Special Report - Computer Security in Government Departments and Offices (Report, 30 November 1990)

Report of the Committee of Public Accounts on Computer Security in Government Departments and Offices

The Committee has considered the report prepared by the Advisory Committee and commends it to the Dáil. It wishes also to add the following recommendations to those incorporated in the body of the Report.


1. That the Committee of Public Accounts endorses the recommendations of its Advisory Committee on Computer Security in Government Departments and Offices.


2. That a more pro-active approach be adopted towards the question of computer security in the Public Service.


3. That a programme for promoting awareness of the need for computer security be developed for public servants.


4. That resources be channelled into bringing computer security in the Public Service up to an acceptable level.


5. That it be established whether the findings have any implications for Departments and Offices regarding their responsibilities under the Data Protection Act, bearing in mind the requirement of Section 2 (1) (d) that “appropriate security measures shall be taken against unauthorised access to, or alteration, disclosure or destruction of, the data and their accidental loss or destruction.”


6. That the contents of this Report be brought to the attention of each Accounting Officer.


The Committee of Public Accounts wishes to express its thanks to the members of the Advisory Committee who carried out this review on its behalf.



Gay Mitchell T.D.

 

Chairman

6 December 1990

1 INTRODUCTION AND SCOPE OF REVIEW

1.1 Background

In May 1990 Mr Gay Mitchell TD, Chairman of the Public Accounts Committee issued invitations to the Office of the Comptroller and Auditor General and to a number of consultancy firms to participate in an Advisory Committee on Computer Security. The Public Accounts Committee had, over a number of years, expressed concern about computer security in Government Departments and in October 1989 had requested all Heads of Departments and Offices to furnish a note on the procedures devised and operated in relation to computer security in respect of access, viruses, hackers, correct data input and related areas.


On the 15th May 1990, the Chairman met Mr. P. L. McDonnell, Comptroller and Auditor General and Mr. John Purcell, Director, Office of the Comptroller and Auditor General and representatives of the following consultancy firms:


■ Coopers and Lybrand,


■ Craig Gardner,


■ Deloitte & Touche


and obtained their agreement to participate in the Advisory Committee. Mr. John Purcell agreed to act as chairman of the Advisory Committee, the other members being Mr. Robin Menzies, Mr. Robert Semple, Mr. Richard Mullins and Mr. Brian McLoughlin.


1.2 Terms of reference

The following terms of reference for the Advisory Committee were submitted and agreed:-


(i) To review the documents submitted by Government Departments and Offices with a view to establishing, prima facie,


(a) the existence of data security policies in those organisations,


(b) the adequacy of such policies by reference to accepted standards.


(ii) To draw up and issue appropriate questionnaires on computer security for the different categories of Government Departments and Offices as computer users


(a) small


(b) medium


(c) large


and to evaluate the responses with a view to forming a preliminary opinion on the status of computer security therein.


(iii) On the basis of the information supplied, to determine the scope of a study which would ascertain the extent to which the stated security measures meet the needs of the organisation and are being operated.


1.3 Nature and Scope of work undertaken by the Advisory Committee

The first task undertaken was to review the documents submitted by Government Departments and Offices which had been received in response to the October 1989 request of the Public Accounts Committee. It was agreed that these documents did not provide a sufficient basis for substantive comment and that work should commence immediately on preparation and issue of a new questionnaire on computer security.


A questionnaire was drawn up in early July and was issued shortly thereafter (see Appendix A). It adopted the following definition of Computer Security.


Computer security is defined as being the protection of the confidentiality, integrity and availability of information provided through a computer system and of the computer system itself.


The questionnaire contained the following sections:-


Part 1


description of organisation, computer facilities and systems;

Part 2


computer system security checklist; and

Part 3


risk assessment and incidence of loss.

Part two of the questionnaire - The Computer System Security Checklist - was designed to assess the adequacy of security under ten different headings. The first heading dealt with security of micro computers and the remaining headings dealt with aspects of security relevant to organisations using computer installations other than standalone micro computers. The Advisory Committee considered that this distinction adequately addressed the requirement to devise questionnaires which would be suitable for different sizes of organisation as set out in the terms of reference.


Completed questionnaires were returned over the summer months and preliminary analysis commenced in early September. By the end of September, all questionnaires had been returned and analysed by the Committee. A listing of the Government Departments surveyed is at Appendix B. This report contains findings and recommendations based on these analyses.


1.4 Limitations of Approach

The exercise involved personnel from individual Government Departments and Offices providing answers to a series of questions designed to provide an overview of the manner in which security had been addressed over a range of specific headings. A detailed security assessment was not undertaken; nor have the answers provided been independently verified or audited. Accordingly, this report should not be relied upon to reveal all security weaknesses which exist within the public service; however, it does provide an indication of the extent to which particular aspects of security have been addressed.


In analysing the completed questionnaires, certain difficulties were encountered. These, in the main, derived from the differing levels of computerisation within the public service and from the submission of some conflicting or inconsistent replies. The Committee decided that these difficulties did not significantly impair the overall findings emerging from the survey and that their investigation and resolution would not be justified given the nature of the review.


The difficulties are outlined in Appendix C.


2. SUMMARY OF OVERALL FINDINGS AND RECOMMENDATIONS

2.1 Government Departments / Offices are heavily dependent on the security of their computer systems

The survey indicated that there is widespread use of information technology within Government Departments and Offices. There is substantial use of standalone personal computers and local area networks as well as a large number of mini and mainframe computer installations.


The survey indicated that there is also significant dependence on the security of computer systems used within Departments and Offices. For example, over half of the computer systems were identified as containing highly confidential data and one third of Departments and Offices regard their systems as critical to the operation of the organisation.


2.2 Security is poorly organised in many Departments / Offices

Security is poorly organised within many of the Government organisations surveyed. This is illustrated by the absence of formal security policies in many cases, the low level of independent security reviews undertaken by many organisations, and the failure to assign specific responsibility for security to designated individuals. 9 of the 17 organisations that maintain highly confidential data do not have a written security policy. 7 of the 10 organisations that feared loss or destruction of important data or leakage of confidential data do not have written security policies to protect their systems.


2.3 There is a lack of Contingency Plans

There is a lack of formally documented contingency plans in all but a few of the organisations. Of the 21 organisations whose systems are described as having high criticality, 13 indicated that they do not have a contingency plan. 10 of the 14 organisations who rated organisational disruption as a result of computer fault or destruction of computer equipment as their greatest risk have no contingency plan covering those risks. The Advisory Committee regards this as a matter of major concern.


2.4 Security of Microcomputers is Poor

Security in relation to microcomputers was highlighted as being poor. In particular procedures for the protection of such computers against disruption by computer viruses appear to be weak.


2.5 Access Controls Need Improvement

There is scope for improvement in procedures which protect computerised information against unauthorised disclosure or amendment.


2.6 Government Departments / Offices do not use formal risk analysis procedures

Formal risk analysis procedures are rarely applied within the Government organisations covered by the survey.


2.7 The Level of Control in Other Areas is Higher

In other areas the level of control seems to be higher. These include:-


Physical Controls


Computer Operations Controls


Back-up and Recovery Procedures


Software Integrity


2.8 Recommendations

Detailed recommendations are set out in Section 6 of this Report. These can be summarised as follows:-


Establish a function within the public service for the promotion of computer security in Government Departments and Offices;


Each Department and Office should implement a short-term security action plan to tackle major weaknesses within their organisations;


Each Department and Office should initiate a study to formally assess risks and to develop appropriate countermeasures;


Establish a timetable for the implementation of recommendations and monitor progress.


3. DESCRIPTION OF ORGANISATION AND COMPUTER FACILITIES AND SYSTEMS

Part 1 of the questionnaire sought to obtain information about the Government Department or Office, together with details of the computer equipment and application systems used by the organisation. Respondents were also asked to indicate, for each application, the relative importance and criticality of the systems in terms of availability and reliability.


The information obtained provides an indication of the nature and scale of investment in Information Technology (IT) within the public service and of the extent of the dependence on the information systems.


Overall investment in IT is very significant. The survey revealed that within Government Departments and Offices there are


over 100 computer centres;


about 1,000 computer staff;


over 1,000 standalone personal computers;


over 6,000 computer terminals;


over 120 local area networks;


a vast array of mini and mainframe computers;


over 300 computer systems;


The proliferation of standalone personal computers and local area networks is particularly noticeable. Increasing dependence on local area networks may pose an additional risk because of the lower level of expertise generally associated with those involved in the operation of such networks as distinct from those involved in mainframe and minicomputer environments.


There was some inconsistency in the classification of systems both as regards confidentiality and criticality. In particular, there were a number of cases where the ratings given by Departments and Offices were lower than might reasonably be expected. This may result in insufficient resources being given to protection of these systems.


4. COMPUTER SYSTEM SECURITY ASSESSMENT

4.1 Part 2 of the security questionnaire set out a series of questions with the objective of assessing the adequacy of security under the following headings:-


Microcomputers


Organisational Controls


Physical Security,


Logical Access Controls


Operations Controls


Backup and Recovery


Contingency


Telecommunications


Software Integrity


Database Administration


Basic security guidelines addressing some of these areas were issued by the Central Information Technology Services (CITS) of the Department of Finance in January 1989 to all Departments and Offices. Revised guidelines were prepared in July 1990 to deal with backup and contingency procedures, password policy and computer viruses. CITS has also recently endorsed virus protection software for general use.


The conclusions arising from our assessment of all areas are outlined below. An analysis of the responses received is at Appendix D.


4.2 Microcomputers (Questions 1.1 - 1.5)


These questions deal with the procedures and controls required for the use of standalone personal computers (PCs) within the organisation.


The need for security of microcomputers arises from their use for storing information which may be sensitive from a confidentiality perspective, and from the dependence of organisations on the availability and integrity of information processed on such PCs. The threat of computer viruses is particularly prevalent in the microcomputer environment.


Security in relation to microcomputer systems is poor. In particular, procedures for the protection of systems against disruption by computer viruses and for periodic checking for evidence of the existence of viruses or unlicensed software appear to be weak; a significant number of respondents do not have procedures or standards relating to back-up of data and in almost 25% of cases security procedures are not reviewed for compliance.


4.3 Organisational Controls (Questions 2.1 - 2.7)


These questions deal with the need for an appropriate organisational structure to coordinate and monitor security related activities and with the need to formally identify security priorities (through a security policy) and responsibilities.


Good organisational controls provide a solid platform upon which security procedures and controls can be established and maintained; poor controls in this area undermine the ability of the organisation to maintain a sound and balanced level of security.


Controls in this area appear to be weak and provide no foundation for strong controls in other areas. The replies suggest a lack of commitment to computer security illustrated by the absence of security policies in so many cases, the low level of security reviews undertaken and the failure to assign specific responsibility for security to a designated individual.


It also appears that the integration of computer security with accounting and clerical controls is not well understood.


4.4 Physical Security (Questions 3.1 - 3.5)


These questions deal with the need to control physical access to the computer and to protect equipment and storage media such as tapes and disks against natural and man made hazards.


Standards in this area appear reasonable, although some respondents have inadequate protection against the risk of fire and a significant number have not protected themselves against failure or fluctuation of electrical supply by installing an uninterruptible power supply.


4.5 Logical Access Controls (Questions 4.1 - 4.4)


These questions deal with the need to control access to information and systems by persons using terminals or other devices connected to the computer.


Weaknesses in this area can expose an organisation to breaches of the confidentiality of sensitive information, and to unauthorised change or deletion of information which, in some cases, could conceal or lead to the perpetration of fraud. This is the control area in which most internal fraud generally originates or is facilitated, and therefore particular attention must be paid to the implementation of controls which prevent, detect and trace unauthorised access attempts.


There is scope for improvement in this area. While the majority of Departments and Offices require all individuals to enter a valid identifier and a unique, non-shared password before access to the system is permitted, a few large computer-using organisations do not. Although overall awareness of control needs in this area is fairly good, only half of the respondents had procedures in operation to record and review unauthorised access attempts. In some cases access control software was not in use although it appeared appropriate that it should be.
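As an added illustration of the recording and review procedure referred to above (example code, not part of the report or of any Department's system), the following Python script reads a constructed access log in an assumed format and flags identifiers that show repeated failed attempts within a short window, and successful logins that follow such a run. The record format, the field names, the window and the thresholds are all assumptions made for the example.

```python
"""Review of recorded access attempts.  Added example; the log format and the
thresholds below are assumptions, and the sample records are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed: failures older than this are forgotten
FAIL_THRESHOLD = 3               # assumed: 3 failures inside WINDOW merit review
SUCCESS_AFTER = 2                # assumed: a success after >= 2 failures merits review

# Constructed sample records.  Assumed format:
#   date time LOGIN OK|FAIL user=<identifier> terminal=<terminal>
SAMPLE_LOG = """\
1990-09-12 09:14:02 LOGIN OK   user=amurphy terminal=T03
1990-09-12 09:14:30 LOGIN FAIL user=jbloggs terminal=T14
1990-09-12 09:14:41 LOGIN FAIL user=jbloggs terminal=T14
1990-09-12 09:14:55 LOGIN FAIL user=jbloggs terminal=T14
1990-09-12 09:15:10 LOGIN FAIL user=jbloggs terminal=T14
1990-09-12 09:15:22 LOGIN OK   user=jbloggs terminal=T14
1990-09-12 10:02:05 LOGIN FAIL user=skelly terminal=T07
1990-09-12 14:40:12 LOGIN FAIL user=skelly terminal=T07
1990-09-12 14:41:00 LOGIN OK   user=skelly terminal=T07
"""


def parse_line(line):
    """Split one record into (timestamp, result, fields); format is assumed."""
    parts = line.split()
    ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
    result = parts[3]                                   # "OK" or "FAIL"
    fields = dict(p.split("=", 1) for p in parts[4:])   # user=..., terminal=...
    return ts, result, fields


def review_access_log(text):
    """Return findings, in log order, for identifiers with repeated failed
    attempts inside WINDOW or a success following a run of failures."""
    recent = defaultdict(deque)   # identifier -> failure times still inside WINDOW
    flagged = set()               # identifiers already reported for repeated failures
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, fields = parse_line(line)
        user = fields["user"]
        q = recent[user]
        while q and ts - q[0] > WINDOW:       # drop failures outside the window
            q.popleft()
        if result == "FAIL":
            q.append(ts)
            if len(q) >= FAIL_THRESHOLD and user not in flagged:
                flagged.add(user)
                findings.append({"kind": "repeated_failures", "user": user,
                                 "terminal": fields.get("terminal"),
                                 "time": ts, "failures": len(q)})
        elif result == "OK":
            if len(q) >= SUCCESS_AFTER:
                findings.append({"kind": "success_after_failures", "user": user,
                                 "terminal": fields.get("terminal"),
                                 "time": ts, "failures": len(q)})
            q.clear()                          # a success closes the run
            flagged.discard(user)
    return findings


if __name__ == "__main__":
    for f in review_access_log(SAMPLE_LOG):
        print(f"{f['time']} {f['user']:<10} {f['terminal']} {f['kind']} "
              f"(failures in window: {f['failures']})")
```

On the constructed sample the script reports jbloggs twice (three failures inside a minute, then a success after four) and reports nothing for skelly, whose two failures are hours apart; a real review would also want to know whether the terminal is one the identifier normally uses.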


4.6 Operations Controls (Questions 5.1 - 5.6)


These questions deal with the need for management procedures and controls in relation to the day-to-day operation of the computer.


Control in this area is generally reasonable, with the major data processing centres exercising proper control over operations. In relation to smaller processing units, it was difficult to assess the degree of need for formal operations controls.


4.7 Back-up and Recovery (Questions 6.1 - 6.4)


These questions deal with the need to copy software and data at periodic intervals so that the effect of a processing breakdown or disruption to computer facilities can be minimised by the availability of such back-up copies.


In general, the needs in this area appear to be well addressed. Practically all respondents indicated that production software and data were regularly copied as back-up to enable them to continue processing in the event of problems arising. That said, there were, surprisingly, a number of cases where no off-site storage was used. In addition, some respondents indicated that stored back-ups were not regularly tested to ensure that they would work in an emergency.
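The restore test referred to above, as an added example that is not part of the report or of any Department's procedures: the script records a checksum manifest of a constructed set of production files when the backup is taken, restores the archive to a separate location and compares the restored tree with the manifest, reporting files that are missing or whose content differs. File names, contents and paths are constructed for the example.

```python
"""Restore test for a backup copy.  Added example, not from the report:
file names, contents and paths are all constructed here."""
import hashlib
import os
import tarfile
import tempfile


def manifest(root):
    """Map each file under root (path relative to root) to the SHA-256 of its
    content.  Recorded at backup time, this is what a restore is checked against."""
    out = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                out[os.path.relpath(path, root)] = hashlib.sha256(f.read()).hexdigest()
    return out


def take_backup(src_root, archive_path):
    """Write a compressed archive of src_root and return its manifest."""
    with tarfile.open(archive_path, "w:gz") as tar:
        for entry in sorted(os.listdir(src_root)):
            tar.add(os.path.join(src_root, entry), arcname=entry)
    return manifest(src_root)


def restore_backup(archive_path, dest_root):
    """Extract the archive into dest_root, refusing entries that would land
    outside it.  The 'data' filter exists from Python 3.12 (and in the
    backports); older interpreters fall back to unfiltered extraction."""
    with tarfile.open(archive_path, "r:gz") as tar:
        try:
            tar.extractall(dest_root, filter="data")
        except TypeError:
            tar.extractall(dest_root)


def verify_restore(expected, restored_root):
    """Compare a restored tree with the manifest recorded at backup time."""
    actual = manifest(restored_root)
    return {
        "missing": sorted(set(expected) - set(actual)),
        "corrupted": sorted(p for p in expected if p in actual and actual[p] != expected[p]),
        "unexpected": sorted(set(actual) - set(expected)),
    }


def run_restore_test():
    """End-to-end run on a constructed tree: back up, restore, verify, then
    damage the restored copy to show what a failed test reports."""
    with tempfile.TemporaryDirectory() as work:
        prod = os.path.join(work, "prod")
        os.makedirs(os.path.join(prod, "ledger"))
        files = {                                   # constructed sample data
            "ledger/payments.dat": b"PAY 0001 120.00\nPAY 0002 45.50\n",
            "ledger/index.dat": b"0001 0002\n",
            "config.txt": b"site=Dublin\n",
        }
        for rel, content in files.items():
            with open(os.path.join(prod, rel), "wb") as f:
                f.write(content)

        archive = os.path.join(work, "backup.tar.gz")
        expected = take_backup(prod, archive)

        restored = os.path.join(work, "restore")
        os.makedirs(restored)
        restore_backup(archive, restored)
        clean = verify_restore(expected, restored)

        # Simulate a bad medium: one file truncated, one lost entirely.
        with open(os.path.join(restored, "ledger", "payments.dat"), "wb") as f:
            f.write(b"PAY 0001 120.00\n")
        os.remove(os.path.join(restored, "config.txt"))
        damaged = verify_restore(expected, restored)
    return clean, damaged


if __name__ == "__main__":
    clean, damaged = run_restore_test()
    print("clean restore:  ", clean)
    print("damaged restore:", damaged)
```

The manifest is kept separately from the archive so that a medium which has silently lost or altered data cannot also vouch for itself; in practice it would be stored with the off-site copy and the comparison run on a restore to a machine other than the one being protected.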


4.8 Contingency (Questions 7.1 - 7.3)


These questions deal with the need for formally documented procedures to enable an organisation to recover from a major disruption affecting the availability of its computer facilities.


The absence of formal documented contingency plans in all but a few of the organisations is a major concern. The need for contingency plans and for their regular testing cannot be overemphasised.


4.9 Telecommunications (Questions 8.1 - 8.7)


These questions deal with protecting the availability, integrity and confidentiality of information while it is being transmitted across a computer network. This aspect of security is considered to be increasingly important within the IT industry because of the trend towards opening up information systems to third parties, increased interconnectivity of computer systems and more prevalent dial up access to computer systems. The specific threat arising from hackers has also to be countered through telecommunications security.


There appears to be a general lack of appreciation and understanding of the security implications of the telecommunications network as it relates to computer systems. This view is borne out by the responses from many Departments who perceived that this section of the questionnaire did not apply to them. This perception suggests that further investigation may be necessary particularly as this is considered to be an area of high exposure generally and is of special relevance to Government Departments and Offices given the increasing trend towards the networking of systems via telecommunications.


4.10 Software Integrity (Questions 9.1 - 9.5)


Software integrity is concerned with the need for formal procedures in relation to the development and implementation of new systems and of changes to existing systems.


Among the Departments who responded to these questions there was a high degree of compliance with the requirements for software integrity. Compliance was more prevalent in the Departments with long established data processing facilities, and there is probably a need to ensure that the same discipline is fostered in those organisations which have embraced computerisation more recently.


4.11 Database Administration (Questions 10.1 - 10.4)


Many computer systems nowadays use specialised database technology which provides for greater flexibility in organising and accessing information with concomitant potential for efficiencies in the storage of data. In this environment special security considerations apply to ensure the confidentiality, integrity and availability of information stored on databases.


The responses indicated that the number of significant databases in the public service is small but that will undoubtedly change in the future. As the development of databases increases there will have to be a commensurate increase in the special control requirements for the administration of such databases.


5. RISK ASSESSMENT AND INCIDENCE OF LOSS

5.1 Overview

Risk analysis is a process involving the identification of potential security risks associated with a computer system in order to determine security requirements and select the types of controls needed to satisfy these requirements.


Properly used, risk analysis can raise management awareness of security exposures, provide a particular mechanism for understanding the magnitude of these exposures and assist with the evaluation and selection of appropriate safeguards.


This section of the questionnaire sought to identify the extent to which risk analysis techniques are being used in the public service. In addition, the questionnaire asked for information about the areas perceived to be of greatest risk within the organisation and about any incidents affecting the availability, integrity or confidentiality of information.


5.2 Risk Analysis

The majority of Departments and Offices have identified the potential threats to their computer systems, but only 50% of them have documented the risk these threats pose. Of the twenty-nine respondents two had undertaken formal risk analysis projects.


5.3 Perceptions of Greatest Risk

(See Table on Page 12)


Bearing in mind the subjective nature of these perceptions, great care has to be exercised in their interpretation. Within that constraint, it is surprising that there is a general perception that fraud, both internal and external, is a low risk.


5.4 Incidence of Loss

The majority of reported incidents arose, as expected, from system failures. To a lesser extent the other incidents which resulted in loss were natural hazards, errors, industrial action and malicious acts.


5.5 Security Related Spending

The inability of the vast majority of respondents to identify separately the total expenditure on computer security may be indicative of a lack of emphasis on the need for a focused security function in Departments and Offices.



6. RECOMMENDATIONS

6.1 The Terms of Reference of the Advisory Committee required it to determine the scope of a study which would ascertain the extent to which security measures meet the needs of the organisation and are being operated. The Advisory Committee also considered what action should be taken to raise the level of security within Government Departments and Offices to an acceptable standard. Its recommendations are set out below.


6.2 A function should be clearly defined and formalised within the public service whose role would be to promote computer security within Government Departments and Offices. Its responsibilities would include:-


(a) to develop a systematic approach to risk analysis which would be suitable for implementation by all Government Departments and Offices;


(b) to develop standards and guidelines to address areas of common concern in relation to security (priority should be given to areas identified as weak by this review);


(c) to identify security techniques which are appropriate to the needs of Government Departments and Offices and to disseminate information about these techniques to the security officers within each organisation;


(d) to co-ordinate the discharge by Departments and Offices of their responsibility to implement an appropriate security function for their organisations.


This function should be incorporated into CITS which has already carried out some work in this area.


6.3 Each Department and Office should immediately develop and implement a short-term security action plan to address the more important and critical areas highlighted in this review.


6.4 Studies should be performed separately within each Department and Office:-


(a) to identify and analyse the requirements for security within the organisation;


(b) to assess the adequacy of security measures taken to address the specific requirements within the organisation, and also to satisfy minimum control requirements which would be expected in the organisation;


(c) to make recommendations to enable the organisation to address any exposures identified;


(d) to produce a security improvement programme to ensure that exposures are addressed in a systematic manner and on a timely basis;


(e) to devise a mechanism for regular review of security measures in operation.


This study should be undertaken following the implementation of recommendations 6.2 and 6.3 above. The objective of the exercise would be that every Department / Office would ultimately have security arrangements in operation appropriate to its needs.


6.5 In order that proposals 6.2 to 6.4 above would have every chance of improving security consciousness and effectiveness within Departments and Offices, a definitive timetable for their implementation should be drawn up by Departments / Offices and notified to CITS.


6.6 The Comptroller and Auditor General should report on the implementation of the recommendations in this report in 12 months time.


____________________________


John Purcell, Office of the Comptroller and Auditor General


____________________________


Robin Menzies, Coopers & Lybrand


____________________________


Robert Semple, Craig Gardner


____________________________


Richard Mullins, Deloitte & Touche


____________________________


Brian McLoughlin, Deloitte & Touche


30 November 1990