The Auditor General’s report states that information security at the Passport, Immigration, and Citizenship Agency (PICA) is vulnerable. The agency was found to be open to security breaches and even identity theft.
PICA manages the personal information of millions of Jamaicans. Given that PICA holds confidential information for its customers and employees, the expectation is that the entity will have strong controls in Information and Communication Technology (ICT). The Auditor General, in its report, found that the staff in charge of managing access to certain information were inconsistent in observing what is called the principle of least privilege.
The principle refers to an information security concept in which a user is given the minimum levels of access or permissions needed to perform his/her job functions. Within PICA, it was found that ICT staff were added to groups for an application that is used to verify the identity of someone in a picture before the creation of a passport. The audit found that three senior officers still had access to the facial recognition system even though they had been reassigned to other departments where access to the system was not needed.
This means the possibility exists that user accounts could be compromised or changed.
Additionally, it was found that PICA did not host sensitization sessions to improve security awareness among its users. Within PICA, it was found that all ICT members and a director did not have their passwords changed for up to 6 years, a violation of the agency’s password policy.
After the audit, the passwords were changed, but there is still no requirement for periodic changes by the officers. In a post-Cabinet press briefing, Minister of Information Fayval Williams addressed the ICT issue within PICA.
More in this CVM Live story from Jhanielle Powell: