Biometric Access Control System
KZN Treasury

A. Problem Analysis

 1. What was the problem before the implementation of the initiative?
Growth of IT systems and process digitisation within the public sector has escalated the requirements to preserve the confidentiality, integrity and availability of information assets within these organisations. The increased dependency on electronic information has unfortunately gone hand in hand with an increase in system abuse and fraudulent activities. In an effort to combat these types of criminal activity, KZN Treasury has implemented a solution that not only creates visibility of suspicious activity within a fully auditable biometric solution, but also allows us to associate an individual with undeniable electronic proof, which can only make the judicial process that much simpler.

B. Strategic Approach

 2. What was the solution?
The solution was proposed by the IT Directorate of KZN Provincial Treasury in conjunction with senior management.
Goals: Proactive management of electronic fraud for over 5,000 of its financial system users from 16 federated Government Departments; protection of its core mainframe applications (BAS and PERSAL); to visibly deter fraud, educate its personnel about electronic fraud, and most importantly protect innocent people from being implicated in cases of electronic fraud.
Objectives: To prevent unauthorised people from accessing PERSAL and BAS through the use of fingerprint biometrics; to institute accountability for authorised users so that innocent people could not be implicated in cases of electronic fraud; and to establish an independent, automated and secure mechanism to prove beyond doubt which person performed what sensitive transaction at what time, and to be able to provide conclusive electronic evidence to prosecute and convict the perpetrators of fraud on financial systems.
Strategy and solution: To increase access control security on financial systems by adding a layer of security through fingerprint authentication and a non-repudiation system at the transaction level. The system used PKI and encryption technologies to create the additional security access layer.
Target audience: All users of financial systems in KZN Provincial Government.

 3. How did the initiative solve the problem and improve people’s lives?
The solution automates the secure digital signing of context-sensitive transactions and stores the audit trail data in an evidence vault for future use. Other biometric solutions rely purely on fingerprint minutiae to authenticate to the application and to biometrically re-authenticate when sensitive transactions are performed; this, however, does not address the requirements of the ECT Act. The eDNA solution implemented for KZN Treasury uses a secure smartcard to store the user's digital identity information and PKI credentials. When the user wants to authorise a sensitive transaction, he/she uses his/her fingerprint to unlock a smartcard on which a PKI digital signature is stored. This digital signature is then automatically used by the system to digitally sign the transaction with the user's X.509-compliant digital certificate. The transaction is sealed at the source of the transaction and stored centrally in the evidence vault, after which the application completes the transaction. The system shows what the user saw before he/she made changes and also what changes were made by the user. Additionally, the date and time of the transaction are recorded into the evidence through an RFC 3613 Time Stamping Authority, so that the accurate time of the transaction is also presented in the transaction evidence. The solution serves as an independent referee in transactions across platforms and thus provides a common platform service for instituting strong authentication and people accountability across Departments, networks, platforms and applications in a consistent manner.
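The sealing flow described above, sketched as an added example (not code from the eDNA product or from the original submission): a record of what the user saw and what they changed is signed, the signature is time-stamped by a second party, and later verification detects any alteration. Textbook RSA over fixed Mersenne primes stands in for the smartcard key and the time-stamping authority key and is not secure; all function names and the sample transaction are constructed.

```python
import hashlib
import json

E = 65537  # public exponent shared by both toy keys

def toy_key(p, q):
    """Textbook RSA key from two known primes. Constructed for the demo, NOT secure."""
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

# Assumption: Mersenne-prime keys stand in for the key on the user's smartcard
# and for the time-stamping authority's key. A real deployment uses padded
# signatures and X.509 certificates.
CARD_KEY = toy_key(2**521 - 1, 2**607 - 1)
TSA_KEY = toy_key(2**1279 - 1, 2**2203 - 1)

def _digest(obj):
    """SHA-256 over a canonical JSON encoding, returned as an integer."""
    data = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def _sign(key, obj):
    return pow(_digest(obj), key["d"], key["n"])

def _check(key, obj, sig):
    return pow(sig, E, key["n"]) == _digest(obj)  # needs only the public part

def seal_transaction(signer, before, after, fingerprint_ok, tsa_time):
    """Sign what the user saw and what they changed, then time-stamp the signature."""
    if not fingerprint_ok:
        raise PermissionError("smartcard stays locked without a fingerprint match")
    record = {"signer": signer, "before": before, "after": after}
    user_sig = _sign(CARD_KEY, record)
    # The time stamp covers the user's signature, binding the time to the record.
    stamp = {"time": tsa_time, "over": format(user_sig, "x")}
    return {"record": record, "user_sig": user_sig,
            "stamp": stamp, "tsa_sig": _sign(TSA_KEY, stamp)}

def verify_evidence(ev):
    """True only if the record, user signature and time stamp all still match."""
    return (_check(CARD_KEY, ev["record"], ev["user_sig"])
            and ev["stamp"]["over"] == format(ev["user_sig"], "x")
            and _check(TSA_KEY, ev["stamp"], ev["tsa_sig"]))

def demo():
    # Constructed sample transaction: a payment amount is changed.
    ev = seal_transaction("CN=Example User", {"payee": "V-001", "amount": 500},
                          {"payee": "V-001", "amount": 950}, True, "2012-03-01T09:15:00Z")
    altered = dict(ev, record=dict(ev["record"], after={"payee": "V-001", "amount": 95000}))
    backdated = dict(ev, stamp=dict(ev["stamp"], time="2011-03-01T09:15:00Z"))
    return verify_evidence(ev), verify_evidence(altered), verify_evidence(backdated)

if __name__ == "__main__":
    print(demo())
```

Verification needs only the public halves of the two keys, which is what lets a third party check the evidence without being able to forge it.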

C. Execution and Implementation

 4. In which ways is the initiative creative and innovative?
Key elements of the project implementation:
User buy-in: aggressive user awareness sessions, run as structured workshops, were conducted among all users throughout KZN Province to inform them of the system, its benefits and the implementation plan. 5000 users were targeted.
User audit: an audit of all users was conducted to verify the existence of potential users and to obtain all relevant information: contact details, location, and the names of the financial systems being used. This process ensured that only legitimate authorised users were enrolled onto the biometric system.
PC audit: an audit of all user PCs was conducted to ensure that they met the minimum specifications of the new system, and to give the various departments sufficient time to replace PCs that did not meet the specifications.
Procurement and installation of infrastructure: all required IT infrastructure was procured, installed and configured.
System development and testing: an intense process of documenting user requirements, development and testing was then completed.
Enrolment of users onto the system: physical face-to-face enrolment of all users was done in compliance with all legal procedures and legislation to ensure the integrity of the process and to eliminate any doubt in the event of prosecution.
Policy and procedures development: biometric access control policy, enrolment procedures, support procedures, and procedures to manage the issue and replacement of smartcards and fingerprint scanners.
Support and maintenance: post-implementation support and maintenance to ensure users have an easy experience.

 5. Who implemented the initiative and what is the size of the population affected by this initiative?
The following stakeholders were involved:
Senior Management from all provincial departments, to drive the process internally within their organisations.
All BAS and Persal users, who were the direct beneficiaries of the system.
SITA, who procured the system and managed the project.
Datacentrix and Lawtrust (service providers), who were involved in the development and roll-out of the system.
Provincial Treasury, who were directly responsible for the project from an overall management and budget perspective.
Office of the Premier, who provided the inputs and support for the Persal part of the system requirements.

 6. How was the strategy implemented and what resources were mobilized?
Human resources:
Project team: key representatives from various forums formed the project team: Persal and BAS system controllers, the Provincial Treasury IT manager, and representatives from the service providers and the State IT Agency.
Steering Committee: members of Provincial Treasury Senior Management, to oversee the project and make high-level decisions and approvals on the project.
BAS and Persal users: a user forum comprising BAS and Persal system controllers was established to communicate project progress and challenges and to find solutions to problem areas. The system controllers formed the communication link between the project teams and the 5000 users of the system.

 7. Who were the stakeholders involved in the design of the initiative and in its implementation?
contributed to the success of the initiative.
1. User awareness sessions: conducted in all regions to reach all beneficiaries. This process ensured the support and buy-in of the end users.
2. Involvement of relevant stakeholders in the project team: representatives of all stakeholder groupings were on the project team. This ensured that all business requirements were identified and addressed during the development of the system. Intense and regular consultation resulted in a detailed User Requirement Specification document, and in turn a system that addresses the business needs.
3. Effective project management: a highly skilled and experienced project manager was able to coordinate all activities and tasks in pursuance of a common goal, namely to develop and implement a system within the committed time frame and budget. Risks were effectively managed and this resulted in a successful project.
4. Support from senior management: active and unconditional support from the executive management team created the environment for a successful project. Timeous and decisive actions on their part ensured that challenges were effectively resolved.

 8. What were the most successful outputs and why was the initiative effective?
Project meetings were held on a weekly basis to assess progress, challenges and risks. A range of relevant reports were compiled and communicated to all stakeholders. Project progress was evaluated in conjunction with the budget spent to ensure value for money and to guarantee that the project would be completed within the allocated budget. Regular feedback to the end users kept them informed and sustained the buy-in achieved during the awareness sessions. Steering committee meetings were held on a monthly basis to allow for communication on project progress and challenges and to resolve identified risks.

 9. What were the main obstacles encountered and how were they overcome?
Logistical arrangements: these posed a serious challenge. Our end users are geographically dispersed over a wide area, much of which is rural in nature with poor infrastructure. Proper and detailed plans were drawn up for the enrolment of the 5000 users. Full contact details obtained during the user audit helped the project team to contact users for advance planning of their availability. We still could not reach some users. In these cases, central venues were identified where they could go to be enrolled onto the biometric system.
Communication challenges: because of the large number of stakeholders and users, obtaining and disseminating information was a challenge. Structures like the BAS and Persal user forums were used to communicate project-related issues. The use of emails and the website also assisted in effective communication.

D. Impact and Sustainability

 10. What were the key benefits resulting from this initiative?
Reduction in cases of electronic fraud on the protected systems. There has been no reported system-related fraud since the Biometric system was implemented (more than 4 years). This has a direct impact on the budget: less money is lost through criminal activity and therefore more of the allocated budget is used for the desired purpose, i.e. service delivery.
Reduction in labour-related cases of electronic fraud, and fast and efficient collection of accurate case information without the probability of tainting evidence through the evidence collection process. The system has a non-repudiation system which forces users to use their fingerprint both when they log on to BAS or Persal and when they are about to perform sensitive transactions. This means that users' fingerprints are linked to specific transactions and this information is digitally stored in an electronic vault as conclusive and undisputed forensic evidence. Hence, fraudulent users cannot deny that they committed fraudulent transactions. This has effectively reduced the number of labour disputes, disciplinary and criminal cases, saving the taxpayer time and money.
Passwords are not written down, lost or stolen anymore. Fingerprints are a reliable and more secure authentication mechanism. There is no risk of unauthorised users gaining access to the system. Criminal syndicates and potential employee fraudsters are deterred from pursuing their illegitimate actions.
Increased security posture of KZN Treasury with respect to strong authentication, application access control and non-repudiation of transactions. The use of digital signatures and PKI has resulted in compliance with the ECT Act. From a legal perspective, the system provides forensic evidence that is conclusive, tamper proof and instantly available. This increases the conviction rate. However, thus far there has been no reported system-related fraud.
The Biometric system also protects the innocent. Employees who are falsely accused or implicated in fraudulent actions are able to prove conclusively that they are innocent, as the system stores all forensic evidence together with the fingerprints of the real perpetrators of the fraud. With the increased awareness of how the system works, potential fraudsters cannot implicate innocent parties. This saves innocent employees from the psychological trauma. It also prevents the reputation of innocent parties from being ruined as a result of being falsely accused.

 11. Did the initiative improve integrity and/or accountability in public service? (If applicable)
KZN Treasury has, together with the service provider, formed a task team that deals with all related matters, with representation from all stakeholders responsible, to ensure the system is managed and maintained at the highest level of security. KZN Treasury has outsourced the management of the system to a service provider, which implemented it and now works closely with the department to ensure sustainability. There is a comprehensive, proactive Service Level Agreement in place to ensure that the system is always available and that there is minimal downtime. This ensures BAS and Persal users are able to work uninterrupted. Treasury has also implemented a full disaster recovery site. This guarantees business continuity. A task team made up of representatives from the Office of the Premier (Persal), Provincial Treasury and the service providers meets twice a month to identify potential problems with the system and with related policies, procedures and processes. The system is under constant review in order to improve its functionality through planned enhancements. Treasury makes provision for adequate funds to cover the support and maintenance of the system, enhancements and software licences. A dedicated unit is being created at Treasury to manage and support the Biometric system. There is a system development roadmap to ensure that the system is upgraded according to schedule to meet changing technological and business requirements.
The solution is based on a Service Oriented Architecture and uses open, industry-standard equipment components so that the system is open to extension and re-use. The system complies with the Minimum Interoperability Standards as set by SITA. The solution is also in use at the Department of Home Affairs nationally, for their National Population Register and Passport application, which is proof that the system has been replicated and that it does work for multiple applications. The Northern Cape Treasury has also commenced with implementing the same Biometric system at a fraction of the cost that KZN Treasury incurred. Other provinces have shown similar interest.

 12. Were special measures put in place to ensure that the initiative benefits women and girls and improves the situation of the poorest and most vulnerable? (If applicable)
Lessons Learned: Phase I
The identification, inclusion and involvement of as many stakeholders as possible in the communication process as the project progressed ensured that people were aware of the project and its impact on them. The change management model used was matured over the duration of the project. There was an extensive drive of user awareness sessions, which took the form of roadshows and aimed to reach as many users as possible across the province. In addition, presentations were made to CFOs, IT managers and transversal system controllers to inform and involve them in the project. Parallel change control processes had to be defined specifically for the project to manage the complexity of the technology and the various parties involved in its implementation and support. The lesson learned was that aggressive, structured communication channels and strong change management were crucial to the success of the project.
Lessons Learned: Phase II
The availability of users, particularly in remote areas, played a major role in the length of time ultimately taken to roll out the system. The lesson that the project team took away from this was that central enrolment centres worked more effectively than individual enrolments at a user's workstation and allowed better management of the enrolment process. A number of client workstations did not meet the minimum specification requirement, which delayed the installation process and required a number of on-site visits to remote areas to resolve the technical installations. The state of infrastructure in some areas also had an impact on the ability of the technicians to carry out their tasks and prolonged the entire rollout process. The lesson learned was that an advance audit of user PCs was important to give departments enough time to replace obsolete IT equipment. Greater consideration had to be given during the rollout process to the impact of holidays, school vacations, financial year end, special system runs, etc. on the availability of people.

Contact Information

Institution Name:   KZN Treasury
Institution Type:   Government Agency  
Contact Person:   Thansen Singh
Title:   Mr  
Telephone/ Fax:   +27 33 897 4550
Institution's / Project's Website:  
E-mail:   vaughan.hart@kzntreasury.gov.za  
Address:   PO Box 3613
Postal Code:   3200
City:   Pietermaritzburg
State/Province:   KZN
Country:  
