It is now 461 days since the secure sockets layer of the official website of the IPPIS Secretariat, a department in the Office of the Accountant-General of the Federation (OAGF) to oversee the management of the Integrated Personnel and Payroll Information System (IPPIS), expired without renewal.
Secure sockets layer (SSL) is a protective feature on every website that keeps user data safe, helps to verify ownership of the website and prevent attackers from creating a counterfeit version of the site.
The secretariat manages the employee payroll of the federal government with appropriate deductions and remittances of third-party payments. As a government entity, the department owns that website.
READ ALSO: SPOTTED: 2 Weeks After Expiration, State House Website’s Security Certificate Not Renewed
While trying to fetch some data from the website on Friday, FIJ found that the website was unsafe, advising users that their data could be compromised if they proceeded to the website.
A look into the safety status of the website by FIJ showed that its SSL certificate had expired more than a year ago.
The website was created on March 1, 2011, using the National Information Technology Development Agency (NITDA) as its registrar. While its domain address remains okay, the same thing could not be said of its security feature.
Results of the website SSL certificate scan.
According to SSL Checker, an SSL certificate review website, the website’s SSL certificate expired on June 3, 2023. Since then, the website and user data have become vulnerable.
Abdullahi Tumba, whose phone number was copied from the website’s registration details, told FIJ on the phone that he was “no longer in government and could not speak on its behalf”.
Government agencies are mandated by the NITDA to maintain safe websites through which citizens can easily access information necessary to their daily activities.
In this instance, this IPPIS runs foul of section 7.2 of the NITDA guidelines for government websites. The guidelines read in part:
Government Institutions shall: i. ii. iii. Commit to a continuous process of maintaining the security of Web Servers to ensure continued security. Use authentication and cryptographic technologies as appropriate to protect certain types of sensitive data with differing access privileges. It is recommended that SSL be used for any cryptographic implementation
READ ALSO: NPF Website Violates NITDA Guidelines, Does Not Have the Phone Numbers of PPROs
Data safety and accessibility also take a key spot in transparency rating of government ministries, departments and agencies by the Presidential Enabling Business Environment Council, an agency set up by the Business Facilitation Act.
The act requires agencies to provide a comprehensive inventory of all charges and information on their websites and revise such information in a consistent manner to empower citizens demand efficient services.
Aside from not having an up-to-date security feature, some information on the website is outdated. For example, the website listed Nsikak Ben as an acting director of the IPPIS. Meanwhile, Ben had long left that role, with latest news reports showing Emma James Deko as the new helsman.
The post ALERT: Website of IPPIS Secretariat in Accountant-General’s Office Is Unsecure appeared first on Foundation For Investigative Journalism.