A recent report by Alberta’s Auditor General has revealed alarming security weaknesses in the network controls of three Government of Alberta departments—Technology and Innovation, Children and Family Services (CFS), and Seniors, Community and Social Services (SCSS). This development has raised significant concerns about potential unauthorized access to government data and the personal information of Albertans. The audit of the province’s consolidated financial statements showed how these departments failed to promptly revoke access privileges for former employees, increasing the risk of privacy breaches and identity theft.
Persistent Security Weaknesses Uncovered
User Access Exceptions
One of the most striking revelations of the report was the presence of “user access exceptions” that allowed unauthorized individuals to potentially manipulate critical personal, business, and financial information within the government’s network. Specifically, the auditor found that out of 25 sampled accounts within the Information and Technology department, 13 had not been removed from the network after their users’ employment had ended. Five of these accounts were actively used to log into the government’s network, even though the account holders were no longer employed by the government.
Adding to the severity of the situation, 48 former employees retained access to 11 departmental IT applications, leading to at least one recognized incident of unauthorized access. These repeated incidents of oversight emphasize a significant lapse in maintaining secure access controls. This issue was not new to the departments, as it had been previously highlighted in reports from 2014 and 2020, indicating longstanding and unresolved security vulnerabilities.
Inadequate Reviews of User Access Rights
Another critical finding was the departments’ failure to perform effective reviews of user access rights for 12 IT applications. Specifically, audits of three particular applications were notably neglected during the 2023-24 period. This negligence allowed ex-employees to retain access to sensitive information long after their departure. The persistent delays in removing ex-employee access, despite prior recommendations to establish tighter controls, further underscore the critical need for improved network security practices.
The recurring inability to regularly review and update user access rights has left these departments vulnerable to potential security threats. Such persistent issues jeopardize not only the integrity of government data but also the privacy of personal information entrusted to these departments. These lapses point to a significant gap in network security protocols that requires immediate and decisive action to mitigate ongoing risks.
Measures to Address the Security Gaps
New Access Control Policies
In response to the findings, Jonathan Gauthier, press secretary to the Ministry of Technology and Innovation, affirmed that measures are being taken to address these security gaps. An updated access controls policy has been introduced, requiring more frequent quarterly reviews of user account access instead of the previous annual reviews. This change aims to ensure that ex-employees’ accounts are promptly removed, reducing the chances of unauthorized access.
Additionally, the policy mandates automatic termination of contractor accounts at the end of their contracts. Employee account removals will be synchronized with payroll termination processes, effective from spring 2024. These measures demonstrate a proactive approach towards strengthening network security and minimizing vulnerabilities. By addressing the root causes of the access control issues, the Ministry hopes to significantly reduce the risk of privacy breaches and unauthorized access.
Development of Monitoring Tools
Beyond policy adjustments, the Ministry of Technology and Innovation is also developing a tool to monitor compliance and provide regular reporting on access reviews. This tool, expected to be operational soon, will enhance the ministry’s ability to track and document user access rights, ensuring any exceptions are identified and addressed promptly. Continued improvements in the review processes of user access rights are planned over the coming years.
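The controls described above (quarterly access reviews, automatic contractor account expiry, and employee removals tied to payroll termination, plus a tool that reports on exceptions) amount to a reconciliation between the HR/payroll system and the account directory. The following is an added example, not code from the Auditor General's office or the Ministry of Technology and Innovation, showing the core of such a check: it takes a constructed sample of directory accounts and HR termination records and flags the three kinds of exception the audit describes (accounts still enabled after termination, logins after termination, and accounts with no matching HR owner). The record layouts, field names and sample values are assumptions.

```python
"""Leaver reconciliation check (added example; sample data is constructed)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Account:
    """One entry from the account directory export (assumed layout)."""
    username: str
    enabled: bool
    account_type: str           # "employee" or "contractor"
    last_login: Optional[date]  # None if the account has never authenticated


@dataclass(frozen=True)
class HrRecord:
    """One entry from the HR/payroll export (assumed layout)."""
    username: str
    end_date: Optional[date]    # payroll termination or contract end; None while active


def find_access_exceptions(accounts: List[Account],
                           hr_records: List[HrRecord],
                           as_of: date) -> List[Tuple[str, str]]:
    """Return sorted (username, reason) pairs for accounts that should not exist as-is.

    Reasons:
      no_hr_record               - directory account with no owner in HR/payroll
      enabled_after_termination  - still enabled although end_date has passed
      login_after_termination    - authenticated after its end_date (the audit's
                                   "actively used" case), whether or not it is now disabled
    """
    hr_by_user: Dict[str, HrRecord] = {r.username: r for r in hr_records}
    exceptions: List[Tuple[str, str]] = []
    for acct in accounts:
        rec = hr_by_user.get(acct.username)
        if rec is None:
            exceptions.append((acct.username, "no_hr_record"))
            continue
        if rec.end_date is None or rec.end_date > as_of:
            continue  # still employed / contract still running
        if acct.enabled:
            exceptions.append((acct.username, "enabled_after_termination"))
        if acct.last_login is not None and acct.last_login > rec.end_date:
            exceptions.append((acct.username, "login_after_termination"))
    return sorted(exceptions)


def quarterly_review_summary(accounts: List[Account],
                             hr_records: List[HrRecord],
                             as_of: date) -> Dict[str, int]:
    """Counts suitable for the compliance report a quarterly review would produce."""
    exceptions = find_access_exceptions(accounts, hr_records, as_of)
    summary = {
        "accounts_reviewed": len(accounts),
        "accounts_with_exceptions": len({u for u, _ in exceptions}),
        "enabled_after_termination": 0,
        "login_after_termination": 0,
        "no_hr_record": 0,
    }
    for _, reason in exceptions:
        summary[reason] += 1
    return summary


# Constructed sample data (not real accounts).
AS_OF = date(2024, 6, 30)
SAMPLE_ACCOUNTS = [
    Account("asmith", True, "employee", date(2024, 5, 2)),      # left 31 Mar, still enabled, used after
    Account("bjones", False, "employee", date(2024, 2, 10)),    # left 31 Mar, correctly disabled
    Account("cwong", True, "contractor", date(2024, 4, 15)),    # contract ended 30 Apr, still enabled
    Account("dlee", True, "employee", date(2024, 6, 20)),       # current employee
    Account("svc_legacy", True, "employee", None),              # nobody in HR owns this account
    Account("emartin", False, "contractor", date(2024, 5, 5)),  # disabled now, but used after contract end
]
SAMPLE_HR = [
    HrRecord("asmith", date(2024, 3, 31)),
    HrRecord("bjones", date(2024, 3, 31)),
    HrRecord("cwong", date(2024, 4, 30)),
    HrRecord("dlee", None),
    HrRecord("emartin", date(2024, 4, 30)),
]

if __name__ == "__main__":
    for user, reason in find_access_exceptions(SAMPLE_ACCOUNTS, SAMPLE_HR, AS_OF):
        print(f"{user:12} {reason}")
    print(quarterly_review_summary(SAMPLE_ACCOUNTS, SAMPLE_HR, AS_OF))
```

The "login_after_termination" rule is reported independently of the enabled flag so that an account that was used and only later disabled still shows up in the review; the "no_hr_record" rule catches accounts the payroll-synchronized removal could never reach because no payroll event will ever fire for them.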
The development of these monitoring tools and the synchronization of account removal processes highlight the Ministry’s commitment to rectifying the identified security weaknesses. By reinforcing the overall security framework, these initiatives aim to safeguard sensitive government and personal data more effectively, ensuring robust protection against unauthorized access.
Conclusion
A recent report from Alberta’s Auditor General has uncovered serious security flaws within the network controls of three Alberta Government departments: Technology and Innovation, Children and Family Services (CFS), and Seniors, Community and Social Services (SCSS). This discovery has sparked significant worries about potential unauthorized access to government data and the personal information of Alberta residents. The audit of the province’s consolidated financial statements highlighted these departments’ failure to promptly revoke access privileges for former employees, elevating the risk of privacy breaches and identity theft. These findings suggest that the security measures in place are insufficient, posing a threat to both government integrity and citizens’ privacy. Immediate action is required to rectify these vulnerabilities and ensure the protection of sensitive information. The government must implement stricter access control policies and perform regular audits to mitigate these risks and maintain public trust.