QATAR: Protecting end-user devices – key takeaways from performance audits of government entities in Qatar

12.12.2024

For the past 5 years the State Audit Bureau of Qatar (QSAB) has focused heavily on carrying out IT performance audits at government entities. As part of these audits, while reviewing IT asset management we have also assessed the physical security of end user devices. Physical security for end user devices is not only good risk management, but also a value-for-money proposition wherein protection costs less than incident management and recovery. However, at times value-for-money in security is difficult to assess and quantify, and it might also conflict with an entity’s security objectives. Perhaps an anecdote from one of our audits might highlight this dilemma.

During one of our audits, we went for a tour of the main store and as soon as we entered the building, we observed a large number of used laptops and desktops stacked on top of each other. In certain cases, these went all the way up to the ceiling! The asset tags were missing from a significant number of devices and there was no visible way to trace devices to and from the IT asset register. We asked the store keeper if there was a way to trace a sample of assets, and he said we could go with the serial numbers (which were also not updated for all assets in the register). We shared with him our sample list, to which he responded “Ok. Give us till the end of the week to find these devices and we will bring them to you!”

In the above scenario, in addition to highlighting poor controls over tracking of end user devices, we also reported a large number of used, and in some cases obsolete, devices that were being kept in storage for a long period of time. Management’s response to this was that they were not comfortable disposing of the used and obsolete assets since some of the devices might still have data on them. Even for those devices that were formatted and sanitized as per industry standards, Management was not keen to dispose of these due to the perceived risk of unauthorized data recovery. This raises the question: at what point do you draw the line between over-protection and obtaining value-for-money from the disposal of end user devices?

The above case was complicated further by inconsistent data removal practices in the past and a lack of proper tracking of assets, without which there was no assurance that data recovery could be prevented. Fortunately, this is not the current state of affairs in most of the entities we have audited in the State of Qatar. There were a couple of entities who were extra cautious when it came to disposals, but the majority had a clear process for destruction of hard drives, and for selling or donating the remaining equipment.

There are more than 200,000 government employees in the State of Qatar, and most of these are provided an end user device; at times even an additional one to two devices. Procuring end user devices for such a large workforce is not only a financially significant investment, but also expands the entity’s attack surface. Furthermore, we noted that the general practice at government entities is to buy equipment as opposed to leasing it. In most cases, no cost-benefit assessment had been performed as to why this approach was selected (buy vs lease). In addition to other considerations, such an assessment would have proactively identified upfront any associated security costs and implications across the asset lifecycle.


Regarding the asset lifecycle, we also observed that recording and tracking end-user devices was a weak area across multiple entities. We realized that there were a number of issues that contributed to the ineffective tracking of end user devices including but not limited to:

  1. Asset registers not being updated in a timely manner.
  2. Inconsistent or absent asset tagging.
  3. Lack of integration between Finance’s and IT’s asset registers.
  4. IT adopting Finance’s capitalization policy and thus not recording assets below a certain value.

If entities do not have complete visibility of the devices they own and manage, then there will always be gaps in security, especially physical security – you can only protect what you are aware of. Moreover, if a device goes missing and IT management is unaware of it, this increases the risk of a data breach or the device being used to launch a cyber-attack.

Since these are performance audits, in addition to highlighting weaknesses we also needed to identify their impact. Some of the impacts included:

  1. Identification of missing devices - staff were unable to locate these and were unaware that these had gone missing.
  2. Gaps between the cost and quantity of devices received as per Finance records and the IT asset registers.
  3. New unused end user devices still in storage; in some cases, up to a period of 10 years.
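The contributing issues and impacts listed above are, in effect, a set of cross-checks between the Finance and IT asset registers. The following is an added example (not QSAB's audit tooling) that runs those checks over two small constructed registers for a hypothetical entity: it separates Finance devices that IT never recorded into a policy gap (items below an assumed capitalization threshold) and an unexplained gap (possibly missing devices), flags untagged devices, quantifies the count and cost gap, and lists devices held in storage longer than an assumed 10-year limit.

```python
from datetime import date

# Constructed sample registers for a hypothetical entity (not data from the audits).
# Finance records what was paid for; IT records what it tracks and where it is.
CAPITALIZATION_THRESHOLD = 2000.0   # assumed Finance policy: items below this are not capitalized
FINANCE = [
    {"serial": "SN1001", "cost": 3500.0, "received": date(2014, 3, 1)},
    {"serial": "SN1002", "cost": 3500.0, "received": date(2014, 3, 1)},
    {"serial": "SN2001", "cost": 1800.0, "received": date(2022, 6, 15)},
    {"serial": "SN3001", "cost": 4200.0, "received": date(2023, 1, 10)},
    {"serial": "SN4001", "cost": 4200.0, "received": date(2023, 1, 10)},
]
IT = [
    {"serial": "SN1001", "asset_tag": "QA-0001", "status": "in_storage", "received": date(2014, 3, 1)},
    {"serial": "SN1002", "asset_tag": "",        "status": "assigned",   "received": date(2014, 3, 1)},
    {"serial": "SN3001", "asset_tag": "QA-0003", "status": "assigned",   "received": date(2023, 1, 10)},
]


def reconcile(finance, it, threshold=CAPITALIZATION_THRESHOLD,
              today=date(2024, 12, 12), max_storage_years=10):
    """Cross-check the two registers and return the audit findings as a dict of lists/values."""
    it_by_serial = {r["serial"]: r for r in it}

    # Devices Finance paid for that IT does not track at all.
    missing = [r for r in finance if r["serial"] not in it_by_serial]
    # Split: a policy gap (IT skipped sub-threshold items) versus an unexplained gap (possibly lost).
    policy_gap = sorted(r["serial"] for r in missing if r["cost"] < threshold)
    unexplained = sorted(r["serial"] for r in missing if r["cost"] >= threshold)

    # Tracked by IT but never recorded by Finance, or tracked without a physical tag.
    not_in_finance = sorted(set(it_by_serial) - {r["serial"] for r in finance})
    untagged = sorted(s for s, r in it_by_serial.items() if not r["asset_tag"].strip())

    # Devices sitting in storage longer than the allowed period (approximate year length).
    stale = sorted(
        r["serial"] for r in it
        if r["status"] == "in_storage" and (today - r["received"]).days > max_storage_years * 365
    )

    return {
        "count_gap": len(finance) - len(it),                     # Finance quantity minus IT quantity
        "cost_gap": round(sum(r["cost"] for r in missing), 2),   # value of devices IT cannot account for
        "policy_gap": policy_gap,
        "unexplained": unexplained,
        "not_in_finance": not_in_finance,
        "untagged": untagged,
        "stale_storage": stale,
    }
```

In a real engagement the two registers would be exported from the finance system and the IT asset tool and loaded in place of the constructed lists; the "unexplained" list is the sample an auditor would then ask the store to physically locate.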

Generally, indicating the impact of findings in our reports increases the acceptability of our recommendations. This is all the more pertinent given that senior management is business oriented and less technical, and can therefore more easily understand the implications of findings expressed in these terms. By improving this one aspect of physical security, i.e. IT having complete visibility of end user devices and being able to track them throughout their lifecycle, it is hoped that protection of end-user devices will ultimately improve as well.

Each end user device that connects to an entity’s network increases the entity’s threat exposure. Therefore, it is essential to physically secure these end user devices to improve the entity’s overall security posture. The loss of a device is not just a monetary loss, but also puts the entity’s data (a.k.a. the new gold!) at risk, which could ultimately lead to loss of reputation and competitive advantage. SAIs reviewing cybersecurity at government entities are well aware of the age-old adage that the weakest link in security is the employee; shouldn’t we therefore be more focused on assessing the physical security of the devices used by those employees?

Osman Qazi

IT Expert
State Audit Bureau – Qatar
Majlis Al-Ta'awon St., West Bay, Burj Al-Deeble
Doha, State of Qatar

Office: +974 4020 0682
Mobile: +974 6698 4799