A DigiD audit alone is insufficient for securing web services
By drs. Joep Janssen RE MIM
The government is digitizing at a rapid pace. Citizens (and businesses) are increasingly tempted or even obliged to use web portals to interact with the government. Due to this development, government organizations need to do more to ensure the security of their digital services.
For a significant number of web services, the government requires users to log in using DigiD, so they know who they are dealing with. The government also demands that public service providers, such as hospitals and health insurers, use DigiD.
The government must ensure that electronic communication between citizens and the government is sufficiently secure, meaning reliable and confidential. This is achieved by determining the security level at which citizens can log in. Currently, this is often only with a simple DigiD password, possibly supplemented with SMS or scanning a QR code via the DigiD app. The process has started to enable login at a higher security level, such as using the chip in a driver's license or passport. In addition to DigiD, authentication means and trust services from the market can also be used.
At the same time, the websites and applications of government organizations that deliver digital services must also be secure.
'The tone at the top'
This always begins with effective governance of information security by the organization's leadership ('the tone at the top') based on a current IT security plan and transparent public accountability for the management provided to stakeholders. Naturally, the organization complies with the generally applicable requirements for information security ('getting the basics right'), such as access management, encryption, change management, incident management, logging, and agreements with suppliers.
For specific web services, this is supplemented with the usual requirements for securing web services, such as the web guidelines of the National Cyber Security Center (NCSC).
Society increasingly demands an independent assessment of the security of web services by an auditor. Websites often prove to be vulnerable to hacker attacks. This led to the introduction of annual DigiD audits on government websites where citizens can log in with DigiD. Undoubtedly, this has contributed to improving the security of websites, but it is only a first step that urgently needs to be followed up.
The societal responsibility of government organizations
At present, the Minister of the Interior and Kingdom Relations (BZK) only requests an audit report for web services that use DigiD, based on a limited selection of twenty NCSC guidelines, and that report covers only the design and existence of the security measures. Whether the measures have operated effectively over an entire year remains unexamined. Because of the limited number of guidelines and the focus on design and existence alone, there is a risk that the audit report gives a false sense of security.
The societal responsibility of government organizations and other public service providers to deliver secure digital services goes far beyond merely complying with twenty NCSC guidelines. Citizens have the right to secure digital services in which their data is processed in a reliable and confidential manner.
In recent years, the government has launched several initiatives to enhance information security. Implementing all these initiatives remains a massive task. Much attention is paid to making systems technically secure. Penetration tests expose system vulnerabilities to internet-based attacks, and security specialists patch these vulnerabilities.
A more proactive and continuous approach is needed
There is a danger that information security will remain limited to responding to incidents and will stay a matter for security specialists only. A more proactive and continuous approach is needed, focused on preventing vulnerabilities and on continually monitoring and improving. The most effective security measures lie within the organization and with its people ('security is a people issue').
This requires much greater involvement from the leadership and board members of organizations. Specifically, this means that the subject of information security should be discussed regularly at the board level, including monitoring progress. Government organizations must also ensure a professional security organization with a strong Chief Information Security Officer and ensure that basic security and management processes are in place and assigned to the appropriate responsible party. Information security should be discussed at the board level in the same way as financial management.
The audit practice must respond to this. The assessment of specific NCSC security guidelines for websites will remain, but it should be expanded to include an assessment of the governance of information security by the organization's leadership ('the tone at the top') and of the basic information security processes ('getting the basics right'). This means assessing not only the design and existence of measures but also their continuous operation throughout the year.
Drs. Joep GM Janssen RE MIM is Lead IT Auditor at Highberg and chairman of the national NOREA working group for DigiD assessments. This contribution is written in a personal capacity.