Many British Columbia government organizations lack a strong enough line of defence against hacking, system threats and disruption, according to the province’s auditor general.
Carol Bellringer released a new report Tuesday examining general computing controls, or the policies and practices that protect government information technology systems from threats.
“We can’t stress enough the importance of these controls,” she told reporters.
“Without strong general computing controls, government risks loss of public trust in its ability to safeguard our most sensitive data and ensuring critical services are always up and running.”
General computing controls include restraints on who can access systems, how changes to systems are made, and how systems are backed up and recovered.
Bellringer asked all 148 government organizations, including ministries, health authorities and colleges, to rate their general computing controls and audited 13 of those self-assessments.
Many organizations assessed themselves at a higher level than in a previous report in 2013. But of the 13 organizations she audited, 69 per cent over-rated their level of achievement.
“They didn’t have sufficient evidence to support their self-assessments. Many of them didn’t have documented policies and procedures, which are the foundation of strong general computing controls,” she said.
Bellringer recommended that organizations review their business and IT goals, set a target for how strong controls must be, analyze the controls necessary, then determine what needs to be done to meet the target and monitor their progress.
The report comes amid renewed scrutiny of the province’s implementation of IT systems.
The Opposition NDP said last week that BC Hydro intentionally misled a regulatory agency about its spending of hundreds of millions of dollars on information technology.
Earlier this year, Bellringer released a blistering report on the $182-million Integrated Case Management system used by the Children’s Ministry. She found in March that it was just one-third complete, was prone to crashes and failed to adequately protect sensitive personal information.
Over the past decade, 78 per cent of recommendations from IT audits conducted by the auditor general have been about improving general computing controls, Bellringer said.
She said there is a rigorous process to monitor how recommendations are implemented, but the report did not say how many had been adopted.
While her report didn’t examine specific instances of hacking or lost information, Bellringer said poor controls automatically mean systems are exposed to these types of threats.
“If you don’t lock the front door of your house, don’t be surprised that someone tries to open the door and they can get in.”
The report included a response from the Office of the Chief Information Officer, a branch of the Ministry of Technology, Innovation and Citizens’ Services.
Bette-Jo Hughes said she accepts a recommendation pertaining to her role in promoting strong controls and assisting organizations with implementing them.
She said the office has completed an annual information security review and created a vulnerability and risk management team to respond to relevant incidents, among other initiatives.
In the coming months, it plans to implement critical security infrastructure and continue its efforts to ensure compliance with government standards and policies, she said.