More IT security for PICA
The Passport, Immigration and Citizenship Agency (PICA) says assessment of its data has found no unauthorised disclosure of customers’ personal information, and that none of the former employees referred to in a recent auditor general’s report had access to the agency’s network after they were separated from the entity. Head of PICA Andrew Wynter and his team appeared before the Public Accounts Committee (PAC) on Tuesday to provide a point-by-point response to the auditor general’s report of an information technology audit of the agency, which was released in September 2021. Wynter explained that all the agency’s systems are part of a closed network, with all servers being on site and protected by a firewall and other systems that ensure access through any nefarious means is “reduced to an absolute minimum”.
“We also check our networks regularly, and monitor our networks to ensure that any attempts are captured and also checked. We have done several checks over the years to ensure that our networks and security systems are kept in a very sterile environment, and only ICT personnel have access. And ordinary employees, including myself, do not have access to these facilities, except through whatever permission we are granted,” he outlined.
In its further response to the auditor general’s findings, PICA said it accepts the fact that without a structured approach to the management of ICT risks, the exploitation of vulnerabilities may exist, and that this is why the agency established a risk management committee from as far back as 2014, which identified significant ICT risks.
However, PICA said, an assessment of its databases and stored data has so far indicated that there is no unauthorised disclosure of customers’ personal data.
According to the auditor general’s briefing to the PAC, these assessments of the agency’s databases and data were in relation to the finding about the accounts of 12 former employees being used to log on to PICA’s network after their separation.
“The entity did not provide any evidence of assessments conducted to identify internal and external risks of unauthorised disclosure,” Auditor General Pamela Monroe Ellis maintained. Wynter noted that the audit did not identify any breaches of its network. He said PICA recognised the importance of risk management for ICT operations and had started a number of initiatives, including the restructuring of the ICT unit, and recruiting an information security officer.
As it relates to poor access control increasing the risk of security breaches, PICA pointed out that no employee, or any other individual outside of the agency, can access its network without being given authorised access through a virtual private network (VPN).
Additionally, access to application systems and files is secured through another level of control governed by password protocols: “In alignment with the above, checks by the agency revealed that none of those 12 former employees had VPN access and as such, they were not able to access the agency’s network after their departure,” the management assured the PAC.
In response to that claim, Monroe Ellis noted that her report does not refer to the former staff members obtaining access via a VPN, and that examination of the Active Directory had shown that the last logon date for the 12 employee accounts occurred after they were no longer employed by PICA.
“It should be noted that where access is gained to the network while on the entity’s premises, access via a VPN is not required,” Monroe Ellis said.
She added, “The AuGD was presented with a report on the assessment of the databases and data store performed by the CIO [chief information officer] on October 1, 2021. The investigation, inter alia, sought to determine whether the 12 separated employees whose accounts were active after separation had VPN access or whether the users authenticated from the active directory to the VPN access list. The assessment concluded that there was no unauthorised access by the separated employees.”
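The check the auditor describes, comparing Active Directory last-logon dates against HR separation dates, can be automated as part of an offboarding review. The script below is an added illustration, not PICA's or the AuGD's own tooling; the HR list and AD export it reads are constructed sample data, and the column names assume a CSV export such as one produced from `Get-ADUser`.

```python
"""Flag directory accounts used after, or left enabled after, separation.

Added example: joins an HR separation list with an AD export and reports
accounts that logged on after the separation date or are still enabled.
Both inputs are constructed sample data, not real records.
"""
import csv
from datetime import date, datetime
from io import StringIO

# Constructed sample: HR separation list (username -> last working day).
HR_SEPARATIONS = """username,separation_date
jdoe,2021-03-15
asmith,2021-05-31
bbrown,2021-06-30
"""

# Constructed sample: AD export. Note that lastLogonTimestamp is a
# replicated attribute and may lag the true last logon by up to 14 days;
# for a precise audit, correlate with logon events (4624) from each DC.
AD_EXPORT = """sAMAccountName,enabled,lastLogonTimestamp
jdoe,True,2021-04-02T09:14:00
asmith,False,2021-05-28T17:55:00
bbrown,True,
cwhite,True,2021-09-01T08:00:00
"""


def load_csv(text):
    return list(csv.DictReader(StringIO(text)))


def find_orphaned_accounts(hr_text, ad_text):
    """Return one finding per separated user whose account was used after
    separation or remains enabled; current employees are out of scope."""
    separations = {r["username"]: date.fromisoformat(r["separation_date"])
                   for r in load_csv(hr_text)}
    findings = []
    for row in load_csv(ad_text):
        user = row["sAMAccountName"]
        if user not in separations:
            continue
        sep = separations[user]
        raw = row["lastLogonTimestamp"]
        last = datetime.fromisoformat(raw).date() if raw else None
        logon_after = last is not None and last > sep
        still_enabled = row["enabled"] == "True"
        if logon_after or still_enabled:
            findings.append({"user": user, "separation_date": sep.isoformat(),
                             "last_logon": last.isoformat() if last else None,
                             "logon_after_separation": logon_after,
                             "still_enabled": still_enabled})
    return findings
```

An account that was disabled on or before the separation date and shows no later logon (asmith in the sample) produces no finding; an enabled account with no recorded logon (bbrown) is still reported, since a dormant enabled account is the condition the audit warned about.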
In the meantime, PICA said it has been implementing almost all of the recommendations made by the auditor general, including the establishment of a risk management committee which was formed in August 2021, specifically for IT.
Wynter also pointed to implementation of a risk register, which is a structured approach to address areas such as risk identification, status, impact, mapping, and response strategy. The agency head also outlined to the committee the security changes already effected, along with those being implemented as a result of the audit, complete with completion timelines.
He said persons being employed by PICA must present criminal records, and that a social enquiry is conducted on these individuals.