In their report, made available recently, the committee members noted several instances where the central bank's IT integrity was vulnerable to breach owing to the slackness of existing checks.One instance pointed out by the committee involved an ex-employee who remained active on the bank's network domain and even once logged on at least four months after her employment ceased."The risk to the organisation is that unauthorised access to programmes and data may occur," the MPs noted in their assessment covering the year ended 31 March 2011.
"It is recommended that users that leave employment of the bank should be deactivated from all applications including the Bank of Botswana network domain immediately on termination of their employment."
The committee also noted that a user ID, bob01, on the BoB's domain was shared by five users, although it was only used for the purposes of logging on and not for other applications."The risk to the organisation is that unauthorised changes made by the Admin user ID may not be easily traceable as it is not used by one individual," the MPs' report reads."It is recommended that user IDs should be unique and be restricted to one user each. In the event that there is need to share user IDs, controls should be put in place to ensure accountability and traceability of the individuals who make use of the shared user ID".The legislators also found that IT system incidents were not being resolved as quickly as laid down in the BoB's service level agreement with providers. From a sample of five incidents which were to be resolved within 30 minutes and two hours according to the agreement, three were open and two had not been closed on time, during the audit."It is recommended that reported calls should be closed timeously as per the service level agreement," the MPs said.
