Audit New Zealand is demanding Tauranga City Council take urgent action over a host of security issues with its computer network.
The audit received by the Finance and Risk Committee notes computer security issues and points to the lack of a number of management systems.
The city council's computer system management has been criticised by Audit NZ. Photo: Supplied.
Security issues include too many people having access, and no system to approve or track those who do have access.
Auditor Ben Halford also has issues with the city council's management of its own server room, saying card access is not being effectively managed.
Over 80 staff and third parties appear to have access to server room areas according to the report provided by the Property Department.
Ben recommends regular reviews of users on the network, and applications should be performed, including checking levels of access.
Council management's comment on the report acknowledges the comments and says regular reporting and review process have been discussed.
A Security Access Project is underway, says the council. Access is being reviewed by the Property Department which is responsible for security access across all council property.
Card access to the primary production server room has been restricted to essential personnel only.
There is also no formalised reporting of major incidents and security incidents.
Subsequent to the auditors' visit, council systems were affected by "Cryptowall" ransomware.
An incident report written about the ransomware doesn't explain to the auditor's satisfaction why no action was taken until 18 hours after the council systems were infected.
The Cryptowall was introduced through a USB and was immediately detected by the system, says council management.
The initial incident report was completed within an hour, but it was not actioned until the following morning because the Council doesn't have staff rostered overnight.
The council has a history of being shy about its IT investments. One of the last decisions made just days before the 2013 elections that saw seven previous councillors ousted, was to spend an unbudgeted $1.34 million on computers.
The confidential decision wasn't revealed until it appeared in financial statements in June 2014. Then in January this year it was revealed the council spent another $900,000 late 2015 on system upgrades.
21 comments
Hmmmm
Posted on 28-08-2016 10:56 | By How about this view!
Secret squirrel is maybe not so secret! spend some more money and fix it, I say!!
Small %
Posted on 28-08-2016 11:05 | By waiknot
80 staff having access this only a small percentage of council staff.
Can't be correct
Posted on 28-08-2016 12:05 | By Murray.Guy
The auditor MUST be wrong.The finding is a direct reflection on the integrity and ability of The Chairperson of the Finance and Risk Committee, none other than self proclaimed expert in all things, John Robson.The same John Robson who, within days of being on the Tauranga Council made grand statements of concern in regards the IT Systems, the incompetence and secrecy of the previous Council.
System upgrades?
Posted on 28-08-2016 12:08 | By Crash test dummies
Sounds more like he management have not done the job they are paid mega dollars to do. Result they are trying to patch it up by throwing money at it ... ratepayers money on a random, throw and hope scenario.
And The CEO was meant to be in Charge
Posted on 28-08-2016 13:45 | By tabatha
How can this system happen in such a big organisation without the CEO being aware. Accountability needed, those seeking election need to ask questions. Our so called expert on administration who is a councillor knows all about this type of thing or so he says. This is why we need people who query and come from a mixed range of styles not all from world wide businesses.
Cliff Bottom?
Posted on 28-08-2016 14:26 | By Crash test dummies
Looks to me that decisions made are not planned, just on a knee-jerking reactions when something appears to be going wrong, and by then its to late. Just throw some more money at it and hope ...
Like a fish it rots from the top
Posted on 28-08-2016 14:58 | By ROCCO
This is an indictment of the whole TCC bureaucracy culture and I would lay dollars to donuts elected members have not got a clue about the IT issues. As with most things they are on a need to know basis and the pointy heads resolve that they don't need to know.
SPEND SPEND SPEND
Posted on 28-08-2016 15:04 | By kellbell
It's gotta be bad if the bozos at Audit NZ can pick it up.Secretly the wombles spend money and it doesn't even start to address the problem.Someone's head has to roll over this load of garbage surely.
@MURRAY GUY THAT'S CHOICE
Posted on 28-08-2016 17:57 | By kellbell
Are my eyes deceiving me surely Mr. Guy you were still on TCC Council in September 2013 before you were ousted in the Elections. As a Councillor it appears you were part of the secret squirrel IT bale out decision for $1.34m at that time.You can hardly blame those who replaced you for that subterfuge.Memory loss not setting in is it ?
@Murray Guy about Robson
Posted on 28-08-2016 18:40 | By Councillorwatch
Would the same John Robson you criticise be the one who got elected, unlike yourself at the last election? I mean the last full council election not the byelection where you stood for the Mount/Papamoa ward. Which one will you try for this time, one where you actually live?
The buck stops
Posted on 28-08-2016 18:45 | By doff
Surely this a management issue. The CEO is City Manager and paid mega bucks. He has taken his eyes off the ball. The last CEO forgot all about building maintenance and look at the mess which ensued. Councillors cannot see management issues if they are kept under wraps!
Computer issues can be addressed easily
Posted on 28-08-2016 18:51 | By r|1
If they had the right policies in place and a system that scans the USB sticks before they can bring them into the office would stop most of the threats via usb and user education is the key to stop most of the threats in a network so that ransomware problem could of been stopped easily. Also having 80 staff access to a server room when only people that need access should, isn't a good practice. Some places don't take IT security seriously until its too late.
Oh NO! surely not
Posted on 28-08-2016 21:32 | By CC8
How unusual! Computer issues at TCC! I seem to recall some questions asked a couple of months ago...largely, in spite of all assurances, no answers were forthcoming then, I can't imagine anything will change now.
Re Mr Guy...
Posted on 28-08-2016 22:39 | By john robson
It's worthwhile reading report DC186. This confirms Murray's era was a period of mismanagement. But none of the problems were Murrays responsibility in his view. In fact, (he claims) he was unaware of the problems as were his colleagues As a result, the public knew nothing. Contrast the current situation. I am aware of the IT problems. My colleagues are aware. The auditor is aware. The public is aware. And the CE is under pressure to address them. As he should be. Its worth noting that the IT issues are a legacy of Murrays era. As are the building issues, the staff morale and capability issues, the Te Maunga issues, etc. For this legacy, I estimate that Mr Guy cost ratepayers more than of a million dollars. I, true to my word, have not taken a dollar. Perhaps Murray should offer the ratepayers their money back.
Computer Carelessness Will Cause Chaos
Posted on 29-08-2016 08:03 | By ROCCO
Apparently from reports I have the only issues here are software issues and the failure by TCC to acknowledge and address these in a timely manner.Throwing huge amounts of money at the wrong thing won't help. If the so called "experts" can't or won't deal with it then dispense with their services.Security issues with access to servers are appalling and should be watertight -whose USB was it anyway and what action taken on this breach????
@Murray.Guy
Posted on 29-08-2016 08:08 | By dbunk
Pure class standing for Mayor and throwing stones and mud. The city needs a leader not a finger pointer.
@John Robson
Posted on 29-08-2016 17:03 | By kellbell
Yes the issues you refer to were there in Mr Guys tenure and as far back as 2000 and beyond. You can blame that on all EMs particularly those that wielded the power and at the very top.Staff morale at lower levels is poor and capability at the upper levels questionable.Building issues have been there forever and bad attitudes and a bad culture don't help.All these things are still present today and you are joking if you think the CEO is capable of sorting or will sort them out.
Crazy world
Posted on 31-08-2016 13:07 | By Crash test dummies
Denial, claims made that don't exist, latching onto something simply because it is there, playing with the time line as suits 24/7
@JAFFA
Posted on 31-08-2016 20:09 | By kellbell
WHAT on earth are you rabbiting on about here .If you mean it is bad you have hit the nail on the head but OMG spell it out in plain English.
IT spending
Posted on 03-09-2016 11:59 | By Crash test dummies
Looks like they are lining up another massive spend of millions attempting to fix and remedy what is not a hardware issue.
Another council spend on the horizon
Posted on 16-09-2016 13:46 | By flyingtoaster
I have been in the IT industry for 17 years, and find it hard to believe that any reputable IT professional, would roll out an IT solution, with so many security issues. This leads me to believe, either, the auditors have it wrong, or the council network administrator is a muppet.
Leave a Comment
You must be logged in to make a comment.