WCED on actions following recommendations of Provincial Forensic Services in respect of all fraud cases; Department of Premier on mechanisms in place to protect ICT information government departments

Public Accounts (SCOPA) (WCPP)

14 August 2020
Chairperson: Mr L Mvimbi (ANC)

Meeting Summary

Video: PUBLIC ACCOUNTS COMMITTEE, 14 AUGUST 2020, 09:00

The Western Cape Education Department briefed the Committee on the Provincial Forensic Services’ recommendations for Quarters 1 and 2 of the 2019/20 financial year, focusing on implemented and outstanding recommendations. This was a virtual meeting. Many of the cases in the education sector were related to incidents that happened at schools and school governing bodies. Of the seven disciplinary recommendations, three were not implementable. Of the 15 control or other recommendations, only five were implemented. The Department cited insufficient evidence and resignations by witnesses or perpetrators for the failure to conclude the cases.

The Department of the Premier also updated the Committee on the information technology (IT) security of the provincial departments, describing the mechanisms in place to protect their information and the interventions in place should an external threat to information security occur. For improved IT security, the Department would focus on security organisation structure and resourcing. It also indicated that for IT security to be effective, it needed people, technology and processes. This had to be underpinned by legislation, governance and controls. It highlighted that cyber attacks were a growing risk to businesses in South Africa and globally. A lack of skills was also an obstacle to tackling cyber crime. Employees and former employees were seen to be the biggest threat to cyber security, and the government was not dealing adequately with cyber threats.

In order to deal with internal and external threats, the Western Cape government had established a dedicated team that focused on information security. This team comprised a dedicated IT security unit, an IT governance unit and a network management unit. Most applications and systems had been moved into the cloud, where IT security was far better, far stronger and affordable.

Members asked for an explanation regarding the challenges around the conclusion of Education Department cases, and if all the cases had been finalised within the 90-day period; enquired about the impact of the school governing board-related cases on the stability of the schools, and how that stability was being managed; wanted to know how many other categories of offences there were, besides those classified as Category A; and wanted to establish what the Department had done to ensure on-line investigations were fair, because Covid-19 had forced people and businesses to go on-line.

Members commented that the prevention measures were providing comfort with regard to the security provided to the province, seeing that the IT security environment was very complex. They asked what the Department was doing to ensure the government at large, as well as the public, got educated about what 5G was in South Africa and the Western Cape, because people in communities were getting fake news through social media on 5G. The Department was requested to provide the Committee with information about the lack of capacity and disgruntled employees, so that this did not impact negatively on the government.

 

Meeting report

Western Cape Education Department: Provincial Forensic Services recommendations

Mr Brian Schreuder, Head of Department (HOD): Western Cape Education Department (WCED), said the focus of the presentation was on Quarters 1 and 2 of the 2020 financial year. The briefing was based on the report of Provincial Forensic Services (PFS) given to the Committee in May 2020 regarding controlled and completed issues. Many of the cases in the education sector were related to incidents that happened at schools and school governing bodies (SGBs). It had not been found easy to report these cases due to the complexities involved. Sometimes when schools were closed, it was hard to gather evidence because there were no people to provide it. This also applied to SGBs and auditors, where it was not always easy to obtain information for cases.

Mr Leon Ely, Chief Financial Officer (CFO): WCED, took the Committee through the status report on the recommendations of the PFS, and the WCED status report on outstanding recommendations. Of the seven disciplinary recommendations, three were not implementable. Two witnesses had resigned from the Department, while there was not sufficient evidence to charge on the other recommendation. This had made it difficult to continue with the cases. There was sometimes incongruence in information received. Those who were charged usually got a chance to be represented by a legal practitioner or union representatives. High priority was given to Category A cases, which dealt with fraud and corruption. The Department tried to finalise cases within 90 days, while some petty cases were finalised within 30 days. It all depended on the complexity of the case.

Of the 15 control or other recommendations, only five were implemented. Six of the ten recommendations not implemented were finalised, while the remaining four were in progress. One case required further consultation with the SGB. All the other cases would be completed when the schools were fully operational, and all role players would be consulted.

Information Technology (IT) security update

Mr Hilton Arendse, Deputy Director General (DDG): Centre for e-Innovation, Department of the Premier (DotP), told the Committee that information security was a serious matter and would remain top of mind. The Department was trying at all times to improve information security services. Even when Covid-19 hit, the Department had decided not to drop its guard. It had therefore decided to send the Committee a comprehensive presentation on the issue because it had raised a concern when it engaged with the Cape Agency for Sustainable Integrated Development in Rural Areas (Casidra) and learnt of the existing breach in its IT security protocol. This had negatively impacted on its audit outcome when it had submitted information to the Auditor General of South Africa (AGSA) for the verification of its predetermined objectives.

Mr Augi de Freitas, DDG: DotP, said the purpose of the briefing was to advise the Committee on the mechanisms in place to protect information communication technology (ICT) information of the Western Cape Government’s departments, including any mechanisms it had in place should an external security threat occur.

He said that most breaches or incidents were found to have been caused by employees and contracted parties. As a result, there were recommendations that had been put forward, and areas of focus for the improvement of IT security:

  • Security organisation structure and resourcing -- insufficient skilled IT security staff;
  • Establish the target security governance structure and enablement processes, and roadmap the IT maturity dependencies;
  • Optimisation of capabilities, tools and service to support a cloud first and digital transformation strategy;
  • Establish a data security and privacy programme;
  • Establish a security risk assurance function.

It was noted that all of these recommendations required more staff. The State Information Technology Agency (SITA) and the Western Cape Government (WCG) had a very good IT security track record, but IT security could be compromised through “mistakes” and “people” or very sophisticated attacks. He indicated that the hype that had been created by the media had sometimes, after investigation, been found not to be as bad as had been reported. In the event of a cyber attack, some of the following needed to be done:

  • Remove the hype, minimise emotionalism, and isolate noise;
  • Focus on facts and evidence;
  • Find and isolate the root cause of the incident;
  • Work closely with the key technology providers (Microsoft, Cisco, OpenText, etc.);
  • Work closely with SITA and other agencies;
  • Monitoring of the total IT spectrum;
  • Analysis of access logs and audit trail.

He also indicated that for IT security to be effective, it needed people, technology and processes. This had to be underpinned by legislation, governance, and controls. The following processes had to be in place:

  • IT security framework, policy, standards, controls and procedures;
  • IT security risk management supporting the IT risk management, and feeding into the Enterprise Risk Management (ERM);
  • Incident and breach management;
  • Change control management;
  • IT security forum.

The following personnel challenges had been identified:

  • Lack of capacity and skills;
  • Lack of awareness, responsibility, accountability and consequences;
  • End-user behaviour, work culture and attitudes;
  • Mistakes, errors and negligence;
  • Deliberate leakage and sabotage.

When it came to technology, areas that had been identified included physical devices such as memory sticks, the operating system (OS), application software, poor systems design and architecture, database platforms, programming languages, poor data structures and protection, and IT tools.

Mr De Freitas highlighted that cyber attacks were a growing risk to businesses in SA and globally. A lack of skills was also an obstacle to tackling cyber crime. Employees and former employees were seen to be the biggest threat to cyber security, and the government was not dealing adequately with cyber threats.

Looking at recent global cyber trends, he pointed out that cyber threats would stay the same or worsen in 2020, and the top three industry sectors to be likely targets of a cyber attack were finance and banking, technology and government. The biggest concerns during a cyber attack were the loss of sensitive data, the impact on customers, and business operation disruptions. The most likely attributions for the attacks were hacker groups, individual hackers and criminal organisations. Most organisations were now planning cyber security budget increases for 2020, with the average spend being 6% to 7% of the overall IT budget. From the R71.19 billion Western Cape Provincial Budget, R24 million went to the IT security budget.

In order to deal with internal and external threats, the WCG had established a dedicated team that focused on information security. This team comprised a dedicated IT security unit, an IT governance unit, and a network management unit. Most applications and systems had moved into the cloud, where IT security was far better, far stronger and affordable.

Mr De Freitas concluded that IT security was very complex and expensive, and all organisations were grappling with it. That was why the Department of the Premier was currently focusing, amongst other things, on the implementation of Multi-factor Authentication (MFA), continuous IT security awareness campaigns aimed at key areas and primarily at users to influence behaviour, the monitoring of alerts and logs, software patch update management, and IT security patch management.

Discussion

PFS Recommendations

Ms N Nkondlo (ANC) asked for an explanation regarding the challenges around the conclusion of cases. She wanted to know if all the cases had been finalised within the 90-day period. She further enquired about the impact of the school governing body (SGB) related cases on the stability of the schools and how that stability was being managed. She also wanted to find out if a case was closed when an implicated person resigned from the Department.

Mr Schreuder said that not all cases had been finalised within 90 days. It was difficult to do investigations when the schools were closed. The Department of Education was the biggest employer in the province. The 90-day period was mainly for disciplinary cases. Not all cases involved fraud, but high priority was placed on sexual and fraud cases. Other cases were important as well. The Department had to follow proper procedures when dealing with the cases. Some were taking longer than 90 days because of their complexity, and school holidays were proving to be a challenge as well.

Mr Ely added that they were trying to deal with cases based on the recommendations received. Provisions had been made for school principals to assist SGBs in the management of finances. The training had been on-going when it came to the resolution of cases by the SGBs. It was usually taking time to finalise matters because of administrative procedures that had to be followed.

Mr S Fakier, Director: Internal Control, WCED, added that people who resigned when faced with disciplinary or fraud cases were not getting away with anything. An implicated person was given a charge sheet. For Category A offences – fraud and corruption – a person got dismissed when found guilty. High priority was given to Category A offences.

Ms M Maseko (DA) wanted to know how many other categories of offences there were besides Category A. She asked if the block-on system for those who had resigned had been in place for the first time, because it was not the first time Members had heard of employees resigning when they faced consequences, or if the block system was just a reaction to these cases. She also enquired at which point evidence became sufficient to charge or not to charge.

Mr Fakier replied that there were two other categories besides Category A. Category B was for late coming and not following processes and procedures, and Category C was for minor cases. The block-on system had been implemented in the Western Cape 20 years ago. A person who had been found guilty and dismissed was recorded in the system. There was a block against that person’s name. The block-on system was in use in the public service nationally, not exclusively in the Western Cape. With regard to sufficient and insufficient evidence, the same principles used in courts of law were followed. When a report was received, evidence was gathered and a person was charged. However, if there was not enough evidence, it became difficult to charge.

Ms D Baartman (DA) wanted to establish how, in terms of procedures and processes, the Department had used on-line methods of investigation, and what it had done to ensure on-line investigations were fair, because Covid-19 had forced people and businesses to go on-line.

 

Mr Schreuder explained that the conclusion of cases had been compounded by Covid-19. Most cases would have to be completed by March 2021. The Department had referred some cases to the PFS, especially those that had to do with fraud. The PFS usually gave advice on what should be done and reported cases to the SA Police Service (SAPS). This also applied to on-line processes and procedures. On-line investigations were done when there were documents that provided evidence. This was an on-going process, and nothing would change post-Covid-19. The Department was busy at the moment utilising a hybrid system due to Covid-19. Sometimes it did not work when they had to conduct a disciplinary case virtually.

Ms Maseko asked how the Department was dealing with cases of a sexual nature when the perpetrator had resigned and had gone to another province.

Mr Schreuder said that when a person had resigned, the Department had no legal control over the person. The victim was advised to lay a charge with the SAPS against the person. Sometimes there would be allegations which were unfounded. It was not a good idea to label a person as a perpetrator for unfounded reasons. There must be sufficient information before labeling a person. If an investigation was being carried out, the Department sometimes put a block on the person while investigating the matter.

The Department considered fraud as a serious matter. For instance, if the allegations or cases were found not to be of a fraudulent nature by the PFS, they were referred to as financial mismanagement. When the Department received a report which had been referred to the PFS by a whistleblower, the PFS would deal with the case. Some cases went to the WCED, while other cases were referred to the PFS by the Department. Cases referred to the PFS usually took longer to be finalised, whereas when they were referred to the Department, they would be resolved quickly.

IT Security Update

Mr D America (DA) remarked that the prevention was providing comfort with regard to the security provided to the province, seeing that the environment in which IT security was operating was very complex. First, he wanted to know if it had been established where the threat emanated from, seeing that the presentation was a result of what had happened at Casidra. Second, he asked if there was a new security risk that would emanate from the new platform that they operated from, because the new work environment was a result of Covid-19. Third, he wanted to establish what the relationship of the Department was with SITA regarding the IT system environment. Fourth, he asked if there had been an education programme in place for disgruntled employees due to the lack of knowledge about IT security.

Mr Harry Malila, Director-General: Department of the Premier, said their duty as the DotP was to present what they were doing to prevent a recurrence of what had happened with Casidra.

Mr Arendse said the Department had strong working relations with SITA, and was monitoring the corporate environment to ensure stronger controls. He also indicated that the security risks were high, especially with home wi-fi, seeing that many people were working from home. That was why the Department had put interventions in place. The matter of disgruntled employees rested with the line managers of the employees. Training had been provided to empower employees on this matter. They had firewall systems internally, but the staff was not allowed to download applications to their laptops. That had to be done by IT personnel.

Ms Baartman wanted to find out what the Department was doing to ensure the government at large and the public were educated about what 5G was in South Africa and the Western Cape, because people in communities were getting fake news through social media regarding 5G.

Mr Arendse said his Department did not have a focus on 5G, and that was something as a Department they would have to look at.

Ms Nkondlo wanted to know what the latest had been on the hotspot project to ensure each community was getting wi-fi, because the project had later been changed to focus on schools. She also wanted to establish what the state of the broadband infrastructure in the province was, in order to connect government departments to communities. She asked if the government was getting value from the high costs of IT security, and if there were state protocols in place, because IT security solutions were always provided by third parties. These third parties were sitting with state information about state projects and programmes. The danger was the possibility that these private companies could pitch the very same projects and programmes to the state.

Mr Arendse said the Department could have a discussion with the Committee on these matters. There were many broadband sites that had been rolled out. A presentation should be arranged with the Committee on these issues.

Ms Maseko asked the Department to provide the Committee with information regarding the lack of capacity and disgruntled employees so that this did not impact negatively on the government’s side.

Mr Arendse explained that the issue of disgruntled employees was the responsibility of managers, and his Department was more than willing to assist managers. The managers had to drive the process. There were controls in place. The lack of capacity was not an indication the Department was over-exposed. Rather, it was the responsibility of each and every IT person to protect the information of the organisation. Highly technical skills were used only when they were required.

The Chairperson requested the Department to provide the Committee with detailed updated information on Casidra in writing for the benefit of the Members.

The Committee then resolved that the Department should send it policy documents on 5G and cyber security, and that a prepared presentation by the Department on broadband should be shared with the Committee.

Adoption of Minutes

The minutes of 22 May and 12 June were adopted, without amendment.

The meeting was adjourned.
