Montserrat Ferry Online Booking Application

4th June, 2020

An Information Security (IS) Audit Report of the Auditor General about the Montserrat Ferry Online Booking Application was presented to the Legislative Assembly on May 19th, 2020.

Background

This report assessed whether appropriate policies and procedures and effective controls existed, and still exist, to ensure the security of the Montserrat Ferry Online Booking software and of the sensitive and personal information entered and stored in it. The audit focused on areas such as Outsourcing, IT Operations, Application and Information Security controls, and Business Continuity.

Key Findings  

  • There are adequate input and output validation controls in place that ensure, in a timely manner, that the data being input or output is accurate, reliable, and complete when accepted by the Montserrat Ferry Booking application. The application’s information is also properly protected and secured, and there have not been any reports of security-related incidents or breaches since its debut in 2016.
  • The Office of the Premier’s Access Division does not have a Service Level Agreement or Contract that defines what functions are to be outsourced, what must remain in-house, or the ownership of the application and the stored data. This is a very high-risk issue should the software vendor fail to maintain the software, go out of business, or fold, as the GoM does not retain business knowledge or ownership of the ferry online booking application and data.

Recommendations

The Office of the Auditor General strongly recommends that:

  • The GoM should develop a clear outsourcing policy that documents the IT functions that can be outsourced and what remains in-house. All of the roles and responsibilities between the GoM and future vendors and contractors should be identified and defined. This includes a Service Level Agreement that defines the services the contractor will be expected to accomplish, and the technical parameters for those services, i.e., items critical to the GoM.
  • The Access Division should assess the feasibility of purchasing the software and maintaining it in-house. Should the supplier not accept this option, the Access Division should request that the software be lodged in an escrow agreement where the source code is stored with an independent third party.

The report in its entirety can be found at the Montserrat Public Library, by visiting Publications, or by requesting an electronic copy from the Office of the Auditor General.