ICT professionals, security and governance teams have a duty of care to ensure that the systems people depend on are properly patched and updated, and failure to do so might be seen as a failure of both ethics and internal controls.
So says the Institute of Information Technology Professionals South Africa (IITPSA), which was responding to recent breaches and glitches caused by organisations failing to keep software appropriately patched and updated.
Moira de Roche, Independent consultant, IITPSA non-executive director, social and ethics committee chair, chair of IFIP IP3, and IFIP board director, says several high-profile breaches, such as the 2017 Equifax hack that exposed the data of over 147-million people, were due to vulnerabilities for which patches were available.
“Unpatched systems are a major governance and security risk,” says de Roche.
SARS fail erodes trust
“At the same time, we are seeing failure to update and patch systems resulting in massive inconvenience, as in the case of the recent SARS failure to migrate all of its forms from the Adobe Flash Player platform before the termination of support last month. Updates and migration should have been part of the IT, governance and security project plan years ago,” she notes.
De Roche says ICT professionals have a duty of care to ensure that the basics – such as patching and updates – are attended to timeously to avoid risk to their organisations, and the individuals entrusting those organisations, with their data.
SARS has said that it prioritised the migration of major tax types with the highest volumes from Adobe Flash Player to the HTML5 platform, and planned to complete the migration of the rest of its forms this year. However, it conceded it had erred in its interpretation that functionality would continue beyond the date for discontinuation of Adobe Flash Player support. The organisation then announced that it had published its own web browser, with support for Adobe Flash, to allow taxpayers to continue submitting tax forms electronically.
Carolynn Chalmers, IT governance advisor at Candor Governance, a previous director of IITPSA and an IITPSA designated professional CIO (Pr.CIO), says the recent SARS issue might be seen as a failure of the organisation’s system of internal controls. “Instances such as these are clear indicators of IT management lapses,” Chalmers says.
She says IT governance responses to such indications of ineffective IT management could include activities such as reviewing the organisation’s IT governance policies to ensure that they remain suitable and meet the context in which the organisation finds itself (e.g. increased cybersecurity risk context) and taking action on the basis of management and assurance reports. Such reports include:
* Executive report on the management of the IT department, including performance management and remuneration policy;
* Audit Committee / Chief Audit Executive report on the performance of associated internal controls; and
* Risk Committee report on the effectiveness of the organisation’s IT risk management in the context of the organisation’s Enterprise Risk Management.
IITPSA past president and non-executive director Ulandi Exner says failing to attend to basic patch management, or failure to migrate from applications nearing end of support, raises major concerns about overall security and erodes trust in an organisation such as SARS.
“There is no convincing reason why this SARS oversight occurred,” she says. “It raises questions about their new browser too. How can taxpayers trust a browser that was launched virtually overnight and only works on Windows? From a security perspective, we don’t know whether it has gone through the right levels of testing and acceptance, and there are no indications of how patch management will be handled on that application.”
Why updates and patches are neglected
Installing patches and updates can be time consuming and laborious, and can disrupt operations, Exner says. “We all know the frustration of seeing our own laptops updating when we have urgent work to attend to. In a large enterprise, there are far more complex and intricate environments at play.
“Many IT teams are loath to risk disrupting these systems with a patch or update that might cause unexpected changes, so they take the approach ‘if it ain’t broke, don’t fix it’. But patches and updates have to be attended to, in a controlled environment. You need a proper patch management programme to mitigate risk,” she says.