Report highlights risks with software used to operate freedom of information website
Auditors say processes created risks of privacy violations, lack of regular assessments
An assessment of the software that was used to operate the province's troubled freedom of information website notes high risks.
Those risks are related to the perpetual retention of original documents and personal information, and to the lack of regular assessments and audits.
The province's Internal Services Department commissioned the work by KPMG last October. The final report, which CBC News received through a freedom of information request, was delivered to the department in June.
The report looks at AMANDA 7, which was used to operate the website where people could file freedom of information requests online, receive their documents and see previously completed requests.
Sandra Cascadden, the province's chief information officer, said Tuesday the report was ordered as a risk and threat assessment of the freedom of information portal, and because the government was planning to move other systems from AMANDA 6 to AMANDA 7 and wanted to know about any potential issues.
That migration work was put on hold in April, however, after the discovery that someone was able to download more than 7,000 documents, including several hundred containing personal information that should have been redacted, from the freedom of information website simply by changing the web address.
The website has been offline since then, as the government attempts to correct weak spots.
The KPMG report points to the high level of risk related to original documents being retained perpetually on the freedom of information website, raising concerns about potential privacy violations. It says something similar about the verification information people must submit with a request.
It also notes the high risk related to the "absence of regular third party assessments and/or audits for data centres, application management support and/or program management activities."
It says redacted information retained "could accidentally be published and/or accessed by an unauthorized user" and suggests documents be retained for just five years, in keeping with the Freedom of Information and Protection of Privacy Act.
Despite the findings, Cascadden said at no point was the specific flaw that led to the security failure in March identified by auditors.
"The report talks about the things that we need to protect when we think about going to AMANDA 7," she said.
"If any auditor knows of a vulnerability and they really feel strongly about it, they do not hesitate in contacting us."
KPMG also found Unisys wasn't performing "any regular assessments and/or audits" related to its work on AMANDA for the province. Any control assessments that were performed were deemed inadequate.
Adopting a 'zero-trust model'
It's possible the long-standing relationship between the province and Unisys led to less scrutiny than was required for things to work as they should, said Cascadden. That has changed.
"We are adopting what's now called a zero-trust model," said Cascadden. It essentially means nothing will be assumed and everything anyone does will be verified to make certain it's operating as intended, she said.
Cascadden expects that process to be further aided by audit work being conducted by the province's auditor general and privacy commissioner.
Meanwhile, the public portion of the web portal remains offline.
Initially, Internal Services Minister Patricia Arab estimated it would take a few weeks to get things back up and running. Cascadden said Tuesday that was when it was assumed there was only one flaw with the website.
Other vulnerabilities discovered
Since then, she said, other problems have been detected and, as changes are made, code needs to be rewritten and multiple security assessments are performed.
"The process that we're going through is extremely rigorous on this because we know as soon as we stand any of this back up, kind of the whole world is going to be testing it."
Cascadden said a website is in the works that will list all disclosed requests. People will then be able to request the documents via email. That should be ready by the end of the month, she said. She hopes the portion that allows people to make requests online will be ready by late October or early November.