A4.1 Is there an information technology security policy for your country?
Background
Computer security, cybersecurity or information technology security is the protection of computer systems and networks from theft of or damage to their hardware, software or electronic data, and from disruption or misdirection of the services they provide. The security of information technology and of the paperless trade systems should give users the confidence to replace paper-based documents with electronic information or data.
A nation wishing to adopt paperless trade systems should establish an information technology (cyber)security policy at the national level. At that level, cybersecurity is a shared responsibility that requires coordinated action for prevention, preparation, response and incident recovery on the part of government authorities, the private sector and civil society. The main purpose of cybersecurity is to ensure the Confidentiality, Integrity and Availability (CIA) of data and services.
Expected Answers
- Yes - An information technology (IT) security policy has been established for the country, e.g. the policy established through a cyber-security law, an IT security policy and guidelines mandated by the Head of Government/the Cabinet or by the ICT/Digital Economy Ministry.
- No - There is no information technology security policy established at the national level.
Good Practices
IT-related security laws, along with security policies and practical guidelines, should be established at the national level. These cyber-security policies and related practices should be mandated at least for the critical IT infrastructures of the country. Cyber-security policies and guidelines should be promoted and practiced by businesses and citizens as necessary, according to the sensitivity of the systems they use.
An information technology security policy normally includes a framework for setting its objectives that considers all relevant business, legal, regulatory and contractual security requirements, together with the criteria and structure used for evaluating risk.
References and Case Studies
- Information Security Policy (ISO 27001), https://www.isms.online/iso-27001/information-security-policy/
- Information Security Operations Procedures, https://www.isms.online/iso-27001/annex-a-12-operations-security/
- Case Example: Cybersecurity Act, https://thainetizen.org/wp-content/uploads/2019/11/thailand-cybersecrutiy-act-2019-en.pdf
- Case Example: A National Cyber Strategy, https://www.whitehouse.gov/wp-content/uploads/2018/09/National-Cyber-Strategy.pdf
A4.2 If any of the systems mentioned in A2.1 “Electronic systems” have been implemented, what kind of security measures are in place to protect them from unauthorized access?
Background
Security, in the present context, refers to the system's ability to protect data and information from unauthorized access while still providing access to users and systems that are authorized. An action taken against a computer system with the intention of doing harm is referred to as an attack and can take a number of forms. It may be an unauthorized attempt to access data or services or to modify data, or it may be intended to deny services to legitimate users.
Several security measures should be in place to protect the paperless trade systems deployed in the country, e.g. e-Customs, e-Ports, e-Licenses, e-Certificates and e-Permits, from unauthorized access and attacks.
Expected Answers
- Yes - Security measures have been extensively established for the systems mentioned in section A2.
- Partially Yes - Security measures have been established only for some of the systems mentioned in section A2, or only some of the necessary security measures have been established.
- No - Security measures have not been established, or are so partially established that the systems mentioned in section A2 are not fully protected from unauthorized access or remain at high risk of attack.
Good Practices
It is recommended that a defense-in-depth security strategy be deployed for these highly sensitive paperless trade and single window systems, e.g. a multi-layered secure-zoning architecture for the primary data centers as well as for the disaster recovery data centers. Such multi-layered protection reduces the risk of attacks and unauthorized access.
Several security measures backed by specific hardware and software capabilities should be deployed, e.g. distributed denial-of-service (DDoS) protection, firewall equipment, cryptography, advanced persistent threat (APT) protection, secure software design and coding practices, regular risk assessments, penetration testing and vulnerability assessment.
References and Case Studies
- Defense-in-Depth and Multi-layered Zoning Architecture, https://ieeexplore.ieee.org/abstract/document/8426099
- NIST Cybersecurity Framework, https://www.nist.gov/cyberframework
- ISO 27001 Risk Assessment, https://www.itgovernance.co.uk/iso27001/iso27001-risk-assessment
- Penetration Testing, ISO/IEC 27001:2013 Information technology — Security techniques — Information security management systems — Requirements.
- Vulnerability Assessment, ISO/IEC 29147:2018 Information technology — Security techniques — Vulnerability disclosure.
A4.3 What kind of authentication mechanism is used to ensure security of information transmitted electronically?
Background
Authentication is the act of proving an assertion, such as the identity of a computer system user. Whereas identification is the act of indicating a person's or thing's identity, authentication is the process of verifying that identity. Several kinds of authentication mechanism are used to ensure the security of information transmitted electronically by a particular identified person.
Expected Answers
- Yes - An authentication mechanism has been established to ensure the security of information transmitted electronically between the intended parties or systems.
- No - No authentication mechanism has been established, or the security of information transmitted electronically between the intended parties or systems is not ensured.
Good Practices
There are generally three recognized types of authentication factors as follows:
- Type 1 - Something You Know - includes passwords, PINs, combinations, code words, or secret handshakes. Anything that the user can remember and then type, say, do, perform, or otherwise recall when needed falls into this category.
- Type 2 - Something You Have - includes all items that are physical objects, such as keys, smartphones, smart cards, USB drives and token devices. A token device produces a time-based PIN or can compute a response from a challenge number issued by the server.
- Type 3 - Something You Are - includes any part of the human body that can be offered for verification, such as fingerprints, palm scanning, facial recognition, retina scans, iris scans, and voice verification.
Multi-factor authentication is normally recommended as a method of logon verification in which at least two different factors of proof are required, adding an extra layer of security. Multi-factor authentication is preferred because it is much more difficult for an intruder to overcome. With just a password, an attacker needs only a single attack skill and a single successful attack to impersonate the victim. With multi-factor authentication, the attacker must have multiple attack skills and carry out multiple successful attacks simultaneously in order to impersonate the victim. This is extremely difficult and thus gives a more resilient logon solution, for the digital identification both of users and of the servers they communicate with.
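As an added worked example (not part of this guide or of any referenced standard), the following Python shows the two token mechanisms named above for the "Something You Have" factor, a time-based PIN (TOTP, RFC 6238, built on HOTP, RFC 4226) and a challenge-response computed from a server-issued number, and a logon check that requires a knowledge factor and a possession factor together. It uses only the standard library. The shared secret is the RFC 6238 test-vector secret, used here only so the PINs can be checked against the RFC; the user record, salt and password are constructed sample values, and the function names are this example's own.

```python
"""Added example: second-factor mechanisms from A4.3 (time-based PIN and
challenge-response) combined with a knowledge factor into a two-factor logon."""
from typing import Optional
import hashlib
import hmac
import secrets
import struct
import time

TIME_STEP = 30   # seconds per TOTP time step (RFC 6238 default)
DIGITS = 6       # PIN length displayed by most token devices
SKEW_STEPS = 1   # accept one step either side to tolerate clock drift

# RFC 6238 test-vector secret (ASCII "12345678901234567890"): used only so the
# PINs can be checked against the RFC, never as a real secret.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamically
    truncated to a 31-bit integer and reduced modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP) -> str:
    """TOTP (RFC 6238): HOTP with the counter taken from the current time step.
    This is what the token device computes and displays."""
    return hotp(secret, unix_time // step)


def match_totp(secret: bytes, submitted: str, unix_time: Optional[int] = None,
               used_counters=()) -> Optional[int]:
    """Server side: return the time-step counter the submitted PIN matches, or
    None. Accepts SKEW_STEPS either side of the current step, compares in
    constant time, and never matches a counter that has already been consumed."""
    now = int(time.time()) if unix_time is None else unix_time
    current = now // TIME_STEP
    for counter in range(current - SKEW_STEPS, current + SKEW_STEPS + 1):
        if counter in used_counters:
            continue
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return counter
    return None


def issue_challenge() -> bytes:
    """Server side: a fresh, unpredictable challenge number per logon attempt."""
    return secrets.token_bytes(16)


def token_response(secret: bytes, challenge: bytes) -> str:
    """Token side: the response is HMAC-SHA256(shared secret, challenge)."""
    return hmac.new(secret, challenge, hashlib.sha256).hexdigest()


def verify_response(secret: bytes, challenge: bytes, response: str) -> bool:
    """Server side: recompute the expected response and compare in constant time."""
    return hmac.compare_digest(token_response(secret, challenge), response)


def hash_password(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Stored form of the knowledge factor: salted PBKDF2-HMAC-SHA256, not plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def verify_password(password: str, salt: bytes, stored_hash: bytes) -> bool:
    return hmac.compare_digest(hash_password(password, salt), stored_hash)


# Constructed sample user record (not real credentials).
SAMPLE_SALT = b"constructed-salt"
SAMPLE_USER = {
    "salt": SAMPLE_SALT,
    "pw_hash": hash_password("correct horse battery", SAMPLE_SALT),
    "totp_secret": SECRET,
    "used_counters": set(),   # time steps already accepted for this user
}


def two_factor_logon(user: dict, password: str, pin: str,
                     unix_time: Optional[int] = None) -> bool:
    """Logon succeeds only when the knowledge factor (password) AND the possession
    factor (token PIN) both verify. Both are always evaluated, and the PIN is
    consumed only on success, so a failed password attempt cannot burn it."""
    know_ok = verify_password(password, user["salt"], user["pw_hash"])
    counter = match_totp(user["totp_secret"], pin, unix_time, user["used_counters"])
    if know_ok and counter is not None:
        user["used_counters"].add(counter)
        return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    pin = totp(SECRET, now)
    print("token PIN:", pin, "logon:", two_factor_logon(SAMPLE_USER, "correct horse battery", pin, now))
```

Two details matter beyond the arithmetic: every comparison is constant-time, and a PIN is consumed only on a successful logon, so a replayed PIN is rejected while a failed password attempt cannot burn the user's current code. In a real deployment the shared secret is provisioned to the token device once and stored server-side under the same controls as password hashes.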
To ensure the confidentiality of data exchanged between any two intended parties or systems, at least a secure transport protocol (e.g. HTTPS) must be employed. If a higher level of confidentiality is required, an additional encryption algorithm at the application software level could be deployed.
References and Case Studies
- Multi-factor authentication, https://www.globalknowledge.com/ca-en/resources/resource-library/articles/the-three-types-of-multi-factor-authentication-mfa/
- Case Example: A guideline for secure data exchange, https://uwaterloo.ca/information-systems-technology/about/policies-standards-and-guidelines/security/guidelines-secure-data-exchange-choosing-information
A4.4 What kind of communication protocol is used for electronic data exchange currently?
Background
There are several kinds of communication protocol that can be used for electronic data exchange in the paperless trade or single window systems. Sharing information about the communication protocol currently used in the country could be useful for future collaboration and lessons learned.
Good Practices
Different countries use different communication protocols for electronic data exchange. These include FTP (file transfer protocol), SFTP (secure file transfer protocol), HTTP (hypertext transfer protocol), the ASx (Applicability Statement) protocols, the ebXML messaging service protocol, and REST and web services over HTTP.
References and Case Studies
- Cross-border Single Window Interoperability: A Managerial Guide, https://www.unescap.org/resources/cross-border-single-window-interoperability-managerial-guide
- Electronic data interchange, http://tfig.itcilo.org/contents/recommendation-26.htm
- Communication Protocols, ISO 26000 Communication protocol.
- ebXML, http://www.ebxml.org/
- Representational state transfer, https://standards.rest/
- Web services, https://www.w3.org/standards/
A4.5 What is your country’s future plan and targeted timeline to enhance the security level in A4.1 and A4.2?
Background
Security, meaning the measures that protect information systems from threats such as attacks and unauthorized access, is crucial to creating trust and confidence in paperless trade systems. The country's future plan and targeted timeline to enhance the security of this infrastructure and these systems must be established.
Good Practices
An ICT risk assessment, e.g. based on ISO 27003 risk assessment procedures, along with vulnerability assessment and penetration testing, should be conducted on the country's paperless trade systems. The output of these assessments should be used to propose specific security measures and then to develop the country's future plan and targeted timeline for enhancing its security.
References and Case Studies
- ISO 27001 Risk Assessment, https://www.itgovernance.co.uk/iso27001/iso27001-risk-assessment
- Guide for Developing Security Plans, https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-18r1.pdf
- Case Example: Risk Assessment, https://pdfs.semanticscholar.org/59f3/dc37e451fb24d35ca14b14e84ad3da937b76.pdf
- Defense-in-Depth and Multi-layered Zoning Architecture, https://ieeexplore.ieee.org/abstract/document/8426099