DPSA addresses IT security
The Department of Public Service and Administration (DPSA) has put measures in place to prevent the commission of fraud and corruption in its IT environment.
The auditor-general's report, contained in the DPSA Annual Report of 2011/12, says the department has “not implemented appropriate risk management activities in the information technology environment to ensure that regular risk assessments, including consideration of risks and fraud prevention, are conducted and that a risk strategy to address the risks is developed and monitored”.
Responding to a question in the National Assembly regarding the action being taken by the department to tackle this issue, minister Lindiwe Sisulu said measures taken include the implementation and tightening of access controls in the server room.
“Over and above the biometrics and video surveillance, there is an access register for accessing the server room.”
She added that a draft IT governance framework, which includes risk management that is specific to the DPSA, has been developed.
“The department is also currently finalising the government-wide IT governance [framework] which, once adopted, will be implemented by all departments.”
The department has developed an IT risk register as part of the enterprise risk management framework.
It also routinely conducts risk assessments on the IT environment with the assistance of an internal risk management unit. Sisulu added that an IT risk management framework draft is being developed to address IT risk across the department.
The DPSA last month said it is developing a strategy to deal with information security in the public sector.
Sisulu explained that the department is working on a three-pronged strategy to deal with information security, which is synonymous with cyber security, in the public service.
The first element sees the DPSA working with the State Security Agency, the Special Investigations Unit and the State IT Agency to jointly develop a common vulnerability assessment methodology for the public service.
Secondly, the department has identified the need for a common policy on information security across the public service. It is currently developing the Public Service Information Security Policy, aimed at ensuring the protection of government, business and citizen information in its custody or safekeeping, by safeguarding its confidentiality, integrity and availability.
It is envisaged that this policy will be presented to Cabinet for approval within the first quarter of the 2012/13 financial year.
The final prong in the strategy is that the policy will be complemented by an information security standards framework.