Report 12: 2017

Information Systems Audit Report

Laboratory Information Management Systems – Chemistry Centre

Introduction

ForLIMS and SIGNA are the two laboratory information management systems used by the Chemistry Centre (ChemCentre) to manage laboratory operations. These systems contain highly confidential information and, if not managed properly, could compromise the reliability and accuracy of important laboratory results.

Audit conclusion

ForLIMS and SIGNA allow ChemCentre to manage the operations of its laboratories and help ensure the integrity of its analysis and reporting.

However, system integrity is at risk from a range of weaknesses in application, database and network security controls. These include weak passwords, unpatched software and inadequate access controls and disaster recovery plans.

Background

ChemCentre provides analytical services to government agencies and industry for forensic science and medicine, public health and safety, environmental protection, and crisis and emergency response and management.

It delivers these services through two independent laboratories: the Forensic Science Laboratory (FSL) and the Scientific Services Division (SSD). Each laboratory manages its operations through bespoke Laboratory Information Management Systems.

The FSL provides forensic services to WA Police, state and district coroners, and other government agencies. Analysis results reported by FSL are sensitive in nature and confidential until released to the public by the relevant agency. An error in the laboratory system could result in misreporting of results to clients.

ChemCentre created ForLIMS in the early 1990s specifically to meet FSL’s needs for managing and reporting of forensic cases. FSL has continually updated ForLIMS and it now contains over 130,000 cases. In the year to June 2016, FSL processed over 9,500 cases and tested almost 58,000 samples.

ChemCentre’s other laboratory, the SSD, provides a wide range of scientific services to government and industry clients, including emergency response to chemical incidents. Its stated aim is to safeguard the state from chemical risks to health and safety and to facilitate sustainable economic development. Its services include testing of soil, water, air and other materials for harmful chemicals.

SIGNA is a major in-house redevelopment of a legacy laboratory application, which SSD uses to manage laboratory operations. In the 12 months to June 2016, SSD performed over 510,000 tests on approximately 2,600 jobs for over 500 clients.

Audit findings

Poor policies and procedures compromise data security

ChemCentre lacks many of the information security policies and procedures needed to ensure the security of its applications. The policies that do exist are outdated and may no longer be suitable. Policies and procedures set senior management expectations and responsibilities for configuring security controls to meet security requirements. They also inform employees of their responsibilities for security.

ChemCentre applies many technical controls to ensure the security of its applications and information. However, many of these controls may not meet its security objectives, as the policies are lacking or outdated.

For example, the password policy, last reviewed in 2010, allows users to set simple passwords such as ‘password’ or ‘12345678’. In addition, the policy does not require stronger passwords for highly privileged network, database and application accounts. As a result, we were easily able to guess passwords for the database system administrator account and for accounts within ForLIMS.
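As an added illustration (not ChemCentre’s code or policy), the following Python check enforces the kind of password policy this finding calls for: a higher minimum length and more character classes for privileged network, database and application accounts, a blocklist of the passwords a guessing attack tries first, and rejection of trivial sequences such as ‘12345678’. The tier names, minimum lengths and blocklist entries are assumptions chosen for the example.

```python
"""Password policy enforcement with a stricter tier for privileged accounts.

Added example, not ChemCentre's code or policy. The tier names, minimum lengths,
character-class requirement and the blocklist entries are assumptions.
"""
import re

# Constructed blocklist: the passwords a guessing attack tries first. A real
# deployment would load a much larger list (for example from a breach corpus).
COMMON_PASSWORDS = {
    "password", "password1", "passw0rd", "12345678", "123456789",
    "qwerty123", "letmein", "welcome1", "admin123", "changeme",
}

# Policy as data: one entry per account tier. "privileged" covers database
# administrator, domain administrator and application administrator accounts.
POLICY = {
    "user":       {"min_length": 12, "min_classes": 3},
    "privileged": {"min_length": 16, "min_classes": 4},
}

CHARACTER_CLASSES = (
    re.compile(r"[a-z]"),
    re.compile(r"[A-Z]"),
    re.compile(r"[0-9]"),
    re.compile(r"[^a-zA-Z0-9]"),
)


def is_trivial_sequence(password):
    """True for runs such as 12345678, abcdefgh, 87654321 or aaaaaaaa."""
    if len(password) < 4:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(password, password[1:])}
    return steps in ({0}, {1}, {-1})


def check_password(password, tier="user"):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    rules = POLICY[tier]
    violations = []
    if len(password) < rules["min_length"]:
        violations.append(f"shorter than {rules['min_length']} characters")
    classes = sum(1 for pattern in CHARACTER_CLASSES if pattern.search(password))
    if classes < rules["min_classes"]:
        violations.append(
            f"uses {classes} character classes, policy requires {rules['min_classes']}")
    if password.lower() in COMMON_PASSWORDS:
        violations.append("appears in the common-password blocklist")
    if is_trivial_sequence(password.lower()):
        violations.append("is a repeated character or a simple sequence")
    return violations


if __name__ == "__main__":
    for candidate, tier in [("password", "user"), ("12345678", "privileged"),
                            ("Tr0ub4dor&3!", "user"), ("Tr0ub4dor&3!", "privileged")]:
        result = check_password(candidate, tier)
        print(f"{candidate!r} as {tier}: {'OK' if not result else '; '.join(result)}")
```

The same function should sit behind both the application’s password-change screen and the administrator’s account-provisioning script, so that a privileged account cannot be created with a password the policy would reject for an ordinary user.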

ChemCentre does not have a policy for the logging and monitoring of key events in its applications. While key events in SIGNA and ForLIMS are recorded in ChemCentre’s IT systems, there is no requirement to proactively monitor or act on these. This means ChemCentre may not recognise or respond to attempts to compromise its applications or data until after the fact. We also noted that key database events are not recorded, such as access attempts, account administration and changes to database configuration.
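To make the monitoring gap concrete, here is an added Python example (not ChemCentre’s tooling) that runs detections over exactly the database events the report says are not recorded: a burst of failed logins against one account, that account then logging in successfully (the pattern a guessed database administrator password, as in the previous finding, would produce), account administration by an unexpected user or outside an authorised change window, and any change to database configuration. The log format, field names, thresholds, authorised-administrator list and the sample lines are constructed for the example and do not represent any vendor’s audit format.

```python
"""Detection over database audit events: failed-login bursts, account administration
and configuration changes.

Added example, not ChemCentre's tooling. The line format, field names, thresholds,
AUTHORISED_ADMINS, CHANGE_WINDOW and the sample log are all constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: a guessing burst against 'sa' that succeeds, followed by
# account and configuration changes, then a legitimate admin action in hours.
SAMPLE_LOG = """\
2017-03-01T08:59:40 db=forlims user=analyst1 event=LOGIN_OK src=10.10.1.21
2017-03-01T09:00:01 db=forlims user=sa event=LOGIN_FAILED src=10.10.7.55
2017-03-01T09:00:03 db=forlims user=sa event=LOGIN_FAILED src=10.10.7.55
2017-03-01T09:00:04 db=forlims user=sa event=LOGIN_FAILED src=10.10.7.55
2017-03-01T09:00:06 db=forlims user=sa event=LOGIN_FAILED src=10.10.7.55
2017-03-01T09:00:07 db=forlims user=sa event=LOGIN_FAILED src=10.10.7.55
2017-03-01T09:00:09 db=forlims user=sa event=LOGIN_OK src=10.10.7.55
2017-03-01T09:00:15 db=forlims user=sa event=ACCOUNT_ADMIN detail="CREATE USER svc_export"
2017-03-01T09:00:20 db=forlims user=sa event=CONFIG_CHANGE detail="audit_trail=NONE"
2017-03-01T14:30:00 db=signa user=dba_jane event=ACCOUNT_ADMIN detail="ALTER USER lab_user PASSWORD EXPIRE"
"""

FAILED_LOGIN_THRESHOLD = 5
FAILED_LOGIN_WINDOW = timedelta(minutes=2)
AUTHORISED_ADMINS = {"dba_jane"}   # assumed: accounts permitted to administer accounts
CHANGE_WINDOW = range(13, 17)      # assumed: 13:00-16:59 is the approved change window

# key=value pairs; quoted values may contain spaces.
EVENT_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Parse one audit line into a dict with a datetime under 'ts'."""
    ts_text, _, rest = line.partition(" ")
    fields = {key: value.strip('"') for key, value in EVENT_RE.findall(rest)}
    fields["ts"] = datetime.fromisoformat(ts_text)
    return fields


def detect(lines):
    """Return a list of (timestamp, severity, message) alerts for the given audit lines."""
    alerts = []
    failures = defaultdict(deque)  # user -> timestamps of failed logins inside the window
    bursts = set()                 # users whose failures reached the threshold
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        ts, user, kind = ev["ts"], ev["user"], ev["event"]
        src = ev.get("src", "?")
        detail = ev.get("detail", "")
        if kind == "LOGIN_FAILED":
            window = failures[user]
            window.append(ts)
            while window and ts - window[0] > FAILED_LOGIN_WINDOW:
                window.popleft()
            if len(window) >= FAILED_LOGIN_THRESHOLD and user not in bursts:
                bursts.add(user)
                alerts.append((ts, "medium",
                               f"{len(window)} failed logins for {user} from {src} "
                               f"within {FAILED_LOGIN_WINDOW}"))
        elif kind == "LOGIN_OK":
            if user in bursts:  # guessing that ended in success: treat as compromise
                alerts.append((ts, "high",
                               f"successful login for {user} from {src} after a failed-login burst"))
                bursts.discard(user)
                failures[user].clear()
        elif kind == "ACCOUNT_ADMIN":
            if user not in AUTHORISED_ADMINS or ts.hour not in CHANGE_WINDOW:
                alerts.append((ts, "medium",
                               f"account administration by {user} outside policy: {detail}"))
        elif kind == "CONFIG_CHANGE":
            # Any configuration change is reportable; touching the audit trail is worst.
            severity = "high" if "audit" in detail.lower() else "medium"
            alerts.append((ts, severity,
                           f"database configuration changed by {user}: {detail}"))
    return alerts


if __name__ == "__main__":
    for ts, severity, message in detect(SAMPLE_LOG.splitlines()):
        print(f"{ts.isoformat()} [{severity}] {message}")
```

The rules are deliberately simple; the point is that none of them can fire unless the database is first configured to emit these events to a log the security team actually reads.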

Out of date and unpatched software leave applications exposed

We identified out-of-date and unpatched software on the server that runs ForLIMS and SIGNA, as well as on other core systems and workstations. In particular, the database software is an out-of-date, unsupported version. These patches were missing because ChemCentre does not have a process to identify and act on vulnerabilities in its software. Without regular updates, attackers could exploit known vulnerabilities to gain access to ChemCentre’s systems and data.

ChemCentre uses specialist scientific equipment to perform analysis on the samples it receives from clients. This specialist equipment is connected to ChemCentre’s network to allow the transfer of data with its applications. In addition, to allow monitoring of long running jobs ChemCentre enables remote access to some of the equipment.

Due to hardware and/or software limitations, much of the specialist equipment runs on legacy, unsupported operating systems with known exploitable vulnerabilities. An attacker who compromises an unpatched workstation in ChemCentre’s corporate network could move on to the specialist equipment and render it inoperable. ChemCentre needs to use layered security controls, such as network segmentation, to make it as difficult as possible for attackers to gain access. The Australian Signals Directorate considers network segmentation an excellent control for limiting cyber attacks.
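As an added example (not ChemCentre’s network design), the following Python expresses the segmentation this finding calls for as a zone allow-list and checks the properties it must hold: a compromised corporate workstation cannot reach the instruments directly, instruments can only deliver results to the LIMS server, and remote monitoring of long-running jobs goes through a jump host rather than from any workstation. The zone names, address ranges and ports are assumptions; once a real firewall ruleset exists, the same invariants can be checked against it.

```python
"""Segmentation policy for a laboratory network, expressed as a zone allow-list
and checked against the properties it must guarantee.

Added example, not ChemCentre's configuration. Zone names, address ranges and
ports are assumptions chosen to match the report's description.
"""
import ipaddress

ZONES = {
    "corporate":   ipaddress.ip_network("10.10.0.0/16"),  # staff workstations
    "lims":        ipaddress.ip_network("10.20.0.0/24"),  # ForLIMS / SIGNA server
    "instruments": ipaddress.ip_network("10.30.0.0/24"),  # legacy instrument controllers
    "jumphost":    ipaddress.ip_network("10.40.0.0/28"),  # hardened remote-monitoring host
}

# Allow-list of (source zone, destination zone, destination TCP port).
# Any inter-zone flow not listed is denied: the instrument VLAN never initiates
# into the corporate network and is only reached from the jump host.
RULES = {
    ("instruments", "lims", 445),       # instruments push result files to the LIMS share
    ("jumphost", "instruments", 3389),  # remote monitoring of long-running jobs
    ("corporate", "jumphost", 3389),    # analysts reach the jump host, not the instruments
    ("corporate", "lims", 443),         # LIMS web front end
}


def zone_of(ip):
    """Name of the zone containing ip, or None for addresses outside every zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def is_allowed(src_ip, dst_ip, dst_port):
    """Evaluate one flow against the allow-list (default deny)."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return False
    if src == dst:
        return True  # traffic inside a zone is not filtered by this policy
    return (src, dst, dst_port) in RULES


def check_invariants():
    """Return the security properties the policy fails to guarantee (empty if none)."""
    cases = [
        # description, (src, dst, port), expected
        ("corporate workstation cannot RDP to an instrument",
         ("10.10.1.21", "10.30.0.15", 3389), False),
        ("corporate workstation cannot reach an instrument file share",
         ("10.10.1.21", "10.30.0.15", 445), False),
        ("compromised instrument cannot reach the corporate network",
         ("10.30.0.15", "10.10.1.21", 445), False),
        ("instrument can deliver results to the LIMS server",
         ("10.30.0.15", "10.20.0.5", 445), True),
        ("remote monitoring reaches instruments via the jump host",
         ("10.40.0.2", "10.30.0.15", 3389), True),
        ("instrument cannot reach the internet",
         ("10.30.0.15", "203.0.113.10", 443), False),
    ]
    return [desc for desc, flow, expected in cases if is_allowed(*flow) != expected]


if __name__ == "__main__":
    failures = check_invariants()
    print("policy OK" if not failures else "policy violations: " + "; ".join(failures))
```

Intra-zone traffic is left unfiltered here, which is the usual compromise for instrument VLANs where the controllers cannot run host firewalls; the invariants still hold because the only way into that zone is the jump host.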

Sensitive data is at risk of unauthorised access

ForLIMS and SIGNA restrict access within the applications; however, they store electronic documents on the network, where they are not subject to the same access controls. A user with network access may therefore be able to read reports they are not authorised to see.

ChemCentre generates backup tapes of application data for future recovery, which a third party collects for off-site storage. These tapes are unencrypted, creating a risk of unauthorised disclosure of information if they are lost or stolen. Encryption of backup media is advisable where confidentiality is important, as outlined in the international standard for information security controls (ISO/IEC 27002:2013).

The work performed by ChemCentre may be sensitive, particularly where the Forensic Science Laboratory is involved in ongoing investigations on behalf of the police or coroner.

Inadequate continuity planning increases risk of data loss and disruption

Government agencies and commercial entities depend on the timely and accurate analysis provided by ChemCentre. The ForLIMS and SIGNA applications allow ChemCentre to manage the volume and priority of jobs within the laboratories. While ChemCentre would be able to manage urgent cases through manual procedures, an outage of ForLIMS or SIGNA would likely result in delayed reporting to clients, reputational damage to ChemCentre and loss of clients.

ChemCentre has limited understanding of the potential impact of a disaster. In 2011, ChemCentre conducted some analysis on the potential impact of an extended outage of its applications. However, the scope was too limited and it has not revisited it since. Understanding this impact is essential; it allows ChemCentre to invest the right amount of money and effort into planning for system recovery, as well as the manual processes required to maintain operations during an outage.

Because of this limited analysis, ChemCentre’s current disaster recovery plans are not sufficient to recover the applications. These plans should be written with enough detail so that any person with the right skill set can recover the systems if required. A high level of detail also ensures that during a high-pressure recovery event, recovery steps are not missed and are performed consistently and correctly.

Backup tapes are kept but are not well managed. A key component of the recovery effort will be restoration of data from backup tapes. We found that the tapes are not removed from the tape library for up to 5 days after a backup is taken, increasing the chance of both the original data and the backup tapes being destroyed in a single disaster event. In addition, the tape library is located in the same room as the production servers, so both would be destroyed if, for example, flooding or fire occurred in that room. These issues expose ChemCentre to significant data loss in the event of a major incident or disaster.

We also noted that while there is an alternative facility available to run essential systems, ChemCentre has not purchased key hardware and would need to rapidly acquire and install this equipment following a disaster.

ChemCentre has not properly assessed risks to its laboratory information systems

ChemCentre’s current risk framework addresses the safety of its staff, but does not consider broader strategic and operational risks, including technology risks.

There is no guidance for the identification, assessment and treatment of technology risks, which can include information security incidents such as malware and unauthorised access, or computer outages. As a result, the ICT team conducts technology risk assessments in isolation from business objectives and strategies. While the ICT team will have good technical knowledge of the applications, they are unlikely to fully understand the impact of risks on business objectives.

ChemCentre also does not review how effectively its controls are operating. It is important to conduct regular reviews of controls to be sure they continue to address identified risks within business requirements. In addition, ChemCentre does not record control and risk treatment information in its risk register. A risk register helps communicate risk within an organisation. Without this information, ChemCentre cannot be fully aware of its technology risk, exposing it to a range of potential security, integrity and access issues.

Lack of strategic planning means applications may not meet future requirements

ChemCentre invests significant money and resources in the continued development of ForLIMS and SIGNA. A lack of short and long term planning along with inadequate documentation may jeopardise the ability for these applications to meet the organisation’s future needs.

ChemCentre has not properly planned for the long-term future of the applications. Strategic planning for applications is critical and should consider ChemCentre’s corporate strategy as well as issues such as technology changes, the need for two laboratory systems, and buy versus build. A lack of strategic, forward-looking planning has seen ForLIMS and SIGNA developed on unsupported environments, increasing the risk to IT and business operations.

ForLIMS and SIGNA are bespoke applications, created and maintained in-house by ChemCentre’s developers. This team is making continual enhancements to the systems to meet the changing needs of ChemCentre. However, ChemCentre does not have a formal software development process to ensure it is selecting the most suitable, cost-effective and timely enhancements.

ChemCentre does not have a change management procedure. This is necessary to ensure that it appropriately plans and approves changes to its applications. A key step in the development process is to test that the enhancement meets business requirements and does not introduce errors. ChemCentre has development and test environments in place. However, we found these to be on the same server as the production environment. In this configuration, development and/or testing activity could affect the production environment.

Recommendations

  1. By August 2017, ChemCentre should:

a. develop new and review existing security policies

b. update its risk management framework and conduct a risk assessment of ForLIMS and SIGNA. Update the risk register with the results of the assessment and develop treatment plans if required

c. conduct a business impact assessment and develop a disaster recovery plan for its key applications and services

d. review the process for managing software vulnerabilities, patches and updates

e. develop an IT strategic plan, software development process and update application documentation

f. ensure appropriate controls are in place to protect sensitive information.

Response from ChemCentre

ChemCentre welcomed the performance review of application controls for the two Laboratory Information Management Systems (LIMS) in operation within the organisation; Signa and ForLIMS. As a small agency (118 FTE in 2016-17) with limited IT staff resources, ChemCentre is appreciative of the assistance by the Auditor General’s office to improve its IT systems in this manner.

ChemCentre accepts fully the recommendations and has made significant progress to date in addressing each of the items raised. Issues with a higher risk designation (‘significant’ or ‘moderate’) have been given due priority and all items rated ‘significant’ have been completed.

In May 2017 ChemCentre absorbed the operations of the Commonwealth National Measurement Institute’s (NMI) Perth laboratory, along with 20 additional FTEs. This has required an exceptional investment in IT time and resources for the integration of new functionality into the existing Signa LIMS.

This one-off event has impacted the progress in addressing all the issues identified in the report.

Many of these remaining items will be addressed by the August deadline; however, despite recruiting additional IT staff resources, it is anticipated that some items will not be completed until shortly after this date.

 
