PAC to hear from PICA bosses about information security breaches
THE Public Accounts Committee (PAC) is expected to get answers from the leadership of the Passport, Immigration and Citizenship Agency (PICA) today based on an auditor general information technology audit which found critical information security weaknesses that could put records and Jamaicans’ identities at risk.
The discussions should focus on issues surrounding the lack of a robust access control system at PICA that Auditor General Pamela Monroe Ellis is concerned could cause unauthorised access and use of confidential information.
The audit report covering the period 2015 to 2020 was tabled in the House of Representatives in September 2021. Monroe Ellis found weaknesses in the administration of user accounts, an insufficiently enforced password policy, and unauthorised modification of records, which might result in user accounts being compromised, and could facilitate identity theft.
Between April 2018 and March 31, 2020, the agency spent over $469 million on information and communications technology (ICT).
According to the auditor general’s report, PICA could not provide any evidence of management’s review and approval of a nine-point ICT policy document.
“We also noted that though the policies were made available to staff, PICA did not conduct periodic sensitisation sessions to improve security awareness, culture and compliance of all users. The ICT policy was also not comprehensive as information security requirements related to access control, incident response and information backup were not addressed,” the report said.
Note was also made of a breach of the agency’s password policy, where all ICT staff and a director had their passwords set to never expire for up to six years and four months.
Monroe Ellis further pointed out that since the audit, the passwords were changed, but there is still no requirement within the Active Directory for periodic changes by the officers, which means if the users have privileged access to PICA’s systems, “intentional or unintentional password disclosure” may result in unauthorised modification of data and identity theft going undetected over an extended period.
Additionally, the auditor general found that ICT staff were assigned access rights as end users, as well as administrators, on the information system used to assess the validity of applicants’ photographs prior to the production of a passport — a practice which runs counter to the recommendation that a user should only be granted the rights and permissions needed to perform their specific tasks.
Another security red flag raised was that user accounts were not promptly disabled when employees were separated from PICA. This resulted in notifications relating to eight employees with access to sensitive information being sent to the ICT unit between 29 days and over a year after they no longer worked at the agency.
The investigation also revealed that the user accounts of 12 former PICA employees were used to log on to the network for periods of up to 171 days after their employment ended.
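The three findings above (passwords set to never expire, no forced periodic change for privileged users, and leavers' accounts left enabled and used for months) are all visible in Active Directory itself. The following PowerShell script is an added example, not code from the auditor general's report or from PICA, showing how an administrator can audit a domain for exactly these conditions using the Microsoft ActiveDirectory module. The 90-day inactivity threshold, the admin group names and the `leavers.csv` file with `SamAccountName` and `SeparationDate` columns (assumed to be exported from HR) are assumptions for the example.

```powershell
# Added example: audit Active Directory for the account-hygiene weaknesses
# described in the audit findings. Requires the RSAT ActiveDirectory module
# and a domain-joined host with read access to user objects.
Import-Module ActiveDirectory

$InactiveDays = 90                          # assumed threshold; set per local policy
$Cutoff       = (Get-Date).AddDays(-$InactiveDays)
$AdminGroups  = '^CN=(Domain Admins|Enterprise Admins|Administrators),'   # assumed list

# Finding 1: enabled accounts whose password is flagged "never expires",
# with the password age and whether the account sits in a privileged group.
$NeverExpires = Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $true } `
        -Properties PasswordLastSet, MemberOf |
    Select-Object SamAccountName, PasswordLastSet,
        @{ Name = 'PasswordAgeDays'
           Expression = { if ($_.PasswordLastSet) { ((Get-Date) - $_.PasswordLastSet).Days } else { $null } } },
        @{ Name = 'InAdminGroup'
           Expression = { [bool]($_.MemberOf | Where-Object { $_ -match $AdminGroups }) } }

# Finding 2: enabled accounts with no logon inside the threshold window.
# Leavers whose accounts were never disabled typically surface here.
$Stale = Get-ADUser -Filter { Enabled -eq $true } -Properties LastLogonDate |
    Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -lt $Cutoff } |
    Select-Object SamAccountName, LastLogonDate

# Finding 3: cross-check the HR leavers list (assumed CSV: SamAccountName,SeparationDate).
# Flags leavers who are still enabled, or whose account logged on after separation.
$Leavers = @()
if (Test-Path .\leavers.csv) {
    $Leavers = Import-Csv .\leavers.csv | ForEach-Object {
        $u = Get-ADUser -Identity $_.SamAccountName -Properties LastLogonDate -ErrorAction SilentlyContinue
        if ($null -eq $u) { return }           # account already deleted; nothing to check
        $sep = [datetime]$_.SeparationDate
        [pscustomobject]@{
            SamAccountName       = $u.SamAccountName
            StillEnabled         = $u.Enabled
            LastLogonDate        = $u.LastLogonDate
            DaysUsedAfterLeaving = if ($u.LastLogonDate -and $u.LastLogonDate -gt $sep) {
                                       ($u.LastLogonDate - $sep).Days } else { 0 }
        }
    } | Where-Object { $_.StillEnabled -or $_.DaysUsedAfterLeaving -gt 0 }
}

# Summary on screen, full detail to CSV for the audit trail.
"Enabled accounts with non-expiring passwords : $(@($NeverExpires).Count)"
"Enabled accounts inactive > $InactiveDays days : $(@($Stale).Count)"
"Leavers still enabled or used after leaving  : $(@($Leavers).Count)"
$NeverExpires | Sort-Object PasswordAgeDays -Descending | Format-Table -AutoSize
$Leavers      | Sort-Object DaysUsedAfterLeaving -Descending | Format-Table -AutoSize

$NeverExpires | Export-Csv -NoTypeInformation -Path .\never-expiring-passwords.csv
$Stale        | Export-Csv -NoTypeInformation -Path .\stale-enabled-accounts.csv
$Leavers      | Export-Csv -NoTypeInformation -Path .\leavers-not-offboarded.csv
```

The script only reads; disabling accounts (`Disable-ADAccount`) or clearing the never-expires flag is a separate step taken after each row is reviewed. The durable fixes are the ones the audit points at: a domain password policy with a maximum password age that applies to ICT and director accounts too, and an offboarding process that delivers the separation date to the ICT unit on the day it happens rather than 29 days to a year later, so the third query returns nothing.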