Security Lapse

An information technology audit of the Passport, Immigration and Citizenship Agency (PICA) has uncovered critical information security weaknesses which could expose records and put people's identities at risk of theft.

A report on the information technology audit commissioned by Auditor General Pamela Monroe Ellis for the period 2015/2016 to 2019/2020 was tabled in the House of Representatives yesterday.

“Absence of a robust access control system may result in unauthorised access and use of confidential information. Additionally, weaknesses in the administration of user accounts, combined with an insufficiently enforced password policy, may result in the compromise of user accounts, unauthorised modification of records and enable identity theft,” she reported.

Monroe Ellis said because the agency did not apply a structured approach to its management of information risks there was no assurance that the likelihood and impact of significant risks were appropriately evaluated and control mechanisms put in place.

“The exploitation of the vulnerabilities may result in reputational damage, loss of life, financial loss, and legal actions where there is unauthorised disclosure of customers’ personal data,” she said.

The auditor general noted that, although international best practice recommends that a user should only be granted the rights and permissions needed to perform their tasks, PICA’s information and communications technology (ICT) staff were assigned access rights as end users as well as administrators on the information system used to assess the validity of an applicant’s photographic image prior to the production of a passport.

“We further noted that user provisioning procedures were inconsistently followed as authorisation requests for seven or 30 per cent of the employees recruited between 2017 and 2020 could not be located by PICA,” the report said.

Furthermore, user accounts were not promptly disabled when staff left the agency: separation notices for eight employees with access to sensitive information reached the ICT unit between 29 days and more than a year after those employees had been separated.

“Our analysis also revealed that the user accounts of 12 former employees were used to log on to the network for periods of up to 171 days after the relevant officer’s separation,” Monroe Ellis said.
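The conditions reported above (ICT staff holding both end-user and administrator rights on the same system, accounts left enabled long after separation, and former employees' accounts still logging on) can all be checked mechanically from three records an agency already holds: the role assignments on the system, HR separation dates, and the authentication log. The script below is an added example written for this page; it is not code from PICA or from the audit. The account names, dates, role labels and log layout are constructed sample data and assumptions, chosen only so that the checks reproduce the kinds of figures the report describes.

```python
from collections import defaultdict
from datetime import date

# --- Constructed sample inputs (not from the audit report) -------------------

# Role assignments on the image-validation system: (account, role).
# Field layout and role names are assumptions.
ROLE_ASSIGNMENTS = [
    ("jdoe", "end_user"),
    ("jdoe", "administrator"),      # same account holds both roles
    ("asmith", "end_user"),
    ("ict_svc1", "administrator"),
    ("ict_svc1", "end_user"),       # same account holds both roles
    ("bbrown", "end_user"),
]

# HR separation records: account -> last working day.
SEPARATIONS = {
    "asmith": date(2019, 3, 1),
    "bbrown": date(2019, 6, 15),
    "cjones": date(2018, 11, 30),
}

# Date on which ICT actually disabled the account (missing = never disabled).
DISABLED = {
    "bbrown": date(2019, 7, 20),
    "cjones": date(2018, 11, 30),
}

# Authentication log entries: (account, login date, outcome).
LOGINS = [
    ("asmith", date(2019, 2, 27), "success"),  # before separation, fine
    ("asmith", date(2019, 8, 19), "success"),  # 171 days after separation
    ("bbrown", date(2019, 6, 20), "success"),  # 5 days after separation
    ("bbrown", date(2019, 6, 21), "failure"),  # failed attempt, not counted
    ("jdoe", date(2019, 7, 1), "success"),     # current employee
    ("cjones", date(2018, 11, 29), "success"), # last day before separation
]


# --- Checks ------------------------------------------------------------------

def dual_role_accounts(assignments, admin_role="administrator", user_role="end_user"):
    """Least-privilege check: accounts that hold BOTH the end-user and the
    administrator role on one system. Returns a sorted list of account names."""
    roles = defaultdict(set)
    for account, role in assignments:
        roles[account].add(role)
    return sorted(a for a, r in roles.items() if {admin_role, user_role} <= r)


def disable_sla_breaches(separations, disabled, sla_days=1):
    """Deprovisioning check: for each separated employee, how many days after the
    last working day the account was disabled. Returns {account: lag_days} for
    accounts disabled later than sla_days, with None when never disabled."""
    breaches = {}
    for account, last_day in separations.items():
        when = disabled.get(account)
        if when is None:
            breaches[account] = None
        elif (when - last_day).days > sla_days:
            breaches[account] = (when - last_day).days
    return breaches


def post_separation_logins(logins, separations):
    """Log review: successful logins by an account after its owner's last working
    day. Returns {account: worst_lag_days}, i.e. the longest observed gap."""
    worst = {}
    for account, when, outcome in logins:
        last_day = separations.get(account)
        if outcome != "success" or last_day is None or when <= last_day:
            continue
        lag = (when - last_day).days
        worst[account] = max(worst.get(account, 0), lag)
    return worst


if __name__ == "__main__":
    print("accounts holding end-user AND admin roles:", dual_role_accounts(ROLE_ASSIGNMENTS))
    print("accounts not disabled within SLA:", disable_sla_breaches(SEPARATIONS, DISABLED))
    print("logins after separation (worst lag, days):", post_separation_logins(LOGINS, SEPARATIONS))
```

On the constructed data the first check returns the two accounts that carry both roles, the second reports one account never disabled and one disabled 35 days after the last working day, and the third shows one account used 171 days after separation and another 5 days after. In practice the separation list comes from HR, the disable dates from the directory, and the login list from the authentication log; the same three joins apply regardless of the platform.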

The report also noted that between 2015/2016 and 2019/2020 PICA engaged a company to deploy network devices and perform network configurations without requiring the company or its employees to sign a formal confidentiality or non-disclosure agreement.

“We also found that four new employees were given access to government information and personal data without completing the Official Secrets Act Declaration, while standard security vetting procedures were not performed for three individuals employed for up to three years,” Monroe Ellis reported.

The agency has since indicated that a confidentiality agreement will be implemented for all existing stakeholders by the end of the third quarter, and that preliminary steps taken to have the network design documented were put on hold due to financial constraints.

PICA spent over $469 million on ICT between April 2018 and March 31, 2020.