A4 Security

A4.1 Is there an information technology security policy for your country?

Background

Computer security, cybersecurity or information technology security is the protection of computer systems and networks from the theft of or damage to their hardware, software, or electronic data, as well as from the disruption or misdirection of the services they provide. The security of information technology and of paperless trade systems should give users the confidence to replace paper-based documents with electronic information or data.

A nation that wishes to adopt paperless trade systems should establish an information technology cybersecurity policy at the national level. At the national level, cybersecurity is a shared responsibility which requires coordinated action for prevention, preparation, response, and incident recovery on the part of government authorities, the private sector and civil society. The main purpose of cybersecurity is to ensure Confidentiality, Integrity, and Availability (CIA) of data and services.

Expected Answers
  • Yes - An information technology (IT) security policy has been established for the country, e.g. the policy established through a cyber-security law, an IT security policy and guidelines mandated by the Head of Government/the Cabinet or by the ICT/Digital Economy Ministry.
  • No - There is no information technology security policy established at the national level.
Good Practices

IT-related security laws along with security policies and practical guidelines should be established at the national level. These cyber-security policies and related practices should be mandated at least for the critical IT infrastructures of the country. Cyber-security policies and guidelines should also be promoted among and practiced by businesses and citizens as necessary, based on the sensitivity of the systems they use.

An information technology security policy normally includes a framework for setting its objectives by considering all relevant business, legal, regulatory and contractual security requirements; the criteria for the evaluation of risk and its structure.

References and Case Studies

A4.2 If any of the systems mentioned in A2.1 “Electronic systems” have been implemented, what kind of security measures are in place to protect them from unauthorized access?

Background

Security, in the present context, refers to the system's ability to protect data and information from unauthorized access while still providing access to users and systems that are authorized. An action taken against a computer system with the intention of doing harm is referred to as an attack and can take a number of forms. It may be an unauthorized attempt to access data or services or to modify data, or it may be intended to deny services to legitimate users.

Several security measures should be in place to protect the paperless trade systems deployed in the country e.g. e-Customs, e-Ports, e-Licenses, e-Certificates and e-Permits, from unauthorized access and attacks.

Expected Answers
  • Yes - Security measures have been extensively established for the systems mentioned in section A2.
  • Partially Yes - Security measures have been established but only for some of the systems mentioned in section A2, or only some, not all, of the necessary security measures have been established.
  • No - Security measures have not been established, or they are only partially established, so that the systems mentioned in section A2 are not fully protected from unauthorized access or still face high risks of attack.
Good Practices

It is recommended that a defense-in-depth security strategy be deployed for these highly secure paperless trade and single window systems, e.g. using a multi-layered secure-zoning architecture for the primary data centers as well as for the disaster recovery data centers. This multi-layered security protection could reduce the risk of attacks or unauthorized access.

Several security measures with specific hardware and software capabilities should be deployed, e.g. distributed denial-of-service (DDoS) protection, firewall equipment, cryptography, advanced persistent threat (APT) protection, secure software design and coding practices, regular risk assessments, penetration testing, and vulnerability assessment.

References and Case Studies

A4.3 What kind of authentication mechanism is used to ensure security of information transmitted electronically?

Background

Authentication is the act of proving an assertion, such as the identity of a computer system user. In contrast with identification, the act of indicating a person or thing's identity, authentication is the process of verifying that identity. There are several kinds of authentication mechanism used to ensure security of information transmitted electronically by a particular identified person.

Expected Answers
  • Yes - The authentication mechanism is established for ensuring security of information transmitted electronically between intended parties or systems.
  • No - The authentication mechanism has not been established or the security of information transmitted electronically between intended parties or systems is not ensured.
Good Practices

There are generally three recognized types of authentication factors as follows:

  • Type 1 - Something You Know - includes passwords, PINs, combinations, code words, or secret handshakes. Anything that the user can remember and then type, say, do, perform, or otherwise recall when needed falls into this category.
  • Type 2 - Something You Have - includes all items that are physical objects, such as keys, smart phones, smart cards, USB drives, and token devices. A token device produces a time-based PIN or can compute a response from a challenge number issued by the server.
  • Type 3 - Something You Are - includes any part of the human body that can be offered for verification, such as fingerprints, palm scanning, facial recognition, retina scans, iris scans, and voice verification.

Multi-factor authentication is normally recommended as a method of logon verification where at least two different factors of proof are required, adding an extra layer of security. Multi-factor authentication is preferred, as it is much more difficult for an intruder to overcome. With just a password, an attacker only has to have a single attack skill and wage a single successful attack to impersonate the victim. With multi-factor authentication, the attacker must have multiple attack skills and wage multiple successful attacks simultaneously in order to impersonate the victim. This is extremely difficult, and multi-factor authentication is thus a more resilient solution for logon or for digital identification of users or of the servers to be communicated with.

To ensure confidentiality of data exchange between any two intended parties or systems, at least a secure transport protocol (e.g. HTTPS) must be employed. If a higher level of confidentiality is required, an additional encryption algorithm at the application software level could be deployed.
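The sketch below is an added example, not part of the original questionnaire: it combines a Type 1 factor (a password checked against a salted PBKDF2 hash) with a Type 2 factor (the time-based PIN a token device produces, computed here per RFC 6238) and grants logon only when both pass. The account record, the function names and the PBKDF2 work factor are assumptions made for illustration; the token secret is the published RFC test key.

```python
import hashlib
import hmac
import os
import struct

PBKDF2_ROUNDS = 600_000  # assumed work factor for this example

def hash_password(password: str, salt: bytes) -> bytes:
    """Type 1 factor: store only a salted, slow hash of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 one-time PIN: HMAC-SHA1 over the counter, then truncate."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based PIN: the counter is the number of elapsed steps."""
    return hotp(secret, unix_time // step, digits)

def pin_is_valid(secret: bytes, pin: str, unix_time: int, window: int = 1) -> bool:
    """Type 2 factor: accept the current step +/- `window` to allow clock drift."""
    current = unix_time // 30
    ok = False
    for counter in range(max(0, current - window), current + window + 1):
        # Constant-time comparison, no early exit on a match.
        ok |= hmac.compare_digest(hotp(secret, counter).encode(), pin.encode())
    return ok

def login(record: dict, password: str, pin: str, unix_time: int) -> bool:
    """Multi-factor logon: both factors are always evaluated and both must pass."""
    knows = hmac.compare_digest(hash_password(password, record["salt"]),
                                record["pw_hash"])
    has = pin_is_valid(record["token_secret"], pin, unix_time)
    return knows and has

# Constructed sample account; the token secret is the RFC 6238 test key.
SALT = os.urandom(16)
ACCOUNT = {"salt": SALT, "pw_hash": hash_password("correct horse", SALT),
           "token_secret": b"12345678901234567890"}

if __name__ == "__main__":
    now = 59  # constructed timestamp matching the RFC 6238 test vector
    print(login(ACCOUNT, "correct horse", totp(ACCOUNT["token_secret"], now), now))
```

A PIN is accepted only within one 30-second step either side of the server clock, so a captured PIN stops working shortly after it is observed.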

References and Case Studies

A4.4 What kind of communication protocol is used for electronic data exchange currently?

Background

There are several kinds of communication protocol that can be used for electronic data exchange in the paperless trade or single window systems. Sharing information about the communication protocol currently used in the country could be useful for future collaboration and lessons learned.

Good Practices

Different countries have used different communication protocols for electronic data exchange. Some of these are FTP (file transfer protocol), SFTP (secure file transfer protocol), HTTP (hypertext transfer protocol), ASx protocols, ebXML messaging service protocol, REST and web services over HTTP.

References and Case Studies

A4.5 What is your country’s future plan and targeted timeline to enhance the security level in A4.1 and A4.2?

Background

Security, meaning the measures that protect information systems from threats such as attacks and unauthorized access, is crucial in creating trust and confidence in the paperless trade systems. The country’s future plan and targeted timeline to enhance the security of this infrastructure and these systems must be established.

Good Practices

The ICT risk assessment, e.g. based on ISO 27003 risk assessment procedures, along with vulnerability assessment and penetration testing, should be conducted on the paperless trade systems of the country. The output from these assessments should be utilized to propose specific security measures and then to develop the country's future plan and targeted timeline to enhance its security.

References and Case Studies

 

Glossary
  1. Paperless trade refers to the digitization of these information flows, including making available and enabling the exchange of trade-related data and documents electronically. Less formally, one can think of this as cross-border trade transactions using electronic data in lieu of paper-based documents.
  2. “Electronic Customs System (e-Customs)” is an automated Customs administration system with several electronic supporting functions to efficiently facilitate and effectively regulate Customs-related procedures.

    More specifically, key functions of the e-Customs system include: electronic lodgement of Customs declarations using online connections, the use of risk management software applications to reduce Customs clearance times and physical examination of shipments, automated calculation and e-payment to facilitate collection of duties and taxes, and services to ensure the uniform application of laws and regulations.

  3. “An Electronic Port System (e-Port), or a Port Community System (PCS)” is a neutral and open electronic platform enabling intelligent and secure exchange of information between public and private stakeholders in order to improve the competitive position of the sea and air ports’ communities.

    ePort optimises, manages and automates port and logistics processes through a single submission of data and connecting transport and logistics chains.

    e-Port handles electronic communication in ports between the private transport operators (shipping lines, agents, freight forwarders, stevedores, terminals, depots), the private hinterland (pre- and on-carriage by road, rail and inland waterways), the importers and exporters, the port authorities, Customs and other authorities.

  4. “An Electronic License System (e-Licenses)” is a government department’s software application for issuing import or export related licenses. Some of its key features and automation include electronic lodgment of applications, validation of submitted data, approval and license issuing services.
  5. “An Electronic Certificate System (e-Certificates)” for exports is a government department’s software application for issuing export certificates, e.g. certificate of origin (CO), phytosanitary and sanitary certificates. Some of its key features and automation include electronic lodgment of applications, validation of submitted data, approval and certificate issuing services.

    Certain certificates need physical or laboratory testing processes prior to issuing the certificates. The e-Certificate System could provide electronic services to support the physical coordination and laboratory testing reports in conjunction with other certificate issuing functions.

    “An Electronic Certificate System (e-Certificates)” for imports is an electronic system that enables an authority in the country of import to receive overseas government certificates in a digital format. This includes, for example, phytosanitary and sanitary certificates for food and agricultural imports.

  6. “An Electronic Permit System (e-Permits)” is a system that improves and automates all business processes related to import/export permit issuance, exchange, control and reporting.
  7. “Single window” means a facility that allows parties involved in a trade transaction to electronically lodge data and documents with a single-entry point to fulfil all import, export and transit-related regulatory requirements. UNECE Recommendation and Guidelines on establishing a Single Window
  8. “Electronic data exchange” refers to the computer-to-computer exchange of business data in a standard electronic format between business partners. UNECE’s UN/EDIFACT is the main Electronic Data Interchange (EDI) standard adopted throughout the world and used extensively in National Customs and International Shipping, amongst others. ISO 9735-10:2014 - Electronic data interchange for administration, commerce and transport (EDIFACT).