The Office of the Auditor General presented three reports to the Legislative Assembly on May 19, 2020, which review three critical information management solutions in use across the public service of the Government of Montserrat.
The OAG conducted a Post-Implementation Benefits Study of the Alexandria Library Management Software used by the Montserrat Public Library, an Information Security Audit on the Montserrat Ferry Online Booking Application, and an Information Security Audit on the Overseas Territories Regional Criminal Intelligence Systems (OTRCIS) managed by the Royal Montserrat Police Service (RMPS).
In the first report, the Auditor General assessed whether the benefits identified for investing in the Alexandria Library Management Software were achieved and determined whether the Montserrat Public Library (MPL) has any plans for future enhancement of the Alexandria Library Management Software.
Key Findings and Recommendations coming out of the study were:
- The MPL will shortly be utilising Cloud technology; however, the organisation is governed by the Central Library Act, which does not make provisions for future Information Technology initiatives that the MPL intends to implement; specifically jurisdictional issues.
- In the audit report, the Office of the Auditor General strongly recommended that the Government of Montserrat should establish and enact an Information Communications Technology Bill and Regulations to address the new ways of doing business using technology and any other data security issues that could potentially arise with the Cloud hosting option and intended future initiatives.
In the security audit on the online ferry booking system, the report assessed whether there were, and are, appropriate policies and procedures and effective controls in existence, to ensure the security of the Montserrat Ferry Online Booking software and sensitive and personal information entered and stored in it. The audit focused on areas such as Outsourcing, IT Operations, Application and Information Security controls, and Business Continuity.
Key Findings were:
- There are adequate input and output validation controls in place that ensure the data being input or output are accurate, reliable, and complete when accepted by the Montserrat Ferry Booking application, in a timely manner. The application’s information is also properly protected and secured and there have not been any reports of security-related incidents or breaches since its initial debut in 2016.
- The Office of the Premier’s Access Division does not have a Service Level Agreement or contract that defines what functions are to be outsourced, what must remain in-house, or the ownership of the application and the stored data. This is a very high-risk issue should the software vendor fail to maintain the software, go out of business, or fold, as the GoM does not retain business knowledge or ownership of the ferry online booking application and data.
The report recommends strongly that:
- The GoM should develop a clear outsourcing policy that documents the IT functions that can be outsourced and what remains in-house. All of the roles and responsibilities between GoM and future vendors and contractors should be identified and defined. This includes a Service Level Agreement that defines the services the contractor will be expected to accomplish, and the technical parameters for those services, i.e., items critical to the GoM.
- The Access Division should assess the feasibility of purchasing the software and maintaining it in-house. Should this option not be accepted by the supplier, then they should request that the software be lodged in an escrow agreement where the source code is stored with an independent third party.
The final report tabled assessed whether the OTRCIS software used by the RMPS and the related computer and communication systems are properly secured against unauthorised access and modification of information whether in storage, processing, or transit, and against denial of service to authorised users.
Key Findings and Recommendations were:
- OTRCIS software is very robust and secure with very stringent policies, procedures, and controls in place that ensure the safeguarding of OTRCIS-related computer equipment, and of the data that is inserted in the forms, stored on the server, and transmitted across the network, against unauthorised access and modification.
- However, they found that there were a number of non-operational systems at Police Headquarters and recommended that the RMPS renew their efforts to procure systems to ensure the full security of the building.
- Inspections revealed missing or no electrical fire extinguishers in some areas. It noted the existence of an emergency system comprising fire alarms, smoke detectors, and temporary lock-up cell buzzers, installed at the Headquarters, that was disconnected years ago by the vendors after it malfunctioned.
- Efforts should be made to replace and reinstate this equipment and these systems to ensure the safety and security of personnel and GoM’s assets.
Read the complete audit reports below
Information Security Audit – RMPS OTRCIS – Final Report February 2020