The Department of Corrective Services (DCS) aims to provide safe, secure and meaningful corrective services that contribute to community safety and reduced offender involvement in the justice system. Over 4,000 staff work across the state at approximately 50 locations in Western Australia, managing adults and young people in prisons, detention centres and in the community.
DCS heavily relies on a custodial information application – Total Offender Management Solution (TOMS), to meet its responsibilities.
TOMS is the main information source for management of adult prisoners and young people in the community. If TOMS data is unavailable or incorrect, there is an increased risk to the safety of offenders, DCS staff and the community.
A number of other agencies, including the Prisoners Review Board, Department of the Attorney General and WA Police also rely on specific data from TOMS, such as location of prisoners, demographic details, discharge information and assessment reports. Oversight bodies such as the Corruption and Crime Commission and the Office of the Inspector of Custodial Services also rely on data from TOMS as evidence of activities.
On a typical working day, around 1,400 users access TOMS. The total number of users, located throughout Western Australia, is in excess of 4,600. Implemented in 2001, the TOMS database contains records generated since 1954 including:
- 78,000 prisoners (6,000 active)
- 10,000 young people in detention (150 active)
- 77,000 young people in the community (1,700 active)
- 500,000 persons who visited offenders in prison.
These records contain large amounts of sensitive information including personal identification, sentence details, health, counselling and incidents (including serious assaults), for adult and young offenders. TOMS is the primary source of information for DCS reporting. This includes key performance indicator data, operational reports and information for third parties including Parliament, the Ombudsman and the Australian Bureau of Statistics.
Overall, TOMS meets the needs of DCS staff to manage offenders in correctional facilities and the community.
However, several manual processes cause data integrity issues that require continuous correction by DCS. One of the causes of the data integrity problems has been addressed, which should ensure greater accuracy of data, but historical inaccuracies remain and will only be resolved with time. In addition, we identified a number of system and database vulnerabilities that increase the risk of unauthorised access to electronic information relating to prisoners and young offenders.
The integrity of the system is at risk from inaccurate information
Users of the TOMS application identify large numbers of data integrity issues on a daily basis. For instance, between 9 November 2014 and 8 November 2015, more than 2,350 data integrity issues were recorded. These issues are primarily caused by manually entered data. Given the large volume of data manually entered it is likely that many errors remain unidentified.
Examples of integrity issues, many of which occur when prisons first receive offenders, include:
- offenders entered multiple times
- incorrect offender details such as name or date of birth
- incorrect recording of incidents involving offenders
- missing photos or the photo of a different person is recorded
In some cases these errors occur because the documentation the Department relies on when it receives offenders contains incorrect information.
DCS staff advised that some types of error such as medical, behavioural and mental health information, including self-harm potential can increase the risk to DCS staff and offenders. Incorrect information can also have a negative impact on staff efficiency and DCS operations. However, there are compensating controls outside of TOMS that mitigate this risk.
Some recent automation will help improve accuracy
Various manual processes for data entry, data manipulation and reporting have adversely affected the accuracy and reliability of TOMS information and reports. Some automation has occurred but problems remain.
Figure 4 is an example of manual processes that contribute to data errors.
DCS is working to improve the data integrity issues. For example, a main cause of inaccurate information was the manual input of warrant information. Warrants detail the identity of the offender, charges and the sentences imposed. Until October 2015, this information was manually entered into TOMS. DCS automated the process and introduced a manual check back to the hard copy warrant form. These controls are expected to increase the accuracy of warrant information in TOMS, although it will take time for historical errors to be identified and corrected.
DCS also manually extracts TOMS records and manipulates the data to provide information and reports that TOMS has not been designed to produce.
Sentence details are extracted from TOMS and manually entered into a spreadsheet. The spreadsheet uses the sentence information to calculate dates for various reviews and release of prisoners. These dates are then manually entered back into TOMS. Incorrect dates mean that DCS relies on other manual processes to ensure prisoners are released on time. The initial sentence calculation is audited by a second person who checks all of the calculations involved in a prisoner’s current term from start to finish before it is entered into TOMS.
DCS reports its key performance indicator and operational statistics using a largely manual process:
- to ensure all reports use the same point in time information, data in TOMS is automatically transferred to a data warehouse
- accurate delivery of overnight data is validated by cross referencing with source systems when producing reports
- the statistical analyst runs queries that generate reports and information on the warehoused data
- the numbers generated by these queries are manually entered into a spreadsheet, for example, daily prison population at midnight
- the spreadsheet is used to collate and calculate various daily statistics
- DCS uses the data in the spreadsheet as the source of official KPI and operational statistics
- DCS advised that the data is compared for consistency against previous quarterly and annual statistics.
Manual processes are inefficient and increase the risk of inaccurate and/or incomplete information and reports. DCS may also report inaccurate KPI information and operational statistics.
Security of sensitive information
We performed a vulnerability assessment and database security check on the TOMS application and the supporting IT environment. These tests identified a range of weaknesses which increase the risk to the confidentiality, integrity and availability of sensitive DCS information.
Some of the weaknesses we noted were:
- Software updates not applied – we found that software updates released by the software vendors to fix known security issues and weaknesses were not applied to the TOMS database, application and other critical servers. Without these updates, attackers could exploit known vulnerabilities and may gain access to systems and information. An effective patching process that keeps software up-to-date is vital protection against cyber threats and data loss.
- Unsupported operating systems – servers run operating systems that the vendor no longer provides security updates for or supports. This increases the risk of DCS’s IT systems and information being compromised.
- Vulnerability assessments are not conducted – DCS does not perform vulnerability assessments across their IT systems and therefore cannot give assurance that its software updates are applied correctly and are not vulnerable to threats.
- Account sharing – the highly privileged database administrator account is shared by 15 different people including 12 contactors that support the TOMS application. This sort of arrangement is inconsistent with accepted good practice as the use and activities of this account cannot be traced back to specific individuals.
- Database passwords do not expire – database user account passwords are not set to expire. We found a number of users had not changed their passwords in over 5 years, including the password for the database administrator account. DCS runs a significant risk that individuals who are no longer authorised to access TOMS information may do so through the shared administrator account. Configuring passwords to expire periodically reduces this risk.
- Database activities not logged – DCS has not established database logging and auditing to monitor and record system changes made at the database level. As a result, changes to the database cannot be traced back to individuals and any suspicious modification or access to data will go unnoticed.
- Backups not encrypted – TOMS backups are not encrypted. Backups are stored on tapes that are collected and managed by a third party contractor. This creates a risk of unauthorised access and inappropriate disclosure of DCS information if tapes stored offsite are misplaced or stolen. Encryption of backup media, where confidentiality is of importance, is also in line with the international standard for information security (ISO27002/2013).
Sensitive information is stored in insecure locations
DCS has inadequate security over both the hard copy and electronic copy of confidential Court warrants.
DCS stores the hard copy warrants in unlocked cabinets in an open plan office. The electronic copies are stored in a shared email system that lacks proper document management. These records contain the identity of the offender (including that of young offenders) the criminal charges and the sentences imposed.
Inadequate security creates the risk of unauthorised access and distribution.
Controls to ensure ongoing operations
TOMS is crucial to DCS day-to-day operations. If TOMS was unavailable, DCS would be forced to use paper-based records to manage critical functions including prisoner counts and movements such as between prisons and courts, visitor information and prisoner risk/threat assessments. The unavailability of TOMS would increase the safety risk to DCS staff, visitors and offenders.
We identified a number of issues that may impact the availability of TOMS:
- DCS has not performed a risk assessment of TOMS and its supporting business processes. Without an adequate risk assessment, DCS will not be able to identify, assess and treat risks that affect the successful operations of TOMS.
- DCS has not yet developed an IT disaster recovery plan for TOMS and other key systems. This means that DCS may be unable to recover the TOMS application in a timely manner to ensure minimal disruption to operations.
- DCS has not tested the backup tapes it plans to use to recover TOMS in the event of an incident. It is therefore uncertain that TOMS can be recovered if required.
- Although each DCS facility has its own business continuity plan, it does not have a BCP for DCS head office. The majority of TOMS support and administration staff are based at this office. In the event that systems become unavailable, there is no documented plan on how the department will operate.
- The DCS change management process does not adequately capture and assess the impact of changes to TOMS. Changes can be made at the request of an end user without appropriate stakeholder oversight and approval, thereby creating a risk to the availability and security of TOMS.
- By August 2016 the Department of Corrective Services should:
a. Undertake a risk assessment of TOMS to identify risks associated with information handled within TOMS and related business processes. This should inform the corporate risk register for senior management to consider.
b. Ensure that appropriate controls are in place to protect the information stored in databases and systems to prevent exposures that could lead to the compromise of information. This should include a process to identify and apply software updates to all information systems in a timely manner. Consideration should be given to risks with outdated and unsupported operating environments.
c. Ensure sensitive hard copy information is adequately secured.
2. By December 2016 the Department of Corrective Services should:
a. Ensure all data entry processes have appropriate controls to ensure the accuracy and integrity of information.
b. Review the existing data integrity issues within TOMS to ensure accuracy and completeness. This can also be used to identify the source of errors.
c. Produce a business continuity plan for head office and a disaster recovery plan to ensure the ongoing operations of key applications and IT services. These plans should be tested to ensure they will operate effectively.
3. By June 2017 the Department of Corrective Services should:
a. Appropriately control sensitive electronic information. These controls should ensure that the information is appropriately stored and access is restricted to authorised users only. As part of an overall information security strategy, DCS should implement good access control practices that include all users and roles.
Response from the Department of Corrective Services
The Department of Corrective Services welcomes the application controls review by the Office of the Auditor General. The Department notes that overall the Total Offender Management Solution system was found to meet the needs of the Department’s staff to manage offenders in correctional facilities and the community. The Department thanks the Office of the Auditor General for its advice and recommendations on how it can continue to review and improve its systems and processes.
The Department accepts the recommendations and notes that a number of findings have been addressed by the Department prior to the completion of this audit. The Department is acting on all remaining recommendations as a matter of priority and is committed to the continued improvement of its information systems.