Overview
Technology and processes change all the time. The nature and seriousness of the risks posed to a system change accordingly. Jurisdictions thus are in a continual race against criminal elements (and the physical environment) to remain "one-up". A risk assessment forms an integral part of the process used by a jurisdiction to maintain the integrity of a system.
Fischer Consulting specializes in performing risk assessments in the motor vehicle and driver license environments. The following are some of the aspects that make us uniquely qualified:
- Our experience in the design and implementation of both motor vehicle and driver license business processes and systems.
- Our experience in document security.
- Our active involvement in national and international standards activities that seek to elevate the baseline of document security and interoperability.
Though internal reviews can be instructive, caution should always be taken to avoid the following major pitfalls of self-policing:
- Collusion on the part of the internal review team to overlook gray areas, or worse.
- Assumptions made based on over-familiarity with existing procedures.
Risk assessment and the AAMVA DL/ID Security Framework
The DL/ID Security Framework recently published by the American Association of Motor Vehicle Administrators (AAMVA) provides a number of requirements and recommendations pertaining to risk assessments and the implementation of associated mitigation measures.
The Framework document primarily emphasizes the need to secure issuance programs and access to records. However, the most recent version of the AAMVA DL/ID Card Design Specifications (September 2003) contains a recommendation that "[e]ach issuing jurisdiction should conduct a risk assessment of their own DL/ID documents to determine how and to what extent threats pertain to their documents" (see B.5 of the specification). In addition to issuance programs and access to records, document security thus should not be neglected.
With reference to the above documents, it is thus suggested that a risk analysis (performed in terms of the AAMVA DL/ID Security Framework) should cover both the following areas:
- Programs for issuing documents and creating or amending records.
- The effectiveness of document security features.
The Fischer Consulting team is uniquely positioned to assist jurisdictions in implementing the goals of the Framework by conducting a review of your jurisdiction's business, and developing security recommendations and an associated action plan.