A report from Alberta’s Auditor General flags loose network controls in three Government of Alberta departments as potential risks for unauthorized access to government data and Albertans’ personal information.
In its audit of the province’s consolidated financial statements, the auditor general made recommendations to the Ministries of Technology and Innovation, Children and Family Services (CFS), and Seniors, Community and Social Services (SCSS) to improve network security procedures after finding the departments failed to promptly remove ex-employees’ access privileges.
For both CFS and SCSS, the auditor found that terminated employees retained access to IT applications.
Previous reports in 2014 and 2020 made the same recommendation to tighten controls for department information systems, and the auditor said it is repeating that direction because it continues to find “user access exceptions.”
“Unauthorized individuals may access the department’s systems and be able to use or change critical personal, business, and financial information. This could result in privacy breaches for the department or create opportunities for identity theft.
“If information in the financial systems was manipulated, this could impair the integrity of the department’s financial reporting and results,” the auditor general’s report warns.
Within Information and Technology, the auditor tested 25 sample accounts and found that 13 of them weren’t removed from the network. Five of the 13 accounts “were used to log into the government’s network after the account holders’ employment ended with government.”
Department management verified that the users “mainly accessed their own employment data.”
An additional 48 ex-employees held on to logins for 11 departmental IT applications, resulting in one unauthorized access to an IT system.
The audit also found the department didn’t complete effective reviews of user access rights for 12 of its IT applications, including three where no review was performed during the 2023-24 audit period.
Jonathan Gauthier, press secretary to the Ministry of Technology and Innovation, said the department is working to implement the network security recommendations.
“Alberta’s government takes security seriously and is committed to continuous improvement to ensure better user experience and provide common, secure, and streamlined access to government services,” Gauthier said.
Many of the concerns outlined in the report have already been addressed, Gauthier said. Contractor accounts are set to be automatically terminated at the end of the contract period, and as of spring 2024, employee account removal has been aligned with payroll termination processes.
“The existing access controls policy has been updated to increase the frequency of reviews of user account access; from annually to quarterly,” he said.
“Technology and Innovation is also developing a tool to track compliance to the policy and provide regular reporting. This is expected to be rolled out in the upcoming months. Further improvements to the periodic review of users’ access rights are underway and will be implemented over the coming years.”