Dec 16, 2021 News
—AG says systems weak; info for COVID-19 Voucher Programme can be altered, corrupted or destroyed
Kaieteur News – Following his completion of a comprehensive performance audit on the COVID-19 Pandemic Assistance Voucher Programme for the period March to September 2020, Auditor General Deodat Sharma found several red flags with some of the agencies that were central to the execution as well as the preservation of the integrity of the programme.
The agencies which were involved included the Ministries of Finance, Communities and Social Protection; the National Data Management Authority (NDMA) and the Civil Defence Commission.
Of particular concern for Sharma was the role as well as the state of affairs of NDMA, the country’s sole data management agency. He noted that NDMA was responsible for assessing applications for vouchers valued between $25,000 and $32,000 in accordance with approved criteria established in the COVID-19 Pandemic Assistance Guidelines to ensure only eligible individuals received assistance.
Sharma stated, however, that the National Data Management Authority did not have adequate input controls to prevent inaccurate, incomplete and/or invalid data from being entered into the system. Sharma said this resulted in more than one application being processed for an applicant.
He further noted that an examination of the database revealed 71 instances where the accepted forms of identification, that is to say, a national identification card, a passport or a driver’s licence, were not entered in the system. In addition, there were twenty-five instances where duplicate applications were processed by the system.
Though NDMA did not respond to the audit finding, Sharma still made key recommendations which included that management ensure appropriate controls are implemented for Programmes of a similar nature so that all information accepted by the system is complete and in the required format, and applicants are uniquely identified to prevent duplicate entries being accepted by the system.
With special emphasis on General Information Technology and Application Controls, Sharma said it was expected that NDMA would have systems in place to ensure that access to the hardware, software, database and network established for the COVID-19 Pandemic Assistance Voucher Programme was “controlled, protected and secured.”
Much to his dismay, the AG discovered that NDMA did not ensure all applications and platforms were secured. As a result, Sharma said the information system related to the multi-million dollar voucher programme was exposed to security threats, which could alter, corrupt or destroy data.
While NDMA, once again, did not reply to the audit finding, Sharma still recommended that yearly security assessments of the management system be conducted to ensure continued security.
Citing another area of gross weakness, Sharma said it was found that not all users of the voucher database were programmed into the system according to their legal names. He said an examination of the database logs revealed that individuals had accessed the database using passwords ‘Administrator’ and ‘Analyst’. The Auditor General said this resulted in weakness of the controls established for the database. Therefore, unauthorised persons could have access to change or delete information. Sharma said this essentially left the voucher programme exposed to grave risk.
Speaking to other controls, the AG’s report states that NDMA is expected to have physical security controls in place for the facilities which house the servers and other information technology equipment, to ensure their proper functioning is maintained. In this regard, Sharma highlighted that NDMA has three layers of physical security in place to control access to its servers and other critical information technology equipment. He said the servers and equipment were only accessed with management’s approval and in the presence of a member of the Data Centre Services Unit.
He further noted, “We observed that the servers were housed in a specialized facility. They were placed on a concrete base that is elevated 3½ feet from the ground. This would be deemed inadequate taking into consideration that the city is prone to flooding. Industry best practices recommend that servers are located away from ground level to mitigate the risks of natural disasters, such as flooding.”
His report therefore recommended that NDMA ensure that the location housing the server room meets international best practices specifications to mitigate the risk of damage.
In conclusion, Sharma said, “…Although there were controls to protect the information technology equipment, these were not sufficient to ensure the confidentiality and integrity of the information system. This was evident as users shared common passwords.”
He added that no yearly security assessment was conducted on the online portal, which houses the COVID-19 Pandemic Assistance database, while highlighting that there were no Business Continuity and Disaster Recovery Plans in place. Also, Sharma highlighted that the servers were not fully protected from disasters.
Sharma and his office therefore concluded that the controls in place at NDMA were not adequate to ensure the security of the information system was maintained.
Caption: Auditor General, Deodat Sharma