[kictanet] Our Response to Systematic ICT Systems Failure at IEBC-just fix the laws/regulatory framework

Kivuva Kivuva at transworldafrica.com
Wed Mar 13 12:43:56 EAT 2013


I happen to be in the communications committee of ISACA Kenya, and we try
to publicize our organisation as much as possible, through outreach in
Universities, and conferences. As a matter of fact, to be employed as an
information security analyst, you must possess one of our certifications.
Many people might never have heard about ISACA Kenya, but they know CISA,
CISM, CGEIT, CRISC, and COBIT professional courses, which are administered
and maintained by ISACA. We have a website www.isaca.or.ke, and FB page
http://www.facebook.com/ISACAKenya, and a twitter handle
https://twitter.com/Isaca_kenya.

Now from the shameless advertising, IEBC on 16th Feb 2013 called for
information security experts to audit their systems, although the call came
very late. Below is what they required.

Dear ISACA Member


"The Independent Electoral and Boundaries Commission ("IEBC"), through
one of its development partners, is seeking the service of an expert
information security professional to conduct an end-to-end
information security testing of its electoral systems that will be
used to transmit and present provisional electoral results in the 4th
March 2013 general election. The specific terms of reference for this
immediate short-term appointment are:

Perform a security testing against well-known industry best practices
and standards:

Back-end running on a Windows Server and/or Unix/Linux OS
Network – dedicated VPN over GPRS/GSM/2G/3G and private WLAN
Front-end comprises custom mobile app on Java-enabled handheld devices.

Interface of the RTS with other electoral systems
Other relevant activities consistent with the assignment.

Deliverables:

Interim and final reports with specific action points, clearly
pointing out the risk if not addressed.

Due to the short procurement cycle, expressions of interest are
invited for immediate consideration from experienced and skilled IT
security professionals who must be current holders of CISSP/CISM/CISA
or equivalent. Membership to professional bodies in good standing
required. Individual consultants are particularly encouraged to
respond.

Duration of Engagement: 10 – 15 working days, starting ASAP, but not
later than 21/02/2013. Please include your daily professional rates
for this type of engagement.

Closing Date: Applications must be received not later than Monday,
February 18, 2013 at 5pm.

Please send applications to kenyapa at ifes.org, with a copy to:
dongondi at iebc.or.ke. Please include "Application to Provide
Information Security Services" in the subject line to ease sorting.

If you are interested and meet the requirements please send your
application ASAP to the email addresses above.

Regards
Mwendwa Kivuva (lordmwesh)

On 13 March 2013 10:17, Harry Delano <harry at comtelsys.co.ke> wrote:

> Hey Walu,
>
> Very pertinent issues, these that you have raised.
>
> Looking at the Framework we have, it’s tough to see how we can
> sufficiently address the issue we have at hand. At best we can only rely
> on what IEBC will willingly share.. But we cannot
> compel them to do so. It is an independent body. Who has oversight on
> independent bodies, other than the Judiciary..? At best Judiciary will
> also have to rely on evidence. Who produces
> credible high quality tech evidence..?
>
> Your response came in while I was mulling the idea of mooting a national
> IS (Information Systems) Task force – maybe to be named KISTF (Kenya
> Information Systems Task Force). This is
> in cognizance of the fact most systems are going digital in this
> information age and without any independent supervisory framework, we may
> have real issues handling the ensuing mayhem.
>
> This body should have the capacity/powers to deal with/oversee/audit –
> National IS systems – The procurement process, implementation and
> operational matters as well as audits and ensure
> good governance etc.
>
> In fact now that we are aware that such an issue as the debacle at IEBC
> would come back and bite us hard (We the ICT fraternity), it is incumbent
> upon us to lobby to be put in place the legal
> framework that paves way for such a taskforce that should be independent,
> professional, impartial, credible and with a national outlook, and of
> course.
>
> Where can we start..? Secretariat..?
>
> Regards,
>
> Harry
>
> *From:* kictanet [mailto:kictanet-bounces+harry=
> comtelsys.co.ke at lists.kictanet.or.ke] *On Behalf Of *Walubengo J
> *Sent:* Wednesday, March 13, 2013 9:24 AM
> *To:* harry at comtelsys.co.ke
>
> *Cc:* KICTAnet ICT Policy Discussions
> *Subject:* Re: [kictanet] Our Response to Systematic ICT Systems Failure
> at IEBC-just fix the laws/regulatory framework
>
> Edith,
>
> In Kenya there is NO explicit and compelling legal framework for auditing
> Information Systems. The Kenya Comm. Act 2009 comes close but is too
> general and restricted to telcos. Furthermore the details of how these
> telcos are supposed to maintain security and integrity of their Infor
> systems is *correctly* left out since this does require an independent
> and substantive standalone legislation that touches on the role of an IT
> savvy Judiciary, IT Savvy Prosecution, IT Savvy Investigators/Law
> Enforcement and IT Savvy Organisational Requirements (e.g being compelled
> to do regular and report on IS Audits - more like we do for the Financial
> Audits). So that is the ecosystem/framework that needs to kick in to
> guarantee us some semblance of a secure information system
> landscape/knowledge industry.
>
> Serious companies (mainly blue chip banking, insurance, telcos, etc) do
> Info System Audit either as best practice or as directed by their foreign
> Headquarters' legal requirements. US/EU/Australia have specific laws
> compelling companies to annually do and report on their Information Systems
> Governance, Risks and Assurance.
>
> In Kenya the closest we have come to having this framework is through the
> repeated and still continuing attempts to have the Data Protection Bill,
> the Freedom of Information Bill as well as last year's CCK's discussions on
> eCommerce Regulations in place. In all these exercises ISACA-Kenya
> (www.isaca.or.ke) which is the local chapter for the international
> (www.isaca.org) that deals with Information Systems Governance, Risks and
> Assurance has been participating. So my take going forward is just fix
> these laws and regulations and we can save ourselves the next election
> fiasco in 2017.
>
> Your never having heard of them (ISACA-Kenya) is because "tunatenda bila
> kusema" (we do without saying :- ) just to rephrase the now famous slogan.
>
> walu.
>
> ------------------------------
>
> *From:* Edith Adera <eadera at idrc.ca>
> *To:* Walubengo J <jwalu at yahoo.com>
> *Cc:* KICTAnet ICT Policy Discussions <kictanet at lists.kictanet.or.ke>
> *Sent:* Tuesday, March 12, 2013 9:53 PM
> *Subject:* RE: [kictanet] Our Response to Systematic ICT Systems Failure
> at IEBC
>
>
> Walu,
>
> What is the legal and institutional framework for auditing such mega
> systems for public use? which is the standards body?
>
> who would be responsible for carrying out such a public audit - after
> action review?
>
> Never heard of ISACA-Kenya?
>
> Edith
> ________________________________________
> From: kictanet [kictanet-bounces+eadera=idrc.ca at lists.kictanet.or.ke] on
> behalf of Walubengo J [jwalu at yahoo.com]
> Sent: Tuesday, March 12, 2013 12:08 PM
> To: Edith Adera
> Cc: KICTAnet ICT Policy Discussions
> Subject: Re: [kictanet] Our Response to Systematic ICT Systems Failure at
>     IEBC
>
> +1,
> @ Sam,
> From your pitch,
> >>...are we saying that nobody in this list bid for this system? nobody
> tried? ... doesn't that mean we are just talking ..... and talk is cheap.
>
> am tempted to confess that indeed as a member of the ISACA-Kenya (the
> information system audit community) I did get an invite to make a bid to
> externally audit the election information system.  But guess what, the
> invite came on a Friday Feb 22nd and was due by that Monday 25th which
> incidentally was then just 1 week to the voting/election day. Assuming the
> eventual IS Auditor (whoever it was) did find issues that needed more than
> a week to fix?
>
> My point which I have been singing all along, folks in Government and
> related type of organisations know what needs to be done, they just never
> get the complimentary and necessary support in a timely manner. So your
> post-mortem must go beyond the technical and begin to address the
> "organisational" context/issues.
>
> walu.
>
>
>
> ________________________________
> From: Sam Gichuru <gichuru at gmail.com>
> To: jwalu at yahoo.com
> Cc: KICTAnet ICT Policy Discussions <kictanet at lists.kictanet.or.ke>
> Sent: Tuesday, March 12, 2013 6:45 PM
> Subject: Re: [kictanet] Our Response to Systematic ICT Systems Failure at
> IEBC
>
> Edith,
>
> I am one of those who suggested a full Audit of the system but only after
> the elections and I am definitely looking forward to this week's #140 Friday
> with Brian, I hear people involved will be available for candid discussions.
>
> What I am seeing and I stand to be corrected is the spectator syndrome,
> when everything is ok and the international press highlight Kenya as a tech
> destination, Mpesa is praised, Ushahidi and startups with all our Mvitus,
> we celebrate, claim our team (#teamtech/ICT) is winning and write long blog
> posts and gazillion tweets etc
>
> This only lasts as long as nothing goes wrong, but when it does, suddenly
> the conversation changes from "we" to "them", they have failed, they didn't
> consult, they didn't test, they... not us. This is what most football
> fans/Spectators do, they love their football team only when it's winning,
> which basically makes one wonder are we players or are we fans of this game?
>
> But to bring this home, we have a bigger problem, if this community
> started asking about the procurement process, the system architect and the
> companies that were selected to implement the IEBC system only after it
> failed, we are not engaging enough, are we saying that nobody in this list
> bid for this system? nobody tried? ... doesn't that mean we are just
> talking ..... and talk is cheap.
>
> I would like to challenge the community to engage more with an aim to
> problem solve, to tender and bid for local contracts, to build more open
> source solutions, to fundraise with an aim to seed fund startups, if we
> don't... we are going to be running around in circles and then move to
> Rwanda and guess what we will all say ..... they didn't do xyz...
>
>
> Let us ask ourselves ... who is they?
>
>
> On Tue, Mar 12, 2013 at 4:35 PM, Edith Adera <eadera at idrc.ca> wrote:
> Harry,
>
> Not sure you were in Kenya or buried your head in the sand!
>
> It’s a fact that the system did not work and IEBC had to revert to the
> manual system as reported by the Chair of the IEBC on TV.
>
> We need to learn to tell the truth as a country and confront our issues.
> Someone suggested on this list, can’t remember who,  that as an ICT
> industry an audit should be carried out so we know what went wrong and
> learn for the future.
>
> Why do we always turn to the easy targets….tribalism, partisan interests
> etc when hard questions are asked?
>
> Edith
>
> From: kictanet [mailto:kictanet-bounces+eadera=idrc.ca at lists.kictanet.or.ke]
> On Behalf Of Harry Delano
> Sent: March 12, 2013 3:22 PM
> To: Edith Adera
> Cc: KICTAnet ICT Policy Discussions
> Subject: [kictanet] Our Response to Systematic ICT Systems Failure at IEBC
>
>
> Aye..!
>
> Could someone please aver what the furor was all about on this list when
> systems failed at IEBC last week. I thought it was so that
> we could address systemic issues in that part of the election process..?
> Please someone correct me, but I seem to be settling on
> this conclusion that we collectively only raise hue and cry when the
> system(s) are perceived to be working against “us”, or not in
> “our” interests – whichever side of divide each one of us sits. Once they
> serve ‘our’ interests, we quickly move on.. So where is
> posterity in all this..? A pattern emerges where well calculated
> intellectual arguments everywhere nowadays, that thinly veil and
> mask the real motives in us. We completely bury our heads in the ground
> and deny that we have deeply rooted issues that stem
> from tribe, class etc and as a result, we are caught up in this vicious
> cycle that we cannot seem to free ourselves from and which
> clouds our entire vision as a nation. Who will free us, if we do not take
> initiative ourselves..? How and when will we as a nation
> confront this ‘monster’ head on, by first of all acknowledging it exists.
> Then moving to deal with it. Can this list be at the forefront
> of it..?
>
> If so,  let’s start now..
>
> Harry
>
> _______________________________________________
> kictanet mailing list
> kictanet at lists.kictanet.or.ke<mailto:kictanet at lists.kictanet.or.ke>
> https://lists.kictanet.or.ke/mailman/listinfo/kictanet
>
> Unsubscribe or change your options at
> https://lists.kictanet.or.ke/mailman/options/kictanet/gichuru%40gmail.com
>
> The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform
> for people and institutions interested and involved in ICT policy and
> regulation. The network aims to act as a catalyst for reform in the ICT
> sector in support of the national aim of ICT enabled growth and development.
>
> KICTANetiquette : Adhere to the same standards of acceptable behaviors
> online that you follow in real life: respect people's times and bandwidth,
> share knowledge, don't flame or abuse or personalize, respect privacy, do
> not spam, do not market your wares or qualifications.
>
>
>
> --
> Warm Regards,
> ------------------------
> Sam Gichuru
>
>
> twitter: | @samgichuru
> Blog: | www.samgichuru.com
> Facebook: | http://www.facebook.com/sam.gichuru
> Skype: Sam.gichuru
> Cellphone: | +254-722-730565
>
> Co-founder/ Director /Nailab Incubation
> Location: | Nairobi
> Website: | www.nailab.co.ke
> twitter: | @thenailab
>



-- 
______________________
Mwendwa Kivuva
For
Business Development
Transworld Computer Channels
Cel: 0722402248
twitter.com/lordmwesh
www.transworldAfrica.com  | Fluent in computing
kenya.or.ke | The Kenya we know