Most public sector agencies are reliant on information technology (IT) systems for operational functions and many for their service delivery. It is important to ensure that the information maintained on these systems is accurate and complete. It is also critical that this information is easily accessible for legitimate purposes and at the same time protected from misuse.
It should be noted that not all IT security risks arise from corrupt conduct and this information is not intended as a complete guide to these risks.
The improper use of a public sector agency's IT systems can constitute corrupt conduct as defined by the Independent Commission Against Corruption Act 1988.
A risk assessment of the management of resources in a public sector agency may identify some or all of the following corruption risks:
- An employee falsifying electronic records to obtain financial benefit (eg. inappropriate overtime or reimbursement payments).
- An employee electronically creating fraudulent documentation and providing it to a member of the public (eg. licenses, educational documents).
- An employee altering or deleting electronic data to prevent evidence of other wrongdoing from being detected or to aid a third party.
- An employee taking advantage of temporarily inoperative (or partially operative) IT systems to act in a corrupt way (eg. exceeding delegation when electronic controls are temporarily not functioning).
- An employee placing malware (eg. viruses, spyware) on an agency's IT systems in an attempt to damage them.
- An employee providing log-in details to a member of the public, who uses them to remotely access the agency's IT systems.
- An employee using another employee's computer and/or log-in to act in a corrupt way.
- A member of the public obtaining mobile computing/removable storage devices (eg. laptops, memory sticks) containing agency data (eg. intentionally provided by an employee).
- An IT contractor providing information about the agency's IT systems to a third party who uses this information to launch a successful attack on these systems.
- A contractor copying electronic data and providing it to third parties for their benefit.
- An IT contractor building a 'back door' into IT systems that allows inappropriate secret access to alter or delete electronic data.
- An IT contractor damaging IT systems to prolong their employment (eg. to get system recovery work).
- An employee or consultant developing an IT proposal that creates deliberate system vulnerabilities.
Managing corruption risks
As a minimum your agency should:
- Introduce policy and procedures on information security.
- Include in the policy sanctions for any breach of the policy and procedures.
- Review the policy every two years.
- Refer to information security in all relevant corporate documents such as codes of conduct.
- Train all relevant employees in the policy and procedures to ensure they are aware of their accountabilities.
- Include information security as a risk to be assessed in the agency's internal audit and corruption risk management processes.
- Establish an electronic audit trail recording details of attempts to create, access, print, copy, alter and/or delete electronic documents, and regularly audit this trail.
Risk management strategies
Following your risk assessment of information security, you should consider these risk management strategies:
- Ensuring outdated electronic records, including emails, are stored in formats, and on media, that are accessible to modern IT systems.
- Ensuring employees are made aware of their electronic recordkeeping requirements, including those pertaining to emails of business value.
- Implementing an electronic records system (eg. TRIM).
- Including secrecy provisions in IT-related contracts.
- Including secrecy provisions in written agreements when IT services are shared with, or used by, another organisation.
- Incorporating IT provisions into any disaster recovery/business continuity plan.
- Requiring password access to IT systems which is changed on a regular basis.
- Limiting access to IT systems to current employees with a legitimate need to access the relevant information or service.
- Granting the right to alter or delete electronic data only where there is an operational need for it.
- Implementing programs to protect databases against irregular activity.
- Regularly testing firewalls and other security systems.
Case study 1: Poor access controls
A 2006 ICAC investigation examined the actions of a local court registry section manager responsible for managing the workflow of five courts. This involved administrative tasks such as recording the results of listed matters, dealing with requests from members of the public and processing payments.
As such, the employee was entitled to access internal databases relating to court proceedings. However, he improperly accessed confidential information from court databases on several occasions, sometimes providing this information to members of the public. Findings of corrupt conduct were made against the employee in relation to this unauthorised access and he was suspended without pay by the relevant department pending prosecution.
The ICAC identified several areas of weaknesses in terms of how electronic data was managed and provided recommendations relating to the:
Case study 2: Theft of password
A public sector project officer used a USB device to log the keystrokes of another employee, obtaining her password. He then waited until she was not at work and logged in to her account from his work computer.
He accessed both her personal files and emails, which he sent to either his internal or external email address. In addition, he used internal databases to search for her home address. As a result of an internal investigation, the officer resigned.
Frequently asked questions
Why is IT security considered a corruption issue? Isn't IT security just about preventing external attacks?
Each year, the ICAC receives multiple allegations of employees tampering with electronic agency resources both to commit corrupt acts and to prevent the discovery of other corrupt acts.
The number of such allegations has recently been increasing and several published ICAC investigation reports have identified IT system weaknesses as key corruption risk factors for the relevant agencies.
It is important to remember that the users of IT systems are critical to their integrity. Many ICAC inquiries have exposed corruption opportunities as simple as password sharing and computers left on.
How can the risk of internal misconduct be managed given that agency employees have legitimate reasons to access agency databases?
Employees need to have access to agency databases but it is important to ensure that, broadly speaking, they only have access to information needed to perform their duties.
An audit trail should also be monitored to review access and any modifications to the information in these databases.
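The audit-trail review described in this answer, in the "Managing corruption risks" list and in the two case studies can be automated. The following is an added illustration written for this page, not code from the ICAC or any agency. It assumes a constructed staff directory (who is a current employee, which record groups their duties require, whether they may alter or delete records, their issued workstation and recorded leave days) and a constructed pipe-delimited audit trail; real records systems will log different fields, so the parser is the part to adapt. It flags four of the patterns the fact sheet names: use of an account that is no longer current, access to records outside the user's role, alteration or deletion by a user without that right, and logins from an unexpected workstation or on a day the account owner was recorded absent, which is how the theft of a password in case study 2 would surface.

```python
from datetime import datetime

# Constructed staff directory (assumption for this example): which accounts
# are current, which record groups each role legitimately needs, whether the
# role may alter or delete records, the issued workstation and recorded leave.
DIRECTORY = {
    "jsmith": {"current": True, "groups": {"courtA", "courtB"}, "can_modify": True,
               "workstation": "WS-101", "leave": {"2009-03-10"}},
    "mlee": {"current": True, "groups": {"courtA"}, "can_modify": False,
             "workstation": "WS-102", "leave": set()},
    "pgone": {"current": False, "groups": set(), "can_modify": False,
              "workstation": "WS-103", "leave": set()},
}

# Constructed audit-trail lines: timestamp|user|workstation|action|record|group
SAMPLE_TRAIL = """\
2009-03-09T09:12:00|jsmith|WS-101|read|CASE-0012|courtA
2009-03-09T09:30:00|mlee|WS-102|read|CASE-0012|courtA
2009-03-09T10:02:00|mlee|WS-102|read|CASE-0044|courtC
2009-03-10T11:15:00|jsmith|WS-102|read|CASE-0013|courtB
2009-03-11T14:40:00|pgone|WS-103|read|CASE-0020|courtA
2009-03-11T15:05:00|mlee|WS-102|delete|CASE-0012|courtA
2009-03-12T08:00:00|jsmith|WS-101|alter|CASE-0012|courtA
"""


def parse_trail(text):
    """Turn the pipe-delimited trail into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ws, action, record, group = line.split("|")
        events.append({"time": datetime.fromisoformat(ts), "user": user,
                       "ws": ws, "action": action, "record": record,
                       "group": group})
    return events


def review_trail(events, directory):
    """Return (rule, user, record) findings for events needing follow-up."""
    findings = []
    for e in events:
        entry = directory.get(e["user"])
        # Accounts of departed staff (or unknown accounts) should not be in use at all.
        if entry is None or not entry["current"]:
            findings.append(("inactive-account", e["user"], e["record"]))
            continue
        # Need-to-know: access outside the record groups the role requires.
        if e["group"] not in entry["groups"]:
            findings.append(("outside-role", e["user"], e["record"]))
        # Alter/delete rights should be limited to operational necessity.
        if e["action"] in ("alter", "delete") and not entry["can_modify"]:
            findings.append(("unauthorised-modification", e["user"], e["record"]))
        # A login from someone else's workstation, or while the owner is on
        # leave, is the signature of a shared or stolen password.
        day = e["time"].date().isoformat()
        if e["ws"] != entry["workstation"] or day in entry["leave"]:
            findings.append(("possible-credential-sharing", e["user"], e["record"]))
    return findings


if __name__ == "__main__":
    for finding in review_trail(parse_trail(SAMPLE_TRAIL), DIRECTORY):
        print("%-28s user=%-8s record=%s" % finding)
```

On the constructed trail this reports four events: one read of a court C record by a user whose duties cover court A only, one login on the owner's leave day from another employee's workstation, one read by a departed account, and one deletion by a user without modification rights. Each is a lead for the internal audit process, not proof of misconduct, so the output is a worklist to be reviewed rather than an automatic sanction.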
What specific steps can be taken when agency employees have to access IT systems from external locations (eg. when travelling or working from home)?
- AS/NZS ISO/IEC 27001:2005 Information technology - Security techniques - Information security management systems - Requirements (ISO 27001), Standards Australia, 2005
- Information Security Guidelines for NSW Government Agencies V1.1, NSW Department of Commerce Government Chief Information Office, February 2007
- Managing Digital Records, NSW Department of Commerce State Records Authority, January 2009
- Security of Electronic Information, Premier's Circular M2007-04, NSW Department of Premier and Cabinet, Sydney 2007.
Relevant ICAC investigation reports
- Department of Housing - allegations of corrupt conduct in allocation of public housing (Operation Greenway) (January 2008)
- Attorney General's Department - corrupt offers of assistance to defendants by an officer of the Local Court Registry, Penrith (Operation Hunter) (February 2006)
NSW Department of Premier and Cabinet www.dpc.nsw.gov.au
NSW Government Chief Information Office www.gcio.nsw.gov.au
NSW Department of Commerce State Records Authority www.records.nsw.gov.au