NIRA has put Uganda as a country and Ugandans in a very hazardous situation as far as Information security is concerned. All the concerned agencies; NITA, UCC and Ministry of ICT need to up their game and invoke their mandate to bring NIRA to order. It seems to me that all the investment by government in the National ID project is a complete waste. I wish to substantiate my contention. But before going into details, I wish to capture your attention to NIRA outlets, see those long queues of Ugandans suffering to secure an authentic ID, do you know why those queues never reduce day in, day out?
I am aware of the fact that the Ugandan National ID platform depends on large-scale database and bio-metrics technology. These are critical aspects to the countries surveillance, security and citizenship.
I followed all laid procedure and obtained a National ID which expires on 09th November 2024. On 15th May 2018, I went to buy a new sim-card at one of the telecom shops. I was subjected to the new procedure of scanning my national ID to verify validity. I found that alright. My shock was when the biometric device tried to verify my left thumb print. It could not match which what was scanned on my national ID. The telecom staff tried several devices but none could match. This was around 1pm in the afternoon. I later found out that almost all verification that day were not successful. The telecom staff simply told me to go to NIRA for data recapture. This was the same solution they were giving to all clients that day. As an information security specialist, many things run in my mind but most importantly was if the data on these National IDs is authentic. Definitely it is not.
This I can prove to NIRA if given chance. Solution is I have to get a new ID because the current technology in use cannot even edit this data. A new one has to be produced. Question is, of all National IDs that have been given out since project started, how many have accurate data? This can be proved by the queues of Ugandans at NIRA who wish to do ID replacements, simply because the biometric data found on their IDs does not match with actual data. What does this mean, all ID produced are a waste. How much money was spent for this process before National ID issuance? All that I am trying to say above is what we call data integrity in Information security.
Data integrity is the assurance that data records are accurate, complete, intact, and maintained within their original context, including their relationship to other data records and aims to prevent unintentional changes to information. It refers to maintaining and assuring the accuracy and consistency of data over its entire life-cycle, including the usage of any system which stores, processes, or retrieves data.
Ensuring data integrity means protecting original data from accidental or intentional modification, falsification, malicious intent (fraud), or even deletion (data loss). Data integrity and security are closely linked because Integrity as an attribute of Information Security TRIAD (CIA – Confidentiality, Integrity and Availability).
Confidentiality is roughly equivalent to privacy. Measures undertaken to ensure confidentiality are designed to prevent sensitive information from reaching the wrong people, while making sure that the right people can in fact get it: Access must be restricted to those authorized to view the data in question. It is common, as well, for data to be categorized according to the amount and type of damage that could be done should it fall into unintended hands. More or less stringent measures can then be implemented according to those categories.
Integrity involves maintaining the consistency, accuracy, and trustworthiness of data over its entire life cycle. Data must not be changed in transit, and steps must be taken to ensure that data cannot be altered by unauthorized people or data must be kept accurate from capture stage to usage stage.
Availability is the situation where information is available when and where it is rightly needed. The main concern in the CIA triad is that the information should be available when authorized users need to access it. Availability is maintained when all components of the information system are working properly. Problems in the information system could make it impossible to access information, thereby making the information unavailable.
What is the implication of the above 3 Information security goals?
The CIA triad goals are basic factors in information security. Information security protects valuable information from unauthorized access, modification and distribution. The CIA triad guides information security efforts to ensure success. There are instances when one of the goals of the CIA triad is more important than the others. It is up to the ICT team, the information security personnel, or the individual user to decide on which goal should be prioritized based on actual needs. Thus, the CIA triad requires that organizations and individual users must always take caution in maintaining confidentiality, integrity and availability of information.
For the case of NIRA in my situation, data Integrity was breached. I have not taken time to examine the other 2 information security goals (Confidentiality and availability). But in most cases a breach in one goal breaches all the goals. This means all the investment in this project is a waste and Ugandan cannot benefit. This could be the reason why the government has completely failed to offer e-services to the citizens. In my opinion, it is one organization that has successfully achieved the e-services goal that is Uganda Revenue Authority. But with NIRA as the central point for citizen database, Uganda has a long way to achieve e-services. Nothing can be achieved with such a mess at NIRA. My situation also proves what I have been reading in the media about NIRA management. Most likely there is a competence issue in that place.
As of now, I and millions of Ugandans cannot enjoy any service in Uganda whose prerequisite is a national ID. How shall we attain middle income with such situations in government entities? Uganda is blessed with a large number of technical human resource, why can’t they be used to clean up this mess? Ugandans are the ones making countries shine elsewhere, why not Uganda. NIRA needs a thorough overhaul if that investment that government made is to be seen as worth the effort and value for money.
In conclusion, for Ugandan Information and Communication Technology regulators to maintain their reputation if any and move this country forward, Data integrity is one of the most important parameter. I will in future take time and examine other attributes about citizen’s data at NIRA. These could be some of the reasons why for long Uganda does not score well on the Global ICT development Index.
The Writer is an ICT specialist with 15 years of experience in ICT management, ICT Infrastructure, Information Security and Project management.
No comments:
Post a Comment