WINNIPEG – The Province of Manitoba needs to improve some of its cyber security controls to reduce the risk of unauthorized individuals gaining privileged access to its computer systems, says Auditor General Tyson Shtykalo. This finding is contained in a new report, Information Systems — Privileged Access, released today.
“The Province of Manitoba relies on information systems to deliver a range of services, including health care, online registrations, provincial program applications, and fee payments,” Shtykalo said. Without the right controls, the Auditor General notes, there is a greater risk that cyber threat actors could gain privileged access to these systems, steal data or funds, disrupt operations, or cause system outages. “These systems contain a considerable amount of personal, health, and corporate information, making them targets for cyber threat actors,” Shtykalo said.
The audit found the Province has inadequate controls to ensure privileged access rights are assigned only to authorized users. Users with privileged access—such as system administrators—can add and remove users, modify privileges, change system configurations and security settings, and alter data tables. The report notes approvals for granting privileged access are not always properly documented and privileged access is not always promptly removed when an employee leaves.
The audit also found identification and authentication controls need strengthening. The report notes, for example, that some information systems are not configured to require quality passwords.
In addition, the audit found the Province doesn’t adequately monitor the activities of privileged users. For most of the systems tested in the audit, there were either no processes in place for logging and monitoring privileged users’ activities, or the processes needed improvements. “Monitoring privileged users’ activities is important because it supports timely detection of malicious or accidental misuse of privileged access,” Shtykalo said.
The report contains 5 recommendations to help the Province strengthen privileged access controls.
Listen to Auditor General Tyson Shtykalo discuss the audit in this short video.
To view the report, please visit https://www.oag.mb.ca/reports
ABOUT THE AUDITOR GENERAL OF MANITOBA
The Auditor General is an officer of the Legislative Assembly mandated to provide independent assurance and advice to Members of the Legislative Assembly. Through its audits, the Office of the Auditor General seeks to identify opportunities to strengthen government operations and enhance performance management and reporting. For more information visit https://www.oag.mb.ca
For more information contact:
Frank Landry, Communications Manager