Information communication technology systems
Most public sector agencies are reliant on information communication technology (ICT) systems for operational functions or to deliver services. For these reasons, data in ICT systems needs to have integrity; that is, it needs to be accurate, complete, and impossible to change without good reason and authority. Electronic data typically also needs to be easily accessible for legitimate purposes, but at the same time protected from misuse, such as dissemination for corrupt purposes.
ICT security involves more than just preventing external attacks, such as from hackers. The ICAC has investigated public officials who have tampered with ICT systems both to commit corrupt acts and to cover up corruption. Some ICAC public inquiries have exposed practices, such as password sharing and computers left unlocked, that have facilitated corruption.
This advice focuses on corruption risks in ICT systems only. Other security risks for ICT systems, unrelated to corrupt conduct, are not discussed here.
Use of prior ICT delegations
A public authority reported to the ICAC that, over a four-year period, an employee’s account was repeatedly used to improperly access numerous, secure recruitment files. The specific documents accessed included talent pool listings, recruitment panel questions and information about
During this period, the employee in question received a promotion, and an internal investigation concluded that it was highly likely that he had accessed, and possibly amended, files relating to his own promotion.
The employee was able to access these documents because he had previously been seconded to the recruitment business unit. During his secondment, he was given access to the shared computer drive of the human resources unit but this access had not been turned off once the secondment had been completed.
Source: Complaint to the ICAC.
Common corruption risks around ICT systems include:
- a public official falsifying electronic records to obtain financial benefit (for example, records for overtime or reimbursement for expenses)
- a public official using ICT systems to create fraudulent documentation and providing it to a member of the public (for example, licences or education diplomas)
- a public official altering or deleting electronic data to prevent evidence of other wrongdoing from being detected (that is, a cover up) or to aid a third party
- a public official placing malware, such as viruses or spyware, on an agency's ICT systems
- a public official placing unauthorised programs on an agency’s ICT platform to harness its processing power to conduct personal activities such as crypto-mining
- a public official providing login details to an unauthorised person, who uses them to remotely access the agency’s ICT systems
- a public official using another person’s computer, and/or username and password, for improper purposes
- a contractor copying electronic data and providing it to unauthorised third parties
- a contractor building a “back door” into ICT systems that allows unauthorised access to alter or delete electronic data
- a contractor deliberately damaging ICT systems to prolong their employment, such as to obtain “system recovery” work.
ICT system users are critical to the integrity of these ICT systems. Systems should allow the creation and monitoring of an audit trail to review access and any modifications to data.
Misuse of supplier access to ICT systems
The ICAC investigated the actions of an employee of a property valuation firm. This firm had been contracted to perform land valuations on behalf of a NSW public authority, and its staff consequently received free access to the NSW land titles database.
Neither the firm nor the public authority managed this access well. As a result, while working for the supplier, the employee used the database to conduct searches of the property holdings of notable individuals and personal associates. Passwords were shared around the firm’s office and the employee’s access was not turned off when she left the firm’s
Things came to a head when the employee commenced working for a new property valuation firm. Managers in this firm quickly realised that the employee had free access to property plans. These managers ordered that this access be used to systematically download NSW strata plans. This resulted in their ultimately obtaining approximately 74,000 plans for free, something which corruptly saved them an
Source: Investigation into the misuse of access rights to a Land and Property Management Authority database, November 2011.
Developing a strategy
ICT systems are a high-risk area for corruption, and for this reason should be included in internal audit and risk assessment programs. A written policy, with accompanying procedures and guidelines, for each ICT system will help ensure consistency and compliance with the system, but only if staff understand the policy, are able to comply and are motivated to comply. For this reason, a strategy to prevent corruption in ICT systems should extend beyond a policy to additional complementary measures.
Consider the following measures:
- ensure outdated electronic records, including emails, are stored in formats (and on media) that are accessible to modern ICT systems
- ensure staff understand electronic recordkeeping requirements, including the retaining of emails of business value
- implement an electronic records system
- ensure the system is able to generate an electronic audit trail that includes all attempts to create, access, print, copy, alter and/or delete electronic documents, and audit this trail
- include provisions around confidential information in ICT-related contracts
- direct that unique username and password access for ICT systems be required (passwords should also automatically require changing on a regular basis)
- limit access to ICT systems to current staff members with a legitimate need to access the relevant information or service (if a staff member does not require access to a certain ICT system for their job, they should not have it)
- ensure that user rights to alter or delete electronic data are allocated according to operational necessity
- implement controls to protect databases against irregular activity, such as automatic alerts or automatic blocking of users who attempt irregular activity
- regularly test firewalls and other security systems.
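An added example, not part of the ICAC advice: one way to review an audit trail for the two failures in the case studies above, access that outlived a secondment and bulk copying through a supplier account. All account names, dates, record layouts and the threshold are constructed assumptions.

```python
from collections import Counter
from datetime import date, datetime

# Constructed sample data; names, dates and layouts are assumptions for illustration.
GRANTS = [  # (user, resource, date the assignment justifying access ended, or None)
    ("asmith", "hr-share", date(2015, 6, 30)),   # secondment finished, access never removed
    ("bjones", "hr-share", None),                # current HR staff member
    ("cvaluer", "titles-db", None),              # supplier account
]
AUDIT_TRAIL = [  # (timestamp, user, action, resource)
    ("2016-02-01T09:14:00", "asmith", "access", "hr-share"),
    ("2016-02-01T09:20:00", "bjones", "alter", "hr-share"),
    ("2016-02-01T10:00:00", "dtemp", "access", "hr-share"),
] + [("2016-02-02T11:%02d:00" % m, "cvaluer", "copy", "titles-db") for m in range(40)]

BULK_COPY_LIMIT = 25  # assumed per-user, per-resource, per-day limit on copy/print events


def review(trail, grants, bulk_limit=BULK_COPY_LIMIT):
    """Return sorted (finding, user, resource, day) tuples that warrant follow-up."""
    ends = {(user, resource): end for user, resource, end in grants}
    findings, volume = set(), Counter()
    for ts, user, action, resource in trail:
        day = datetime.fromisoformat(ts).date()
        if (user, resource) not in ends:
            # Activity by an account with no recorded entitlement to the resource.
            findings.add(("no-grant", user, resource, day))
        elif ends[(user, resource)] is not None and day > ends[(user, resource)]:
            # Activity after the secondment or contract behind the grant ended.
            findings.add(("stale-access", user, resource, day))
        if action in ("copy", "print"):
            volume[(user, resource, day)] += 1
    for (user, resource, day), count in volume.items():
        if count > bulk_limit:
            findings.add(("bulk-copy", user, resource, day))
    return sorted(findings)


if __name__ == "__main__":
    for finding in review(AUDIT_TRAIL, GRANTS):
        print(*finding)
```

Run on a schedule against the real audit trail and the HR or contract register, the same checks give the automatic alerts described in the list above; the findings are leads for review, not proof of misconduct.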
Specific control measures need to be taken when public officials are required to access ICT systems from external locations, a common occurrence when travelling or working from home. Agencies should:
- inform employees that their devices are vulnerable to theft or being misplaced, and remind them that the policies covering ICT systems apply when they are away from the office
- encourage employees to log out after externally checking email or accessing internal ICT systems
- consider the use of encryption and/or multi-factor authentication
- systematically review and audit remote accesses to their ICT systems.
The ICAC report, Investigation into the misuse of access rights to a land and property management authority database (November 2011), deals with unauthorised access to a government database. Managing IT contractors, improving IT outcomes (August 2013) contains advice on preventing corruption around ICT systems.
Additional advice on corruption prevention and ICT systems is available from Standards Australia’s ISO/IEC 27001:2013 Information Technology - Security Techniques – Information security management systems, and the NSW Government’s Digital Information Security Policy (2015). The website of NSW State Archives and Records contains information about the frameworks, principles and objectives underpinning the NSW Government’s approach to records management.
Reviewed November 2018