Auditor general calls security of Alberta's computer data 'insufficient'
Last Updated: Thursday, October 2, 2008 | 12:27 PM MT
CBC News
[Photo caption: Alberta Auditor General Fred Dunn holds a copy of his latest report that he released Thursday in Edmonton. (CBC)]
Security on the Alberta government's computer networks is inadequate, and immediate action must be taken so personal information is no longer at risk, Auditor General Fred Dunn says in his latest report.
The report, released Thursday in Edmonton, calls the current systems, procedures and policies for ensuring data security "insufficient."
That conclusion was reached after three separate system audits were run on the government's web application and network security, wireless access point security and physical protection of data facilities.
Dunn said his staff was going to look at the security of 400 Alberta government websites when it started an audit in April.
They stopped when they hit 69, Dunn said Thursday, because they found problems that were so frequent and severe, they had to alert the government immediately so it could start to take action.
It appeared intruders had already gotten into the systems, Dunn said.
"We found footprints. Others have been there before us, and we don't know who and what they took … but it was available. That is what was of concern to us," he said.
Dunn said he held off reporting on the problems until now to give the government time to fix them before the information was made public.
Slams decentralized approach
The problem with data security, the report says, is the government's "decentralized approach to information technology," in which each ministry and department is responsible for its own IT policies, practices and infrastructure.
"A decentralized approach may work well for program delivery, but it poses significant challenges for security," the report says, underlining the findings of a semi-annual report in April. "The [government's] existing distributed computing environment creates inherent vulnerabilities and risks.
"Information security is only as strong as the weakest link — if one part of the organization doesn't have adequate security controls in place, it can affect other parts of the organization that have well-designed security controls."
Dunn wants the Alberta government to create a central security office to tackle the problem immediately because confidential financial and personal information about every Albertan is at risk, he said. Other provinces have already created such an office, he noted.
Dunn wasn't just concerned about the online security of data. The report also noted many instances where rooms containing equipment and data weren't secured as well as they should be.
In one case, Dunn said Thursday, the password at an access point was taped to the side of a device.
While data facilities were locked, the report said, there were examples where walls and door hinges weren't adequately designed, windows lacked proper protection, and access to rooms wasn't monitored sufficiently.
"Albertans expect government websites to be secure from potential attack," the report says.
"They expect that adequate physical controls will be in place to protect government information systems and information, and that newer technologies, like wireless networks, are properly managed, and implemented in a manner that adequately safeguards confidential information."
No evidence information at risk: minister
Heather Klimchuk, the minister of Service Alberta, which is responsible for the government's computer infrastructure, said there is no evidence Albertans' personal information was at risk, and said her staff has worked with Dunn to fix the problem, "updating, and checking and tightening security ... through all the departments."
"Because of the proactive measures of this new ministry, working with the auditor general, we have made huge strides since he began his work in January," Klimchuk said.
She downplayed the evidence Dunn found of "footprints" on the government's websites.
"Essentially someone went in there and tried to mess around with the website. They tried to upload some graffiti on a website page. That's the only access they had," she said.
"It's like a house in a garage. They may have gotten into the garage. They did not get into the house."
Klimchuk said she has the support of the premier and cabinet to hire a chief security officer to handle computer security for the entire Alberta government.
Green plan slammed
Elsewhere in the report, Dunn slams the Alberta government's plan to reduce greenhouse gases, saying that while the province has targets to reduce emissions, it still can't show how it will meet those targets.
Seventy per cent of the plan is pinned on hopes technology can be developed to capture carbon and store it underground, Dunn pointed out, while raising concerns about the remainder of the plan.
"It's described in our appendices there, from the strategy where the other 30 per cent is to come from, but that has not yet been identified or modelled, corroborated [or] evidenced in any way as to be achievable," he said.
Dunn also made recommendations for the delivery of mental health services in Alberta, calling on the Department of Health and Wellness and the newly created Alberta Health Services Board to draft provincewide standards.
He also recommended the government improve how it discloses salaries for chief executives of its agencies.







