Parallel Audit on Biometric Passports - Overall Results (anonymised)
A biometric passport (or ePassport) contains biometric information which serves to authenticate the identity of travellers. Biometric passport management is the process of establishing and implementing the regulation on standards for security features and biometrics in passports and travel documents issued by the member states. The aim is to develop and maintain efficient and secure biometric passport production procedures (see page 5 of the full text).
- IS/IT system and management: The main weaknesses in this area are missing or incomplete information-security concepts, inappropriate or missing backup facilities, deficiencies in monitoring policies, standards and procedures, and limited availability of IT systems. Significant risks were identified with regard to information security and the absence of systematic risk assessments. Weak access management and access controls were reported, together with inappropriate access rights. Regarding policies and standards, there is no definition of which controls should be applied to protect the data during production, or by whom. Furthermore, the audits revealed deficiencies in the processes for monitoring security incidents.
- Laws and regulations: In some countries, non-compliance with national legislation on personal data was identified, as well as non-compliance with the requirements of IS/IT management legislation. It was found that the requirements of some regulatory decrees are not formally established and are applied on the basis of oral rather than written agreements.
- Cost-benefit: In some cases, no assessment of the cost effectiveness of issuing biometric identity documents (operations, security, IS/IT management) was carried out at state level. Furthermore, data on the costs incurred by the institutions involved in the issuance process are often unavailable. Regarding transparency, the findings show that the calculation of fees for state documents is neither clear nor traceable.
- Internal and external personnel involved: In nearly all the participating countries, outsourcing providers are involved. Cases were identified in which no non-disclosure agreements had been signed with the respective bodies. Additionally, the issuing bodies do not carry out in-depth checks on the staff employed by service providers.