A3 ICT Infrastructure for Paperless Trade

A3.2.1 (If A3.2 is yes) Is it integrated and secure?

Background

The systems of several agencies, e.g. e-Customs, e-Ports, e-Licenses, e-Certificates and e-Permits, should be integrated via this common or single network. The primary function of this network is to serve also as a secure channel for information exchange between the participating parties.

Expected Answers

• Yes - The systems mentioned in section A2.1 “Electronic systems” are integrated via a common or single network. The communication channel in this network is secure.
• No - The systems mentioned in section A2.1 “Electronic systems” are not integrated via a common or single network, or if they are integrated but the communication is not secure, e.g. using the open Internet network without secure channels to connect among different government agencies.

Good Practices

In many countries, a common or single network of interconnectivity among different regulatory agencies are established with a dedicated or secure network infrastructure. The network supported by cables/fiber optics and network equipment can be developed and used only for connecting government agencies, and they are not open to the public.

Other secure hardware and software technologies should be deployed to ensure the security and integrity of the system, e.g. using Virtual Private Network (VPN) software, HTTPS/SSL, and other encryption software/hardware equipment.

References and Case Studies

• Case Example: Government Information Network (GIN), https://www.dga.or.th/en/content/872/234/
• ICT for Trade and Transport Facilitation, https://www.unescap.org/sites/default/files/ICT%20for%20Trade%20and%20Transport%20Facilitation.pdf

A3.2.2 (If A3.2 is yes) Is it able to provide a high availability rate of minimum 99.9 percent in terms of service level agreement for trade data exchange in paperless environment?

Background

The availability and reliability of paperless systems including the network infrastructure is very important for the continuity of trade transactions. High availability should be the key characteristic of these systems, which aims to ensure an agreed service level. A high availability of minimum 99.9 percent of service level agreement is normally recommended which ensures the percent of uptime or the amount of time that the services are available and operational. A 99.9% uptime equates to 43 minutes and 50 seconds of downtime per month.

Expected Answers

• Yes - The network infrastructure and the paperless trade system can provide a high availability of minimum 99.9 percent in terms of SLA for trade data exchange in paperless environment.
• Partially Yes - The network infrastructure and the paperless trade systems cannot provide a high availability of minimum 99.9 percent in terms of SLA. It includes the scenario where the SLA conditions are maintained but for some systems but not all.
• No - The network infrastructure and the paperless trade system can offer an availability less than 99.9 percent in terms of SLA for trade data exchange.

Good Practices

High availability is a characteristic of a system which aims to ensure an agreed level of operational performance. It is usually measured by uptime or an amount of time that a system and its network remain operational even if one or more components fail.

There are several tactics to achieve high availability, e.g. using high quality hardware and backups, increasing fault tolerance with redundant equipment (e.g. two power supplies in the server, multiple internet connection, two firewalls, and two servers) and keeping spare parts available.

References and Case Studies

• Planning for network availability, https://www.ibm.com/support/knowledgecenter/en/POWER5/iphae_p5/highavailability.htm
• Creating a High Availability Strategy, https://searchservervirtualization.techtarget.com/tip/Create-a-high-availability-strategy-to-prevent-system-failure

A3.2.3 (If A3.2 is yes) Is it able to support various communication protocols?

Background

There are various options of communication and network protocols used by different systems, such as multi-protocol label switching (MLPS), Internet protocol (IP), virtual private network (VPN), and secure hypertext transfer protocol (HTTPS). The network infrastructure for paperless environment should support those various communication protocols to enable connectivity and interoperability between heterogeneous platforms.

Expected Answers

• Yes - The network infrastructure can support various communication protocols.
• Partially Yes - The network infrastructure can support only some communication protocols.
• No - The network infrastructure cannot support only one or two communication protocols.

Good Practices

In order to streamlining international trade supply chain operations among different stakeholders, the paperless trade systems need the capability to connect and interoperate with diverse ICT platforms of public and private stakeholders. Therefore, the network infrastructure and associated equipment must support multiple communication protocols in order to accommodate some specific protocols already used by the existing stakeholders' ICT platforms.

The multiple communication protocols should also cover several abstraction layers (e.g. transport layer or presentation layer). At least, international well-known and open protocols based upon the needs and requirements of the relevant agencies are normally included, for example, TCP/IP, HTTP, FTP, SSL, ebXML Messaging Services, SOAP, JSON, etc.

References and Case Studies

• Communication Protocols, ISO 26000 Communication protocol.
• The 7 layers of Open System Interconnectivity (OSI) model, https://www.iso.org/ics/35.100/x/
• Case Examples: Using ICT Infrastructure for cross-border paperless trade in Asia and the Pacific Region, http://www.apmenet.org/wp-content/uploads/2016/07/Practices-on-Using-ICT-Infrastructure-for-Cross-border-Trade-and-Supply-Chain-Connectivity-by-APEC-Economies.pdf

A3.2.4 (If A3.2 is yes) Is it able to provide secure information exchanges that ensure confidentiality and data integrity?

Background

When a document or information is exchanged between users using electronic systems, or between any two electronic systems, the system must ensure confidentiality (i.e. the information is private only for two parties of communications) and data integrity (i.e. the accuracy and consistency of data is maintained and assured over its entire life cycle).

Good Practices

Confidentiality and data integrity of the electronic information exchange between and among public and private stakeholders are very crucial for reliable and trust-worthy cross-border trade transactions.

The ICT infrastructure of the paperless trade system must ensure the confidentiality or privacy of data exchange only with the two intended parties. The communication infrastructure must also have the ability to ensure the exchanged data will not be tampered or un-intendedly changed during the communication.

It is also expected that the network be robust enough to safeguard from hacking.

Several measures to ensure secure information change normally include:

• Dedicated network infrastructure separating from the open-public network for some sensitive connectivity, e.g. government-to-government network connection.
• Virtual Private Networks, or other software measures to ensure security of communication channels for information exchange.
• Using encryption protocols, e.g. SSL, and also special hardwares and specific software to keep users' digital identities, to provide additional encryptions and authentication services.
• The ICT infrastructure should be designed with the defense-in-depth strategy, e.g. multiple ring-based zoning design, to increase the security level of the system.

References and Case Studies

• Confidentiality, Integrity and Availability, https://security.blogoverflow.com/2012/08/confidentiality-integrity-availability-the-three-components-of-the-cia-triad/
• Cryptography Concept, https://www.cryptomathic.com/news-events/blog/applying-cryptographic-security-services-a-nist-summary
• A Security Architecture Framework for Critical Infrastructure with Ring-based Nested Network Zones, https://ieeexplore.ieee.org/abstract/document/8426099
• Case Example: Privacy and Confidentialigy in EU, https://www.cr-online.de/17-06-29_vzbv-amendments_eprivacy-regulation.pdf

A3.2.5 (If A3.2 is yes) Is it designed to take into account future requirements such as device and technology upgrades?

Background

The current ICT infrastructure must be designed by talking into account future requirements such as mobile devices and technology upgrades as much as possible.

Expected Answers

• Yes - The ICT infrastructure especially its network equipment is designed with the ability of future device and technology upgrades and extension.
• No - The ICT infrastructure especially its network equipment is not designed with the ability of future device and technology upgrades.

Good Practices

The ICT infrastructure including its servers and supporting network equipment is normally designed with the possible future device and technology upgrades to a certain point. Scalability should be the property of the system to handle a growing amount of work by adding resources to the system. The potential of future expansion that should be considered, for example, increased number of users of the systems, increased number of ICT nodes of connectivity, future requirements of higher performances and throughput of electronic services.

It is also suggested that the network and equipment be free from vendor locking.

References and Case Studies

• Scalability, ISO/IEC 25010:2011 - Systems and software engineering - Systems and software Quality Requirements and Evaluation - System and software quality models.
• WCO Single Window Architecture, http://www.wcoomd.org/-/media/wco/public/global/pdf/topics/facilitation/instruments-and-tools/tools/single-window/compendium/swcompendiumvol2partvii.pdf

A3.3 Is the single window system, if implemented, interoperable with other systems?

Background

A single window (SW) system is generally defined as “a facility that allows parties involved in trade and transport to lodge standardized information and documents with a single-entry point to fulfill all import, export, and transit-related regulatory requirements. If information is electronic, then individual data elements should only be submitted once.” The World Trade Organization (WTO) Trade Facilitation Agreement, which entered into force in February 2017, has dedicated provisions on single window. This digital trade facilitation measure aims at reducing the regulatory burden for traders when completing import, export and transit-related procedures. It has emerged more than a decade ago and has become a core component of trade facilitation reforms. A single window system is considered as an important component of Cross border paperless trade initiative.

Expected Answers

• Yes - A single window system has been implemented to electronically connect eCustoms of Customs Authority, and e-Licenses, eCertificates and ePermit services of other regulatory agencies together. This SW enables cross-border traders to electronically submit regulatory documents at a single facility. Such documents are typically customs declarations, applications for import/export permits, and other supporting documents such as certificates of origin and trading invoices.
• Partially Yes - A single window system has been partially implemented to electronically. It connects only to some relevant government agencies, e.g. with e-Customs of Customs Authority, and some other regulatory agencies.
• No - A Single Window system has not been implemented to electronically connect e-Customs, e-Licenses, e-Certificates or e-Permits services.

Good Practices

The main value proposition for having a single window for a country is to increase the efficiency through time and cost savings for traders in their dealings electronically instead of physically with government authorities for obtaining the relevant clearance and permit(s) for moving cargoes across national borders.

The single window facility aims to deliver specific benefits to the main communities and stakeholders in cross-border trade, e.g. government (customs, permit-issuing agencies, Ministries and other trade monitoring bodies), shipping and forwarding community, shippers and traders, banking and insurance community.

In a cross-border environment, SW can facilitate single point authenticated data sharing with counterparts in other jurisdictions in trusted environment.

References and Case Studies

• UN/CEFACT Recommendation No. 33 - Recommendation and Guidelines on Establishing A Single Window, http://www.unece.org/fileadmin/DAM/cefact/recommendations/rec33/rec33_trd352e.pdf
• UNNExT Single Window Planning and Implementation Guide, https://unnext.unescap.org/content/single-window-planning-and-implementation-guide-0
• Single Window Repository, https://www.unece.org/cefact/single_window/welcome.html

A3.5.1 Is there a policy for the establishment of a disaster recovery plan at the agency level?

Background

A disaster recovery plan (DRP) of any electronic systems, including for example a data center that houses ICT infrastructure and paperless trade systems, is a business plan that describes how work can be resumed quickly and effectively after a disaster. When the paperless trade systems are in operations, a DPR is essential to ensure that the effects of operating disruptions are properly mitigated. A policy for a disaster recovery plan must be established at the agency level for its electronic system.

Expected Answers

• Yes - There is a disaster recovery plan for all ICT systems supporting paperless trade at the agency level, e.g. at the Customs Authority, and at other regulatory agencies.
• Partially Yes - There is a disaster recovery plan for some ICT systems supporting paperless trade at the agency level.
• No - There is no policy and no mitigation plan for disaster recovery at the agency level.

Good Practices

Disaster recovery focuses on the ICT or electronic systems supporting critical business functions of the organization, as opposed to business continuity, which involves keeping all essential aspects of a business functioning despite significant disruptive events. Disaster recovery can therefore be considered as a subset of business continuity.

Disaster Recovery involves a set of policies, tools and procedures to enable the recovery or continuation of the vital ICT infrastructure and systems following a natural or human-induced disaster. The tools and procedures include, for example, routine backups, having spare parts and redundancies, and also having a disaster recovery data center at a different seismic zone along with a primary data center.

References and Case Studies

• ISO 22301:2012 Societal security - Business continuity management systems - Requirements.
• ISO/IEC 27031:2011 Information technology - Security techniques - Guidelines for information and communication technology readiness for business continuity.
• Steps for Disaster Recovery Plan, https://www.softchoice.com/blogs/advisor/uncategorized/9-steps-to-building-a-disaster-recovery-plan

A3.5.1.1 Please indicate level of implementation for the disaster recovery plan (specify percentage of agencies).

Background

It is important that a disaster recovery plan established at the agency level has been tested and practices to ensure successful recovery when really facing the actual disaster.

Expected Answers

• Yes - all agencies having trade-related electronic systems have established and implemented the agencies' disaster recovery plan, e.g. developing and testing/practicing the DRP of each individual agency.
• Partially Yes - Some agencies have implemented, conducted and tested their own DRP, but some agencies have not so yet.
  • Description expected - please specify % of agencies which have implemented and tested their DRPs.
• No - No agency has implemented nor tested its own DRP yet.

Good Practices

Disaster recovery policies, procedures and plans must be carried out routinely, e.g. backups. It is important to test and practice those disaster recovery plans at specified frequencies, e.g. testing/practicing shutting down the primary data center (PDC) and operating on the disaster recovery center (DRC), and then switching back to PDC. This is to ensure that the system could be recovered successfully whenever any actual disaster occurs.

References and Case Studies

• ISO 22301:2012 Societal security - Business continuity management systems - Requirements.

• ISO/IEC 27031:2011 Information technology - Security techniques - Guidelines for information and communication technology readiness for business continuity.

A3.5.2 Is there a policy for the establishment of a disaster recovery plan at the national level?

Background

A national policy must be put in place for the establishment of a disaster recovery plan for any critical electronic systems in the country. It is essential to ensure the effects of operating disruptions on any of those electronic systems are properly mitigated.

Expected Answers

• Yes - There is an established disaster recovery plan at the national level for coordinating among different government and business stakeholders of the national paperless trade platform.
• No - There is no disaster recovery plan for the paperless trade system at the national level.

Good Practices

A disaster recovery plan (DRP) for the paperless trade systems of a country is a business plan that describes how work can be resumed quickly and effectively after a disaster.

Disaster recovery policies, procedures and plans at the national level should be established. Normal steps for building disaster recovery plan include: perform a risk assessment, define criticality of applications and data, define recovery objectives, evaluate and update your plan, determine the right tools and techniques, get stakeholder buy-in, document and communicate the plan, test and practice the DR plan, and evaluate and update the plan regularly.

References and Case Studies

• ISO 22301:2012 Societal security - Business continuity management systems - Requirements.
• ISO/IEC 27031:2011 Information technology - Security techniques - Guidelines for information and communication technology readiness for business continuity.
• Steps for Disaster Recovery Plan, https://www.softchoice.com/blogs/advisor/uncategorized/9-steps-to-building-a-disaster-recovery-plan

A3.5.2.1 Please indicate whether the disaster recovery plan is implemented at the national level.

Background

It is important that a disaster recovery plan established at the national level has been tested and practices to ensure successful recovery when really facing the actual disaster.

Good Practices

Disaster recovery policies, procedures and plans established at the national level must be the mandate for all government agencies having critical electronic systems. Those agencies should conduct testing and practicing of these disaster recovery plans in a regular basis.

References and Case Studies

• ISO 22301:2012 Societal security - Business continuity management systems - Requirements.

• ISO IEC 27031:2011 Information technology - Security techniques - Guidelines for information and communication technology readiness for business continuity.

A3.6 Does your country have a business continuity plan for paperless trade systems?

Background

Business continuity planning (BCP) is the process of creating systems of prevention and recovery to deal with potential threats to the normal operations. In addition to prevention, the goal is to enable ongoing operations of government and business users before and during execution of disaster recovery. The country should establish a business continuity plan for paperless trade systems since the systems are very important for the continuity of operations of traders and controlling agencies.

Good Practices

A Business Continuity Plan outlines a range of disaster scenarios and the steps the government and business stakeholders will take in any particular scenario to return to regular trade and regulatory operations. BCP's are written ahead of time and can also include precautions to be put in place. Usually created with the input of key staff as well as stakeholders, a BCP is a set of contingencies to minimize potential harm to businesses during adverse scenarios.

Business continuity is the intended goal of proper execution of Business continuity planning and Disaster recovery before and during the real disaster incidents, therefore it is very important that the BCP plan should be tested and practiced before the real incidents’ occurrence.

References and Case Studies

• Steps for business continuity exercises, https://www.continuitycentral.com/feature1290.html
• Best Practices for Business Continuity, https://www.thebci.org/training-qualifications/good-practice-guidelines.html
• A Case Example, http://www.bousai.go.jp/kyoiku/kigyou/pdf/guideline03_en.pdf

A3.6.1 (If A3.6 is yes) Is it regularly tested at defined frequency?

Expected Answers

• Yes - The business continuity plan for paperless trade systems has been established, and regularly tested and practiced.
• No - The business continuity plan has been established but never been nor regularly tested.