The Jamaica Gleaner posted an article on February 26, 2021, about securing Jamaica’s IT data. Below are some key highlights:
- (iii) Availability (A) – ensure that the platforms that hold your data in place are at all times accessible, especially for mission-critical systems like JamCOVID which needs to be available 24/7
- As a part of the accountability requirement there has to be a separation of duties and concerns relating to the developer of the applications used by Government and those who provide the continuous security service level requirement to these Information Technology (IT) systems, which should have been in place from the project outset
- Trust degrades with time and repeated experiences of data breaches, real or perceived, if there is no statement of action or accountability from the Government, and from the actors responsible for managing these systems will increase the public tensions, especially when the alleged data breaches affect persons both inside and outside of Jamaica at the same time
- I would like to reiterate the need for authorised access control through passwords with strong encryption, using X.509 encryption certificate transactions afforded through an internationally established Digital Certificate authority for which the Government would have in place as a part of it service level contractual agreements for these system roll-out
- If on investigation the case is that the transactions were digital signed transactions and there was a data breach, this assumes that there are inherent vulnerabilities that may warrant further forensic investigations against the critical technical infrastructure that was put in place, and the required remedial action and countermeasures for strengthening the security controls be urgently understood and addressed to avoid any further occurrences
Reference(s):