Council computer criticisms

Audit New Zealand is demanding Tauranga City Council take urgent action over a host of security issues with its computer network.

The audit received by the Finance and Risk Committee notes computer security issues and points to the lack of a number of management systems.


The city council's computer system management has been criticised by Audit NZ. Photo: Supplied.

Security issues include too many people having access, and no system to approve or track those who do have access.

Auditor Ben Halford also has issues with the city council's management of its own server room, saying card access is not being effectively managed.

Over 80 staff and third parties appear to have access to server room areas according to the report provided by the Property Department.

Ben recommends regular reviews of users on the network, and applications should be performed, including checking levels of access.

Council management's comment on the report acknowledges the comments and says regular reporting and review process have been discussed.

A Security Access Project is underway, says the council. Access is being reviewed by the Property Department which is responsible for security access across all council property.

Card access to the primary production server room has been restricted to essential personnel only.

There is also no formalised reporting of major incidents and security incidents.

Subsequent to the auditors' visit, council systems were affected by "Cryptowall" ransomware.

An incident report written about the ransomware doesn't explain to the auditor's satisfaction why no action was taken until 18 hours after the council systems were infected.

The Cryptowall was introduced through a USB and was immediately detected by the system, says council management.

The initial incident report was completed within an hour, but it was not actioned until the following morning because the Council doesn't have staff rostered overnight.

The council has a history of being shy about its IT investments. One of the last decisions made just days before the 2013 elections that saw seven previous councillors ousted, was to spend an unbudgeted $1.34 million on computers.

The confidential decision wasn't revealed until it appeared in financial statements in June 2014. Then in January this year it was revealed the council spent another $900,000 late 2015 on system upgrades.

You may also like....

21 comments

Hmmmm

Posted on 28-08-2016 10:56 | By How about this view!

Secret squirrel is maybe not so secret! spend some more money and fix it, I say!!


Small %

Posted on 28-08-2016 11:05 | By waiknot

80 staff having access this only a small percentage of council staff.


Can't be correct

Posted on 28-08-2016 12:05 | By Murray.Guy

The auditor MUST be wrong.The finding is a direct reflection on the integrity and ability of The Chairperson of the Finance and Risk Committee, none other than self proclaimed expert in all things, John Robson.The same John Robson who, within days of being on the Tauranga Council made grand statements of concern in regards the IT Systems, the incompetence and secrecy of the previous Council.


System upgrades?

Posted on 28-08-2016 12:08 | By Crash test dummies

Sounds more like he management have not done the job they are paid mega dollars to do. Result they are trying to patch it up by throwing money at it ... ratepayers money on a random, throw and hope scenario.


And The CEO was meant to be in Charge

Posted on 28-08-2016 13:45 | By tabatha

How can this system happen in such a big organisation without the CEO being aware. Accountability needed, those seeking election need to ask questions. Our so called expert on administration who is a councillor knows all about this type of thing or so he says. This is why we need people who query and come from a mixed range of styles not all from world wide businesses.


Cliff Bottom?

Posted on 28-08-2016 14:26 | By Crash test dummies

Looks to me that decisions made are not planned, just on a knee-jerking reactions when something appears to be going wrong, and by then its to late. Just throw some more money at it and hope ...


Like a fish it rots from the top

Posted on 28-08-2016 14:58 | By ROCCO

This is an indictment of the whole TCC bureaucracy culture and I would lay dollars to donuts elected members have not got a clue about the IT issues. As with most things they are on a need to know basis and the pointy heads resolve that they don't need to know.


SPEND SPEND SPEND

Posted on 28-08-2016 15:04 | By kellbell

It's gotta be bad if the bozos at Audit NZ can pick it up.Secretly the wombles spend money and it doesn't even start to address the problem.Someone's head has to roll over this load of garbage surely.


@MURRAY GUY THAT'S CHOICE

Posted on 28-08-2016 17:57 | By kellbell

Are my eyes deceiving me surely Mr. Guy you were still on TCC Council in September 2013 before you were ousted in the Elections. As a Councillor it appears you were part of the secret squirrel IT bale out decision for $1.34m at that time.You can hardly blame those who replaced you for that subterfuge.Memory loss not setting in is it ?


@Murray Guy about Robson

Posted on 28-08-2016 18:40 | By Councillorwatch

Would the same John Robson you criticise be the one who got elected, unlike yourself at the last election? I mean the last full council election not the byelection where you stood for the Mount/Papamoa ward. Which one will you try for this time, one where you actually live?


The buck stops

Posted on 28-08-2016 18:45 | By doff

Surely this a management issue. The CEO is City Manager and paid mega bucks. He has taken his eyes off the ball. The last CEO forgot all about building maintenance and look at the mess which ensued. Councillors cannot see management issues if they are kept under wraps!


Computer issues can be addressed easily

Posted on 28-08-2016 18:51 | By r|1

If they had the right policies in place and a system that scans the USB sticks before they can bring them into the office would stop most of the threats via usb and user education is the key to stop most of the threats in a network so that ransomware problem could of been stopped easily. Also having 80 staff access to a server room when only people that need access should, isn't a good practice. Some places don't take IT security seriously until its too late.


Oh NO! surely not

Posted on 28-08-2016 21:32 | By CC8

How unusual! Computer issues at TCC! I seem to recall some questions asked a couple of months ago...largely, in spite of all assurances, no answers were forthcoming then, I can't imagine anything will change now.


Re Mr Guy...

Posted on 28-08-2016 22:39 | By john robson

It's worthwhile reading report DC186. This confirms Murray's era was a period of mismanagement. But none of the problems were Murrays responsibility in his view. In fact, (he claims) he was unaware of the problems as were his colleagues As a result, the public knew nothing. Contrast the current situation. I am aware of the IT problems. My colleagues are aware. The auditor is aware. The public is aware. And the CE is under pressure to address them. As he should be. Its worth noting that the IT issues are a legacy of Murrays era. As are the building issues, the staff morale and capability issues, the Te Maunga issues, etc. For this legacy, I estimate that Mr Guy cost ratepayers more than of a million dollars. I, true to my word, have not taken a dollar. Perhaps Murray should offer the ratepayers their money back.


Computer Carelessness Will Cause Chaos

Posted on 29-08-2016 08:03 | By ROCCO

Apparently from reports I have the only issues here are software issues and the failure by TCC to acknowledge and address these in a timely manner.Throwing huge amounts of money at the wrong thing won't help. If the so called "experts" can't or won't deal with it then dispense with their services.Security issues with access to servers are appalling and should be watertight -whose USB was it anyway and what action taken on this breach????


@Murray.Guy

Posted on 29-08-2016 08:08 | By dbunk

Pure class standing for Mayor and throwing stones and mud. The city needs a leader not a finger pointer.


@John Robson

Posted on 29-08-2016 17:03 | By kellbell

Yes the issues you refer to were there in Mr Guys tenure and as far back as 2000 and beyond. You can blame that on all EMs particularly those that wielded the power and at the very top.Staff morale at lower levels is poor and capability at the upper levels questionable.Building issues have been there forever and bad attitudes and a bad culture don't help.All these things are still present today and you are joking if you think the CEO is capable of sorting or will sort them out.


Crazy world

Posted on 31-08-2016 13:07 | By Crash test dummies

Denial, claims made that don't exist, latching onto something simply because it is there, playing with the time line as suits 24/7


@JAFFA

Posted on 31-08-2016 20:09 | By kellbell

WHAT on earth are you rabbiting on about here .If you mean it is bad you have hit the nail on the head but OMG spell it out in plain English.


IT spending

Posted on 03-09-2016 11:59 | By Crash test dummies

Looks like they are lining up another massive spend of millions attempting to fix and remedy what is not a hardware issue.


Another council spend on the horizon

Posted on 16-09-2016 13:46 | By flyingtoaster

I have been in the IT industry for 17 years, and find it hard to believe that any reputable IT professional, would roll out an IT solution, with so many security issues. This leads me to believe, either, the auditors have it wrong, or the council network administrator is a muppet.


Leave a Comment


You must be logged in to make a comment.