Sean Thorpe | Robust plans needed to secure IT data
The claims of a second data breach of JamCOVID is not only worrisome about the safeguards of personal data of travellers; it also highlights a significant issue of data security, governance and trust that need to seriously be in place, no matter how real or perceived the problem is. These safeguards must be taken in account with the highest of priority, especially for mission-critical systems like this one.
As basic tenet to the deployment of any mission-critical and sensitive information system run albeit by government or otherwise is the need for data security and governance.
By data security one speaks of the need to enforce the CIA triad.
(i) Confidentiality (C) – authorised access control mechanisms for the use of the data.
(ii) Integrity (I) – implement accurate measures that safeguard the accuracy and consistency of the data.
(iii) Availability (A) – ensure that the platforms that hold your data in place are at all times accessible, especially for mission-critical systems like JamCOVID which needs to be available 24/7.
Hence, by data security the provisions are consistent with this three-point principle of CIA. Any violation of one or more of these three principles highlighted above would constitute a data breach. The issue here with government-supported computer applications is whether one or more of the three outlined principles were violated and this will help the public to understand the scale of the problem.
The Integrity principle in CIA speaks well to the need for strong data governance for Government Information Technology (IT) systems, and underscores the need for strong accountability. As a part of the accountability requirement there has to be a separation of duties and concerns relating to the developer of the applications used by Government and those who provide the continuous security service level requirement to these IT systems, which should have been in place from the project outset. And hence security by design as formal principle has to be a part of the management mindset for those who are responsible for these large-scale implementation projects. In a time such as these where data governance has strong references and implications under the data protection legislation, this concern has to be well managed and handled as it highlights trust or a lack of it as an outcome.
BREACH OF TRUST
A full investigation of the more than one alleged breach that is now reported does not augur well for the trust of government systems, especially when it plays out in a court of public opinion. Trust degrades with time and repeated experiences of data breaches, real or perceived, if there is no statement of action or accountability from the Government, and particularly from the actors responsible for managing these systems will increase the public tensions, especially when the alleged data breaches affect persons both inside and outside of Jamaica at the same time. If the breach is true, the implications of misuse of persons’ digital identity to conduct things like identity theft is a grave concern and underscores further the urgency to cauterise.
I would like to reiterate the need for authorised access control through passwords with strong encryption, specifically using X.509 encryption certificate transactions afforded through an internationally established Digital Certificate authority for which the Government would have in place as a part of it service level contractual agreements for these system roll-out. This is consistent with international best practice and standards that guide the deployment and use of these IT systems on roll-out.
If on investigation the case is that the transactions were digital signed transactions and there was a data breach, then this assumes that there are inherent vulnerabilities (internal and/or external to the organisation) that may warrant further forensic investigations against the critical technical infrastructure that was put in place, and the required remedial action and countermeasures for strengthening the security controls be urgently understood and addressed to avoid any further occurrences. Otherwise, the assumption would be that the applications rolled out by Government have zero security, and that in of itself could erode all trust. In both instances, there is need for public disclosure as a part of the transparency amid the calls for the shutdown of these mission-critical IT applications that we so heavily rely on in this time of a pandemic.
Professor Sean Thorpe is the immediate past president of the Jamaica Computer Society, and also the head of school of Computing and Information Technology, University of Technology, Jamaica. Send feedback to firstname.lastname@example.org