South Africa's municipalities are vulnerable to data leaks or hack attacks because more than two-thirds of the 319 entities recently audited by the auditor-general (AG) lack both user access and security controls.
The AG's latest report, which was released this week and covers the 2012-13 financial year, finds controls have had to be implemented at 97% of municipalities when it comes to IT governance; 68% had yet to develop security management controls; 62% had not developed IT service continuity controls; and 68% had no user access management controls.
In the report, the AG explains controls are needed to "ensure the confidentiality, integrity and availability of state information, enable service delivery and promote national security". However, among the municipalities that have findings relating to audit controls, "little improvement has been made since the previous year".
Untenable
IDC analyst Mark Walker notes municipalities have holes in their IT systems, especially when it comes to user access and security. He notes the lack of controls leaves government vulnerable, and municipalities' IT systems are "wide open".
The AG notes IT security parameters were not effectively configured to prevent unauthorised access because of the "lack of adequately designed and implemented security policies and procedures".
It also notes users are granted access to systems without management approval, and user access rights are not always reviewed. Other issues include most municipalities having challenges designing and implementing "appropriate" business continuity plans and disaster recovery plans, and some municipalities neither testing backups nor storing them at secure offsite facilities.
This, says Walker, is an "absolutely untenable" situation. He notes the AG's report highlights the biggest issues as a lack of budget and the skills required to implement the necessary controls.
No accountability
However, there are several initiatives under way to resolve the situation, including a working group set up by the Cooperative Governance and Traditional Affairs Department - which will address root causes - as well as a draft IT best practice manual being developed.
The AG recommends budgets be reallocated to upskill IT staff so key controls can be implemented, consequences levied for repeat root causes, and audit units should play a more effective role in monitoring progress.
Cabinet has approved a corporate governance of ICT policy framework, but this has yet to be implemented, the report notes. The framework is set to be installed over the next three years, but the AG recommends the first aspect be prioritised this year. It adds a task team has been set up to aid implementation.
Walker says municipalities cannot continue to have bad audits, and there is a general lack of accountability and co-ordination within government to resolve the situation, which goes back to the vacant CIO post. The post - a year overdue in being filled permanently - has seemingly been held by Walter Mudau on an acting basis, since Michelle Williams resigned in April 2011.
The lack of a central leader, skills, funds and collaboration sets up municipalities for failure "from the word go", and affects the quality of data and the ability to track and report on financial aspects, says Walker. Overall, the report notes 9% of the entities scrutinised obtained clean audits, compared to 5% a year ago, but a "significant breakdown in controls" led to irregular expenditure of R11.6 billion.
Share