All IT systems in B.C. vulnerable to threats: Auditor General

Less than three months after a hard drive containing student information from about 3.4 million education records in British Columbia went missing, the province’s Auditor General has found that “all IT systems are vulnerable to threats.”

Auditor General of British Columbia Carol Bellringer released her latest audit report, titled The Status of Government’s General Computing Controls: 2014, on Tuesday. For government IT systems, the stakes are often high because these systems hold substantial and sensitive information and are critical for delivering essential services, the Office of the Auditor General of British Columbia said in a press release. [click image below to enlarge]

In late September, a misplaced unencrypted back-up hard drive containing student information over a 23-year period prompted a cross-government review of how B.C. government ministries manage personal information

“Strong general computing controls are government’s first line of defence against potential threats, like hacking, theft and system disruption,” Bellringer said in the release. “Without them, they risk loss of personal data or not even being able to access the system.

In late September, a misplaced unencrypted back-up hard drive containing student information over a 23-year period prompted a cross-government review of how B.C. government ministries manage personal information. The missing hard drive contained about 3.4 million education records tied to individuals between 198 and 2009, including names, postal codes, grades and personal education numbers, Canadian Underwriter reported at the time.

Similar to the Auditor General’s report released in 2013, all 148 government organizations were asked to rate their general computing controls on a scale of 1 to 5, known as a maturity level, the auditor general’s office explained in the release. Compared to 2013, organizations assessed themselves at a higher level. However, of the 13 organizations whose self-assessments were audited this year, 69% overrated their level of achievement, the release said, adding that many organizations lacked documented policies and procedures – hallmarks of strong general computing controls.

“We encourage all organizations to take a critical look at their IT processes and be realistic about their level of maturity,” Bellringer said. “Over the last 10 years, 78% of our IT audit recommendations were about improving general computing controls.” The report recommends that organizations review their business and IT goals, determine which level is best suited for their needs and then achieve and maintain that desired level.