised tool that would include the automation of the removal of user accounts that were no longer in use, which currently still need to be checked manually despite the implementation of a new application that alerted agencies of staff movement and role changes. This platform has been deployed across 38 agencies since October 2019.
Development of the centralised tool is currently targeted for completion by end-2021, after which agencies will have to integrate all existing systems with the centralised platform over the next three years. This will be deployed across high-priority systems by December 2023 and all remaining systems by December 2024, according to the SNDGG.
Another tool to aid in the review of privileged users’ activities is one that is slated to be deployed on high-priority systems by December 2022, following a pilot — launched last April — involving 15 government agencies. SNDGG reported it was “refining” detection rules to monitor different types of logs, including operating systems, databases, networks, applications, and security as well as logic to improve the efficiencies of the detection system. Implementation would be progressively scaled up to all agencies from January 2021.
Steps have also been taken to beef up organisational structures processes, which aim to facilitate greater ownership so IT lapses can be addressed. In the area of data and cybersecurity, for instance, an agency’s chief security officer and chief data officer will now be required to report major cybersecurity and data issues directly to the agency’s head.
In addition, all government agencies will be able to tap audit and incident data to predict potential governance risks to IT systems. An initial batch of agencies are expected to begin a pilot for this in the first quarter of 2021, with deployment across the sector targeted for the second quarter.
According to the Public Accounts Committee, new processes have also been put in place across the public sector to facilitate a “more coordinated and effective response” to data incidents. These include the establishment of the Government Data Security Contact Centre last April as an avenue for members of the public to report data incidents involving public agencies.
From March 2021, all public agencies will also be required to conduct annual cyber and data security incident exercises.
Moving forward, the Public Accounts Committee noted that the accelerated digital transformation brought about by the COVID-19 pandemic could introduce risks and vulnerabilities. It said the SNDGG was probed about such risks and how the agency was mitigating them.
In response, the smart nation group said it is currently setting up a government-wide “ICT and Smart System” enterprise risk management system, which would comprise a central office, risk owners, and integration of the framework with each agency’s own enterprise risk management processes.
The SNDGG identified 10 potential risks, but noted that most have been or are in the process of being addressed with ongoing efforts, including strengthening of agencies’ management of data security and cybersecurity risks as well as managing human capital risk.
The Singapore government in February 2020 said it would invest SG$1 billion to beef up its cyber and data security systems, noting that this was essential as its agencies increasingly adopted technologies such as artificial intelligence, cloud, and Internet of Things. To be spent over the next three years, the funds are for readying the country to deal with cyber threats as digitisation efforts intensify.