August 20, 2019 by Greg Meckbach
If your client has a formal process to disable computer network access for employees and contractors who no longer work there, that client’s cybersecurity is better in at least one respect than some British Columbia government departments.
The province’s Office of the Auditor General recently audited five government departments on how well they follow controls set by the Office of the Chief Information Officer (OCIO) to restrict unauthorized access to computer data, the Auditor General’s office said in the report released Aug. 13.
With its Internal Directory and Authentication Service (commonly known as IDIR), the B.C. government gives user accounts to employees and contractors so they can log on to workstations and access online services.
The audit found that for 538 IDIR accounts still in use, the corresponding user’s employment status was “non-active.”
The audit did not go so far as to look for inappropriate use of accounts or actual security breaches that could result from improper accounts.
The audit asked whether the ministries were formally reviewing employees’ and contractors’ IDIR access rights at regular intervals to ensure their access rights are current and valid.
The answer for all – except the corporate accounting services branch of the Ministry of Finance – was no. In addition to finance, the departments that were audited were citizens’ services, health and attorney general, plus the department of forests, lands, natural resource operations and rural development.
“Users that should no longer have access may still have access to government computer resources and information. This could result in unauthorized access and sensitive information being used for fraudulent activities,” the Office of the Auditor General said in the report.
“Keeping electronic data safe requires a robust method for identifying users, determining what they can access and then controlling access appropriately,” B.C.’s Auditor General Carol Bellringer wrote in the report.
The B.C. government collects sensitive information such as personal health records, social insurance numbers, birth records, and personal and government financial information.
“Even a single poorly managed IDIR account could lead to fraud or to compromised government information and systems,” the Office of the Auditor General wrote.
Some but not all ministries had their own documented procedures for removing IDIR accounts.
It is important to have this kind of procedure because employment status and contractor terms change often, the Office of the Auditor General suggested in the report.
For example, employees get terminated or retire. Others get promoted or move to different departments. For some vendors with IDIR access, their contracts end, while other contractors may see their jobs change.
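The periodic review the auditors asked about amounts to reconciling the directory against the HR and contract register and flagging every enabled account whose owner is non-active, whose contract has ended, or who has no record at all. The script below is an added illustration of that check, not code from the article or from the B.C. government; the account records, HR records and field names are constructed assumptions, and it goes slightly beyond the audit finding by also catching expired contracts and accounts with no owner.

```python
"""Periodic access review: flag IDIR-style accounts whose owner is no longer active."""
from datetime import date

# Constructed snapshot of the directory: who can currently log in.
ACCOUNTS = [
    {"idir": "jsmith", "enabled": True},
    {"idir": "alee", "enabled": True},
    {"idir": "vendor01", "enabled": True},
    {"idir": "mkhan", "enabled": False},
    {"idir": "ghost", "enabled": True},
]

# Constructed HR / contract register: who should be able to log in.
# Field names are assumptions, not the real IDIR or HR schema.
PEOPLE = {
    "jsmith": {"status": "active", "end_date": None},
    "alee": {"status": "non-active", "end_date": date(2019, 1, 31)},    # retired
    "vendor01": {"status": "active", "end_date": date(2019, 6, 30)},    # contract expired
    "mkhan": {"status": "non-active", "end_date": date(2018, 10, 31)},  # already disabled
    # "ghost" has no HR record at all
}

AUDIT_DATE = date(2019, 8, 13)  # date of the review run


def review_access(accounts, people, today):
    """Return (idir, reason) for each enabled account that should not be enabled.
    Flags an account when its owner is marked non-active, when the owner's
    contract end date has passed, or when no HR record exists for it.
    Accounts already disabled are skipped: the control has been applied.
    """
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        person = people.get(acct["idir"])
        if person is None:
            findings.append((acct["idir"], "no HR or contract record"))
        elif person["status"] != "active":
            findings.append((acct["idir"], f"employment status {person['status']}"))
        elif person["end_date"] is not None and person["end_date"] < today:
            findings.append((acct["idir"], f"contract ended {person['end_date']}"))
    return findings


if __name__ == "__main__":
    for idir, reason in review_access(ACCOUNTS, PEOPLE, AUDIT_DATE):
        print(f"{idir}: {reason}")
```

Each finding is a candidate for disabling, with the reason recorded so the review itself leaves an audit trail.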
“Some government employees have significant access to and abilities within government systems,” the Office of the Auditor General said Aug. 13 in a release. “For example, a system administrator often has the ability to create or alter accounts for their organization’s users.”