Page 10 - EngineerIt February 2021

ICT - SECURITY

Failure to patch and update software a noteworthy fail

ICT professionals, security and governance teams have a duty of care to ensure that the systems people depend on are properly patched and updated, and failure to do so might be seen as a failure of both ethics and internal controls.

So says the Institute of Information Technology Professionals South Africa (IITPSA), which was responding to recent breaches and glitches caused by organisations failing to keep software appropriately patched and updated.

Moira de Roche, independent consultant, IITPSA non-executive director, Social & Ethics Committee chair, chair of IFIP IP3, and IFIP board director, says several high-profile breaches, such as the 2017 Equifax hack that exposed the data of over 147 million people, were due to vulnerabilities for which patches were available. “Unpatched systems are a major governance and security risk,” says de Roche.

SARS fail erodes trust

“At the same time, we are seeing failure to update and patch systems resulting in massive inconvenience, as in the case of the recent SARS failure to migrate all of its forms from the Adobe Flash Player platform before the termination of support last month. Updates and migration should have been part of the IT, governance and security project plan years ago,” she notes.

De Roche says ICT professionals have a duty of care to ensure that the basics – such as patching and updates – are attended to timeously to avoid risk to their organisations, and the individuals entrusting those organisations, with their data.

SARS has said that it prioritised the migration of major tax types with the highest volumes from Adobe Flash Player to the HTML5 platform, and planned to complete the migration of the rest of its forms this year. However, it conceded it had erred in its interpretation that functionality would continue beyond the date for discontinuation of Adobe Flash Player support. The organisation then announced that it had published its own web browser, with support for Adobe Flash, to allow taxpayers to continue submitting tax forms electronically.

Carolynn Chalmers, IT governance advisor at Candor Governance, a previous director of IITPSA and an IITPSA designated professional CIO (Pr.CIO™), says the recent SARS issue might be seen as a failure of the organisation’s system of internal controls. “Instances such as these are clear indicators of IT management lapses,” Chalmers says.

She says IT governance responses to such indications of ineffective IT management could include activities such as reviewing the organisation’s IT governance policies to ensure that they remain suitable and meet the context in which the organisation finds itself (e.g. increased cybersecurity risk context) and taking action on the basis of management and assurance reports. Such reports include:

i.   Executive report on the management of the IT department, including performance management and remuneration policy;
ii.  Audit committee / chief audit executive report on the performance of associated internal controls; and
iii. Risk committee report on the effectiveness of the organisation’s IT risk management in the context of the organisation’s enterprise risk management.

IITPSA past president and non-executive director, Ulandi Exner, says failing to attend to basic patch management, or failure to migrate from applications nearing end of support, raises major concerns about overall security and erodes trust in an organisation such as SARS. “There is no convincing reason why this SARS oversight occurred,” she says. “It raises questions about their new browser too. How can taxpayers trust a browser that was launched virtually overnight and only works on Windows? From a security perspective, we don’t know whether it has gone through the right levels of testing and acceptance, and there are no indications of how patch management will be handled on that application.”

Why updates and patches are neglected

Installing patches and updates can be time consuming and laborious, and can disrupt operations, Exner says. “We all

Pictured: Carolynn Chalmers, Moira de Roche, Ulandi Exner