PAC to hear from PICA bosses about information security breaches
Auditor General Pamela Monroe Ellis found weaknesses in the administration of user accounts at PICA, an insufficiently enforced password policy, and unauthorised modification of records, which might result in user accounts being compromised and could facilitate identity theft.

THE Public Accounts Committee (PAC) is expected to get answers from the leadership of the Passport, Immigration and Citizenship Agency (PICA) today based on an auditor general information technology audit which found critical information security weaknesses that could put records and Jamaicans' identities at risk.

The discussions should focus on issues surrounding the lack of a robust access control system at PICA that Auditor General Pamela Monroe Ellis is concerned could cause unauthorised access and use of confidential information.

The audit report, covering the period 2015 to 2020, was tabled in the House of Representatives in September 2021. Monroe Ellis found weaknesses in the administration of user accounts, an insufficiently enforced password policy, and unauthorised modification of records, which might result in user accounts being compromised and could facilitate identity theft.

Between April 2018 and March 31, 2020, the agency spent over $469 million on information and communications technology (ICT).

According to the auditor general's report, PICA could not provide any evidence of management's review and approval of a nine-point ICT policy document.

“We also noted that though the policies were made available to staff, PICA did not conduct periodic sensitisation sessions to improve security awareness, culture and compliance of all users. The ICT policy was also not comprehensive as information security requirements related to access control, incident response and information backup were not addressed,” the report said.

Note was also made of a breach of the agency's password policy: all ICT staff and a director had their passwords set never to expire, in some cases for as long as six years and four months.

Monroe Ellis further pointed out that the passwords have been changed since the audit, but there is still no requirement in Active Directory for periodic changes by the officers. Where such users hold privileged access to PICA's systems, “intentional or unintentional password disclosure” may result in unauthorised modification of data and identity theft going undetected over an extended period.

Additionally, the auditor general found that ICT staff were assigned access rights both as end users and as administrators on the information system used to assess the validity of applicants' photographs before a passport is produced. This runs counter to the principle of least privilege, under which a user should be granted only the rights and permissions needed to perform their specific tasks.

Another security red flag was that user accounts were not promptly disabled when employees were separated from PICA. Notifications relating to eight employees with access to sensitive information reached the ICT unit between 29 days and more than a year after those employees had left the agency.

The investigation also revealed that the user accounts of 12 former PICA employees were used to log on to the network for periods of up to 171 days after their employment ended.
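The two findings above (passwords set never to expire, and accounts of separated staff that remain enabled and keep logging on) are the kind of thing an auditor or a security team can check mechanically by reconciling an HR separation list against a directory export and the logon records. The following script is an added illustration, not code from the audit or from PICA; the account names, dates and logon records in it are constructed sample data, and the audit date is assumed to be the end of the review period.

```python
"""Audit checks for two findings of the kind described above, run over
constructed sample data (illustrative only, not the audit's data):
  1. enabled accounts whose password is set never to expire;
  2. separated employees whose accounts are still enabled, and successful
     logons with those accounts after the separation date.
"""
from datetime import date, datetime

# HR separation list (constructed): account name -> last day of employment
LEAVERS = {
    "jdoe": date(2019, 3, 1),
    "asmith": date(2019, 6, 15),
    "bking": date(2019, 9, 30),
}

# Directory export (constructed), the fields one would pull with Get-ADUser:
# account, whether enabled, PasswordNeverExpires flag, and admin-group membership
DIRECTORY = [
    {"account": "ictadmin1", "enabled": True, "password_never_expires": True, "admin": True},
    {"account": "director1", "enabled": True, "password_never_expires": True, "admin": False},
    {"account": "clerk7", "enabled": True, "password_never_expires": False, "admin": False},
    {"account": "jdoe", "enabled": True, "password_never_expires": False, "admin": False},
    {"account": "asmith", "enabled": False, "password_never_expires": False, "admin": False},
    {"account": "bking", "enabled": True, "password_never_expires": True, "admin": True},
]

# Successful logons (constructed), reduced to (timestamp, account, host) as one
# would extract from Windows Security event 4624
LOGONS = [
    ("2019-02-27T09:00:00", "jdoe", "PICA-FS01"),
    ("2019-03-05T08:12:00", "jdoe", "PICA-FS01"),
    ("2019-08-20T17:45:00", "jdoe", "PICA-APP02"),
    ("2019-06-10T11:00:00", "asmith", "PICA-FS01"),
    ("2019-10-01T07:30:00", "bking", "PICA-DC01"),
    ("2019-10-02T07:31:00", "clerk7", "PICA-FS01"),
]

AUDIT_DATE = date(2020, 3, 31)  # assumed: end of the period under review


def never_expiring_passwords(directory):
    """Enabled accounts with 'password never expires' set, as (account, is_admin),
    privileged accounts listed first because they carry the most risk."""
    hits = [(u["account"], u["admin"]) for u in directory
            if u["enabled"] and u["password_never_expires"]]
    return sorted(hits, key=lambda h: (not h[1], h[0]))


def still_enabled_after_separation(directory, leavers, as_of):
    """Leavers whose account is still enabled on `as_of`, with the number of
    days the account has outlived the employment."""
    out = {}
    for u in directory:
        separated = leavers.get(u["account"])
        if separated is not None and u["enabled"]:
            out[u["account"]] = (as_of - separated).days
    return out


def post_separation_logons(logons, leavers):
    """For each leaver, successful logons after the last day of employment:
    (count, latest logon expressed in days after separation)."""
    out = {}
    for ts, account, _host in logons:
        separated = leavers.get(account)
        if separated is None:
            continue
        lag = (datetime.fromisoformat(ts).date() - separated).days
        if lag <= 0:  # logon on or before the last working day is expected
            continue
        count, worst = out.get(account, (0, 0))
        out[account] = (count + 1, max(worst, lag))
    return out


if __name__ == "__main__":
    print("Password never expires:", never_expiring_passwords(DIRECTORY))
    print("Leavers still enabled (days):",
          still_enabled_after_separation(DIRECTORY, LEAVERS, AUDIT_DATE))
    print("Logons after separation (count, max days):",
          post_separation_logons(LOGONS, LEAVERS))
```

On a real estate the directory rows would come from a `Get-ADUser` export and the logon records from the domain controllers' security logs; the reconciliation logic is the same. The third check is the important one, since a disabled flag set late tells you only that a gap existed, while logon records show whether the gap was actually used.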

