Swiss Federal Audit Office


Parallel Audit on Biometric Passports - Overall Results (anonymised) Read full text in English

2015 report

A biometric passport (or ePassport) contains biometric information which serves to authenticate the identity of travellers. Biometric passport management is the process of establishing and implementing the regulation on standards for security features and biometrics in passports and travel documents issued by the member states. The aim is to develop and maintain efficient and secure biometric passport production procedures (see page 5).

In the report page 9

- IS/IT system and management: The main weaknesses in this area consist of missing or incomplete information-security concepts, inappropriate or missing backup facilities, deficiencies in monitoring policies, standards and procedures, as well as limitations in the availability of IT systems. Significant risks are identified with regard to information security and the lack of systematic risk assessments. Weak access management and access controls were reported together with inappropriate access rights. Regarding policies and standards, there is a lack of definition of what controls should be applied to protect the data during production and by whom. Furthermore, audit deficiencies were revealed in respect to the processes of security incident monitoring.

In the report page 10

- Laws and regulations: In some countries, non-compliance with national legislation regarding personal data has been identified as well as non-compliance with requirements of IS/IT management legislation. It was found that the requirements of some regulatory decrees are not strictly established and are applied according to an oral rather than a written agreement.

In the report page 10

- Cost-benefit: In some cases, no assessment of the cost effectiveness of the issuance of biometric identity documents (operations, security, IS/IT management) was carried out at state level. Furthermore, often there are no data available on the costs of the institutions involved in the process of issuance. Regarding transparency, the findings show that calculations of the fees relating to state documents are not clear or traceable.

In the report page 10

- Internal and external personnel involved: In nearly all the participating countries, outsourcing providers are involved. Cases have been identified where no non-disclosure agreements with the respective bodies had been signed. Additionally, the issuing bodies do not perform in-depth inspections regarding the staff employed by service providers.

The risk cases visible on this page are collected and described by the e-Government Subgroup of the EUROSAI IT Working Group in contact with author Supreme Audit Institutions (SAI). In the same way, analytical assumptions and headings are chosen by the Subgroup. We encourage you to read the original texts by SAIs - to be found in the linked files.