Public Sector's IT Systems Weaknesses As Flagged by AGO (PQ Reply by Senior Minister Teo Chee Hean)
Managing user access and controls and using AI (Artificial Intelligence) and analytics to monitor and flag irregularities and derive insights
Fourteenth Parliament of Singapore – First Session for the Sitting on 14 September 2021
Question
Ms Jessica Tan Soon Neo asked the Prime Minister with regard to the observations of weaknesses in IT controls highlighted in the Report of the Auditor-General for the Financial Year 2020/2021 (a) to what extent has technology been used in public sector entities to administer and manage user access and controls; and (b) how is artificial intelligence and analytics used to monitor and flag irregularities and to derive insights.
Answer
Written answer by Mr Teo Chee Hean, Senior Minister and Coordinating Minister for National Security
The Report of the Auditor-General for FY 2020/21 highlighted observations of weaknesses in IT controls, including the management of account and user access rights.
The root cause of these observations is human error. To help address this, the Government has progressively introduced tools to automate processes in IT controls. For account management, since November 2020, 33 agencies have implemented a tool that automatically notifies system managers of employee movements, so that they can be prompted to close the relevant user accounts. This is an interim measure. SNDGG will be implementing a technical solution that also automates the removal of accounts. Agencies will onboard onto this technical system, known as the Central Accounts Management (CAM) system, from January 2022 onwards, with all applicable systems onboarded by end-December 2023.
Similarly, we are automating the log management processes. The log of privileged users’ activities can accumulate to over 100,000 records within weeks. SNDGG is implementing the Automated Baseline Log Review (ABLR) system across Government. ABLR uses analytics to sieve out a much smaller set of potentially irregular events, allowing reviewing officers to focus their efforts. As of 1 August 2021, over 600 systems have already been onboarded onto this system. All high-priority systems will be onboarded by December 2022, with the remaining systems a year later.
We will continuously improve our IT control tools, to make better use of automation, analytics and AI. That said, not all processes can be fully automated. The use of automated tools will enable agencies to dedicate more bandwidth and management attention to processes that require human intervention. The Government has also stepped up training for officers in ICT roles to equip them with the requisite competencies to perform their duties well, such as determining the appropriate level of rights needed for vendors and officers in different job roles.