The Unit for the Victims’ website is a success case in digital security
The Karisma Foundation assessed compliance with Data Protection Law requirements, website digital security, and privacy protection practices.
While analyzing good practices for protecting information and the National Government’s strategies focused on website digital security, the Karisma Foundation highlighted the website of the Unit for the Attention and Integral Repair to the Victims as a success case.
According to the Foundation, the assessment of the status of the Unit's website, carried out during April and May 2017, checked three main topics: compliance with Data Protection Law requirements (which includes legal information, transparency and contracts), the website’s digital security, and privacy protection practices.
This was stated by the head of the Information Technology Office (OTI in its Spanish acronym), Victor Duran, who explained that “within the developed success case framework, co-responsibility was considered one of the most important aspects introduced by the digital security policy defined by the 2016 CONPES 3854 document. This approach acknowledges there is a role for everyone involved in digital security.”
The success case shows that it is possible for different actors to work together to report issues and follow up on improvement solutions related to the Digital Security Policy.
Throughout the process, the Unit identified risks for each of the observations received, determining their causes and consequences, and, according to Duran, “the Unit determined its respective risk assessment, which included these events’ probability rating and their impact to determine the inherent risk.” On that basis, the necessary controls for risk mitigation were established and assessed, and the residual risk was diagnosed once the different improvements had been accomplished.
Regarding tracking and privacy within the risk management framework, the Unit took corrective actions concerning search service configuration tools and website visit statistics.
The measures implemented to protect users’ personal information include deploying a secure protocol for some services and applications and for the entity's website. As for the disclosure of privacy and personal data protection policies, the entity created and published the respective policies, as well as the privacy notice, on the official website.
Regarding digital security, Duran mentioned that the Unit applied access control mechanisms to minimize the risk of information leakage from a report that could contain sensitive information. Regarding server and vulnerability updates, the entity updated the web server and the software of the different applications to their latest available versions.
The OTI’s head highlights that, in favor of continuous improvement, “we continue with efforts aimed at risk scenario mitigation within the Digital Government Policy framework, established through Decree 1008 of 2018.” This policy considers information security one of the cross-cutting enablers that allow Digital Government development. That is why “in security terms, our challenge is to achieve ISO 27001 certification as the Information Technology Office.”
The Karisma Foundation is an organization that analyses the intersection of technology and human rights. The Foundation also proposed analyzing Colombian Government websites to assess the information they offer to citizens, which produced these successful results in the case of the Unit for the Victims.