Websites’ security audit

The Government of the UT of Jammu and Kashmir has taken steps to digitise and streamline services. However, a significant concern has arisen as most departments have not conducted security audits for their websites and applications through Computer Emergency Response Team (CERT)-empowered agencies. This oversight leaves potential vulnerabilities that hackers could exploit. The Government has responded firmly to this issue. If the security audit is not completed within the next month, the services will be discontinued at the State Data Centre. No further websites or applications will be hosted without a “Safe to Host” certificate from the respective departments. If the audit agency has already been selected, there should be no reason for such significant delays in completing the necessary tasks. There is no valid justification for this negligence.
Such a situation demands immediate attention and action. It is not just informational websites at stake but also online forms, bills, and the personal information of students and residents, making the system vulnerable to exploitation by hackers. Hackers are known for their persistent efforts to exploit any weaknesses in the system, making this a critical issue for the Government. A website security audit is a crucial process that identifies vulnerabilities and weaknesses in websites and applications. The audit scans websites and their servers for existing or potential weaknesses that hackers could exploit. This proactive approach aims to eliminate architectural discrepancies before malicious actors can take advantage of them. It’s also worth noting that the Information Technology Act of 2008 mandates security audits for all applications and web services to be eligible for hosting in the State Data Centre (SDC).
The sensitivity of the situation in Jammu and Kashmir cannot be overstated, given the continuous efforts by Pakistan and its hackers to create embarrassing situations for the Government. All safety audits and guidelines set by governing organisations must be rigorously followed. Timely audits are essential to ensuring the security of data, and any vulnerabilities identified during these audits can be promptly addressed. All Government departments are expected to have adequate funds to upgrade their software and avail themselves of audit services. However, it is concerning that, in practice, many departments are not taking these matters seriously. JaKeGA, which stands for the Jammu and Kashmir e-Governance Agency, holds the responsibility for planning, executing, and overseeing e-Governance initiatives within the state of Jammu and Kashmir. Its primary aim is to establish the necessary administrative, financial, legal, and technical infrastructure to support these projects. Despite more than a year and a half passing since the official letter from JaKeGA was issued, a majority of departments have not responded or taken the necessary actions. This represents a serious violation of security protocols.
There is an established procedure in place to ensure timely audits and certifications. Various teams of professionals are involved in different projects for various departments, and there appears to be a lack of background checks on the individuals deployed for these tasks. The safety of the State Data Centre is of paramount importance and cannot be compromised under any circumstances. It is crucial to take all mandatory precautions to safeguard sensitive information. Hackers have proven capable of inflicting significant damage on many national websites. To protect against such situations, it is essential to maintain consistent vigilance through precautions and conduct timely audits. JaKeGA has rightly set a new deadline of one month, and departments must treat this directive with the utmost seriousness. Timely audits are crucial not only for data safety but also for the uninterrupted provision of services to the public. It is the responsibility of every department to prioritise security and act immediately to comply with JaKeGA’s directive. Failure to do so not only jeopardises data security but also puts the entire system at risk. It is far better to adhere to established procedures now than to face regrettable consequences later on.