Cyber-security at risk from inaction, watchdog says
The Alberta government is still leaving sensitive personal information potentially vulnerable to computer hackers through a lack of action, provincial auditor general Merwan Saher warned Thursday.
In 2008, the watchdog recommended the Alberta government form a centralized information security office to oversee organizations using the government’s shared computer infrastructure.
While the Corporate Information Security Office was formed under Service Alberta, Saher said in his fall report that it’s still not clear whether ministries and government entities are following the security directives it has issued.
As well, some boards and agencies that use government computing systems aren’t subject to Service Alberta security standards, while other entities have information outside the government’s computing environment.
“Four years after we first identified the need for centralized oversight of information security, the government is still exposed to the risks that come from its decentralized approach,” Saher said in an interview.
“The consequence is that government information, personal information, is at heightened risk of unauthorized risk or exposure.”
The report comes a week after federal auditor general Michael Ferguson reported that Ottawa is vulnerable to cyber-attack because of holes in its information technology security.
In Edmonton, Saher said Service Alberta has reported it was unable to follow all of the auditor’s original recommendations around enhancing computer security.
The was because it lacked the authority over some government agencies.
The newly released report recommends to the premier’s office that it “assess the risk to public information assets across government and to determine how best to ensure risks are properly mitigated.”
Premier Alison Redford’s office referred questions back to Service Alberta.
Ministry spokesman Gerald Kastendeick said the PC government fully accepts the auditor’s latest recommendation.
A deputy minister’s group has already been formed to implement a common, complete security system that cuts across departments, he said.
“The government’s going to work to make sure that it happens,” he added.
NDP Leader Brian Mason said the Redford government has no excuse for not having acted sooner and has jeopardized Albertans’ personal information.
“They have not taken the necessary steps,” he said.
The auditor’s office tested government web applications as a possible entry point for hackers, finding fewer vulnerabilities than in 2008, but inconsistent processes to ensure security.
The report also found 14 school divisions need to improve computer security processes.
This can be done by implementing new password procedures, backing up data at an off-site location and creating a disaster recovery plan.