Singapore is in the midst of rolling out tools and measures to plug several “IT weaknesses” highlighted in a report, including weak controls and inadequate reviews of privileged user activities. The report also stresses the need to mitigate new risks and vulnerabilities brought about by the accelerated rate of digital transformation amidst the global pandemic.
Efforts were already underway to address the IT loopholes over the past year, with automation tools taking centre stage, according to the latest report by the Public Accounts Committee. These measures had been planned since last year, when the committee had chided the public sector for recurring IT lapses in its 2020 report. It had then also pointed to a lack of good standard operating procedures in user access rights management, with the logging and review of privileged user activities carried out manually.
The committee added that controls over third-party vendors and partners could be beefed up. “Given the increasing pace of digitalisation and outsourcing of IT operations in the public sector, IT-related risks such as data security and cybersecurity risks will remain key risks for the government,” it noted in its report released Monday.
Efforts to plug the gaps were led by the Smart Nation and Digital Government Group (SNDGG), which underscored the importance of human supervision, changes in processes, and adherence to these new processes alongside the implementation of automation and technological tools.
The government agency said it was developing a centralised tool that would include automating the removal of user accounts that were no longer in use. Such accounts currently still needed to be checked manually, despite the implementation of a new application that alerted agencies to staff movement and role changes. This platform had been deployed across 38 agencies since October 2019.
Development of the centralised tool was targeted for completion by end-2021, after which agencies would integrate all existing systems with the centralised platform over the next three years. This would be deployed across high-priority systems by December 2023 and all remaining systems by December 2024, according to the SNDGG.
Another tool to aid in the review of privileged users’ activities also was slated to be deployed on high-priority systems by December 2022, following a pilot, launched last April, involving 15 government agencies. SNDGG reported that it was “refining” detection rules to monitor different types of logs, including those from operating systems, databases, networks, applications, and security, as well as logic to improve the efficiency of the detection system. Implementation would be progressively scaled up to all agencies from January 2021.
Steps also had been taken to beef up organisational structures and processes, which aimed to facilitate greater ownership so IT lapses would be addressed. In the area of data and cybersecurity, for instance, an agency’s chief security officer and chief data officer were required to report major cybersecurity and data issues directly to the agency’s head.
In addition, all government agencies would tap audit and incident data to predict potential governance risks to IT systems. An initial batch of agencies was expected to begin a pilot for this in the first quarter of 2021, with deployment across the sector targeted for the second quarter.
According to the Public Accounts Committee, new processes also had been put in place across the public sector to facilitate a “more coordinated and effective response” to data incidents. These included the establishment of the Government Data Security Contact Centre last April as an avenue for members of the public to report data incidents involving public agencies.
From March 2021, all public agencies also would be required to conduct annual cyber and data security incident exercises.
Moving forward, the Public Accounts Committee noted that the accelerated digital transformation brought about by the COVID-19 pandemic could introduce risks and vulnerabilities. It said the SNDGG was probed about such risks and how the agency was mitigating them.
In response, the smart nation group said it currently was setting up a government-wide “ICT and Smart System” enterprise risk management system, which would comprise a central office, risk owners, and integration of the framework with each agency’s own enterprise risk management processes.
The SNDGG had identified 10 potential risks, but noted that most had been or were in the process of being addressed with ongoing efforts, including strengthening of agencies’ management of data security and cybersecurity risks as well as managing human capital risk.
The Singapore government in February 2020 said it would invest SG$1 billion to beef up its cyber and data security systems, noting that this was essential as its agencies increasingly adopted technologies such as artificial intelligence, cloud, and Internet of Things. To be spent over the next three years, the funds would go towards readying the country to deal with cyber threats as digitisation efforts intensified.