Investigation summaries

Operation Barron

In April 2016, IBAC commenced an investigation into allegations that a VicRoads employee engaged in serious corrupt conduct by accessing, altering and disclosing sensitive vehicle registration and licensing information without authorisation, and that this information was then being disclosed to associates from outlaw motorcycle gangs.

In April 2016, IBAC commenced an own motion investigation into allegations that a VicRoads employee engaged in serious corrupt conduct by accessing, altering and disclosing sensitive vehicle registration and licensing information without authorisation.

It was alleged the employee was disclosing this information to a family member who then shared it with associates from outlaw motorcycle gangs. IBAC commenced Operation Barron to identify the extent of this alleged offending.

Outcome

IBAC substantiated the allegations of unauthorised information access, alteration and disclosure, and identified more than 40 instances of this having occurred.

In March 2018, the VicRoads employee pled guilty to misconduct in public office, and was convicted and sentenced to a two-year Community Corrections Order.

IBAC publishes responses to our investigations to inform the community about actions agencies advise they are taking, and to share learnings that may help other agencies improve their systems and practices to prevent corruption and misconduct.

  • Operation Barron identified a number of corruption vulnerabilities that enabled the employee to conceal their conduct at VicRoads. IBAC identified opportunities for VicRoads to strengthen its information security practices and auditing processes to address the corruption vulnerabilities identified in this investigation. These included:

    • review systems, policies and procedures in relation to auditing user access to registration and licensing systems, responsible use of VicRoads' information (including recording reasons for accessing and altering information), and the role of managers and supervisors in supervising employees’ access to databases.
    • provide training and education to ensure all employees understand the requirements regarding the appropriate use, access and alteration of information across VicRoads platforms, and that supervisors and managers are trained regarding their obligations.

    In January 2019, VicRoads provided a response to IBAC, outlining the key actions it had taken to address the corruption vulnerabilities identified in Operation Barron.

  • Auditing of user access to all registration and licensing systems including how supervisors monitor employee usage

    VicRoads has taken a comprehensive approach to profiling its existing systems, policies and practices for user access in relation to all Registration & Licensing systems, including how supervisors monitor employee usage. VicRoads has undertaken several system and asset reengineering process improvements including:

    1. Developed and implemented a role-based access control framework for system users
    2. Established a review and control program for high-risk business transactions
    3. VicRoads’ 2019/20 Internal Audit Program includes a review of all role-based access controls within Registration & Licensing systems and ongoing review of high-risk business transactions.
    4. Registration & Licensing core business systems continue to have a predefined set of exception reports which are distributed monthly to all supervising staff for review and action.

    Victorian Protective Data Security Framework

    VicRoads has received confirmation from the Office of the Victorian Information Commissioner that its Protective Data Security Plan (PDSP) complies with the Victorian Protective Data Security Framework, pursuant to Part 4 of the Privacy and Data Protection Act 2014.

    VicRoads' PDSP contains a comprehensive and detailed hierarchy of planned information security uplift activities and access control strategies for implementation in 2019/2020.

    Some of the corruption vulnerabilities identified in Operation Barron around information security access may be mitigated by measures VicRoads is progressing under its PDSP.

    Responsible use of VicRoads information, including recording reasons for accessing and altering information in registration and licensing databases

    VicRoads commissioned an assessment on the functionality and design standards required to strengthen staff accessing and/or altering information in Registration & Licensing databases.

    VicRoads has received a proposed solution to address the recommendation; however, the significant cost associated with implementing the solution, and its overall value, have led VicRoads to explore other alternatives.

    In addition, VicRoads' PDSP security uplift program of works will strengthen the organisation’s personnel security framework across 2018/2019, supported by the development of operational policies and procedures to screen all current and potential employees, and provide ongoing assurance standards for handling of security clearances.

    Other information security issues associated with VicRoads databases, including Lotus Notes databases

    VicRoads is undertaking a program of work to improve the organisation’s knowledge and capabilities in target domains, and will implement solutions in business Quarter 1, 2019.

    In addition, VicRoads' PDSP security uplift program of works includes a security risk profile assessment of the organisation’s critical information assets, including the development of treatment plans for implementation across 2018/19. Work will also commence on undertaking a security risk profile assessment of VicRoads' non-critical information assets post 2019.

    The role of managers and supervisors in supervising employees' access to VicRoads databases to ensure access is for legitimate purposes and complies with VicRoads requirements

    VicRoads has a zero-tolerance approach to incidents of fraud and corruption and is strengthening its Fraud Risk Management strategies and awareness programs across the organisation.

    VicRoads has revised and updated its fraud risk assessment framework to enhance awareness of potential fraud exposure and treatment plans, including a hierarchy of control standards at the manager and supervisory level that includes legitimacy codes, access commands and a transaction review and control program across VicRoads databases.

    IBAC also identified opportunities for VicRoads to provide training and education to employees to ensure:

    All employees understand the requirements regarding the appropriate use, access and alteration of information across VicRoads systems, including registration and licensing information and Lotus Notes platforms

    VicRoads maintains a comprehensive employee awareness and training framework underpinned by the Code of Conduct for Victorian Public Sector employees. The framework entails a confluence of specific training packages in 'Information Security Awareness' and 'Acceptable IT Use' for all VicRoads employees. The successful completion of training and support modules is monitored by VicRoads and exception reports are provided to line-management for resolution.

    In addition, VicRoads provides training in 'Responsible IT Use' governed by policy, that clearly outlines VicRoads' protocols and standards for accessing core Registration & Licensing systems for all permanent and contract staff across the organisation.

    Supervisors and managers responsible for monitoring other employees' access to VicRoads registration and licensing information are adequately trained regarding their accountabilities and associated systems, policies and procedures

    VicRoads is supporting the Registration & Licensing leadership team to develop a targeted role-based training platform aimed at managers, team leaders and operational staff who perform supervisory functions. It is expected that the revised training framework and program of support services will add an explicit focus on communication, ownership and responsibility for actively finding opportunities to strengthen business operations. The program of work will be rolled out to Registration & Licensing managers in early 2019.

    In addition, VicRoads' PDSP security uplift program of work includes a dedicated security training and awareness strategy for 2018/2019, with planned implementation by 2019/2020.

    IBAC asked VicRoads to advise of any management action in relation to inadequate supervision

    VicRoads has discussed the findings of the Operation Barron report with the named supervisory staff. VicRoads advises that appropriate steps have been taken to support and enhance the employees' awareness, skills and approach to managing information security issues across the business.