Audit Findings and Recommendations for PICA's IT Governance

Information Technology Audit Report Information Technology Audit Report PASSPORT, IMMIGRATION AND CITIZENSHIP AGENCY Information Security

The Citizenship responsible for: Passport, Immigration Agency and (PICA) is PICA s Role PICA s Role Accepting applications. Managing process. Handling matters related to applications for and renunciation citizenship. and processing passport the island s immigration of Jamaican

Audit Objectives Audit Objectives To determine whether PICA s information security controls are effective and will prevent or reduce the likelihood of IT security risks and impact on its operations. To determine the effectiveness of PICA s IT governance and compliance with standards that are applicable to its Information and Communication Technology (ICT) operations.

What we found What we found Management structures and processes for proper oversight of the ICT function and effective management of IT risks. did not establish relevant IT Governance Absence of formal access control policies and procedures heightened the risk of security breaches. Information Security Management

IT Governance IT Governance PICA developed a five-year ICT Road Map with ICT investments of approximately US$13.3 M to provide guidance on its ICT governance, enterprise architecture, enterprise systems and the targeted application of its ICT resources . ICT strategic goals were established but the objectives were not clearly defined or aligned to PICA s corporate objectives for the 2018-2023 financial years. Priority projects were not highlighted for each financial year to reduce the risk of conflicts and project delays.

IT Risk Management IT Risk Management PICA Management (ERM) framework in its strategic planning process; this involved an analysis of technological risks to the achievement of its corporate objectives. adopted an Enterprise Risk However, formal risk assessments of its software, hardware, users, data and information were not conducted to identify and evaluate risks from ICT threats and vulnerabilities.

High High dependence dependence on Network Network Administrator s Administrator s knowledge rather rather than than documentation documentation of of the network network topology topology may extensive extensive restoration restoration delays, key key personnel personnel are are separated separated. on a a third third party knowledge party and and the may contribute contribute to to delays, where where

Four Four new given given access information information and without without completing completing the Secrets Secrets Act Act new employees employees were access to to Government Government and personal personal data were data the Official Official Declaration Declaration. . The The standard standard security procedures procedures performed performed for for three employed employed for for up security vetting were were three individuals individuals up to to 3 3 years vetting not not years. . Adequate Adequate controls controls were prevent prevent or or reduce fire fire at at two two of of PICA s with with ICT ICT approximately approximately $ $13 environmental environmental not in in place place to to reduce the the risk PICA s locations assets assets 13. .5 5 M M. were not risk of of locations valuing valuing

Information Security Policies Information Security Policies Critical security requirements related to access control, incident response and information backup were not developed. PICA s Password Policy was not enforced as user accounts of six ICT staff members and a director did not require periodic password changes. PICA s ICT policy document bore no evidence of management review and approval.

Poor Access Control practices increase risk of Security Breaches Separation notifications for eight employees, with access to sensitive information, were sent to the ICT Unit between 29 and 386 days after the respective officer s separation date. User accounts of 12 employees used to access the network periods of up to 171 days after the relevant separation. ICT staff were assigned access rights as end users, as administrators, on the information used to assess the validity of an applicant s photographic prior to the production of a passport. former were Authorization requests for 30 percent of the employees between 2017 and 2020 could not be located by PICA. well as recruited for system officer s image,

What should be done What should be done Information Security Management IT Governance Security policies and procedures should be implemented to ensure confidentiality, integrity and availability of PICA s data and systems. PICA should adopt a governance framework that establishment of formal structures to provide oversight and guide the strategic direction of the IT function to ensure alignment of ICT and business objectives, delivery of value and risk management. promotes the Immediate steps should be taken to review all user rights and permissions to ensure that access is only granted based on the roles and functions performed by employees within the Agency.

A better Country through effective audit scrutiny