eNatis audit looms

Johannesburg, 05 Jul 2007

eNatis, the much-maligned electronic National Traffic Information System, will undergo a full post-implementation audit by officials from the office of the auditor-general in the next few weeks, says Department of Transport eNatis project manager Werner Koekemoer.

The audit will evaluate eNatis, including its cost, efficiency and security. Concerns about the latter arose anew yesterday, after the eNatis Web site, hosted in the US, was apparently hacked twice.

Security vendors say this type of attack has become infrequent as the authorities clamp down on hacking and hackers turn to financial crime.

No security risk

Koekemoer says the hacking of the US site had no implications for the integrity of the South African eNatis system. He says the US site is essentially a bulletin board and is not connected, at any level, with eNatis proper.

A statement on the eNatis Web site adds "the suggestion that eNatis was hacked is actually laughable. The eNatis public Web site is in no way connected at all to the eNatis system. This was a deliberate design choice.

"The eNatis Web site is running on a public hosting area on a public hosting service. The hosting service is not inside the eNatis data centre at all. There is also no connection of any kind between [the] ...Web site and the eNatis system. The Department of Transport deliberately decided to host the Web site on a completely different server than the eNatis system servers to ensure any hacking attempts would be fruitless," the site adds.

"The eNatis system can only be accessed by workstations that are authorised to access the system and all communication with the eNatis system is encrypted. In addition, a predefined user name and password is needed to connect to the eNatis system. An eNatis user will only be given access to the system after signing a confidentiality agreement regulating the security of passwords."

Transport spokesman Collen Msibi adds that an investigation into the incident is under way.

"We are going to find out who did it and be more vigilant," he says. Msibi says the department is "disappointed" that people attacked a system meant to be of use to the public.

Report goes public

Msibi adds that the department expects the AG to table a final report on a pre-implementation audit in Parliament next month. The report, extracts of which were published earlier this year, said the auditors had found numerous security concerns.

The department rebutted this by saying the auditors had reviewed an early prototype of the system and that their concerns had been incorporated into the operational variant deployed in April.

"Once the audit process is complete, it will be tabled in Parliament and become public," Msibi says. "The indications are this will happen in August."

Meanwhile, Democratic Alliance transport spokesman Stuart Farrow says the transport portfolio committee - on which he serves - as well as the Standing Committee on Public Accounts, are awaiting the report in order to take further action. "I'm desperately trying to get my hands on it [the reports] and would want to compare the pre- with the post-implementation report."

Govt security concerns

Speaking at the recent launch of its ICT in government survey, Forge Ahead head of research Adrian Schofield said "government faces challenges to keep its data clean and secure".

Schofield noted that, while this was a concern for all businesses, it was perhaps more so for the state.

He said the problem was a lack of standardisation across different departments. "CIOs are being left to make their own decisions."

He added that the greatest risk for ICT breaches in any organisation was its own workers. In this regard, he said it was disappointing government departments were still not spending much on security dashboards. "This would allow managers to monitor the situation before incidents take place."