National Identity Card
Client: The government of the Hong Kong Special
Administrative Region (HKSAR)
Background/Objectives
The government of the Hong Kong Special Administrative
Region (HKSAR) is now issuing multi-application smart ID cards to seven million
citizens. Security is a prime concern for any identity card system. There are
also other legitimate and important concerns, especially regarding the privacy
of citizens' information.
Consult Hyperion won an open competitive tender (against
consultancies from four continents) to assess the security and recommend a set
of security requirements to the Immigration Department (ImmD), to ensure that
the selected suppliers would produce a system which was not only functional, but
also secure and fit for purpose. It was subsequently retained to specify all the
components and to devise an evaluation system for bidders' proposals. Consult
Hyperion achieved this through applying its Structured Risk Analysis. The
detailed knowledge of multi-application cards and associated security was an
integral part of this assignment.
Approach and Benefits to Client
ImmD Security Requirements:
Security requirements affect the selection of hardware,
operating systems and the design of interfaces among components and the design
of database components. Consult Hyperion's approach to determining the security
requirements was based on performing a Structured Risk Analysis (SRA). Risk
analysis enables the identification of cost-effective measures to mitigate
risk.
In addition to providing a report, Consult Hyperion also
delivered a spreadsheet containing tables of threats, vulnerabilities and risks
with their corresponding measures of severity. This enabled the client to
perform "what if" analyses, creating a living document that can track the
reductions in exposure as countermeasures are implemented.
One of the requirements was that citizens should be able
to change their PINs easily. Consult Hyperion recommended the use of kiosks and
the presentation of a finger biometric to facilitate this, with the biometric
template being stored on the smart identity card.
ImmD Specifications:
The approach was based on the use of structured analysis
techniques, which Consult Hyperion has employed successfully on many occasions
to assist clients with complex procurements. The following activities were
performed:
- formally gathered the system requirements
- examined options for how the systems might behave in meeting the
requirement
- produced specifications for these systems which formed part of the tender
documentation for the system supply
- provided advice to assist in the process of producing the tender and
evaluating the responses
Consult Hyperion specified all the components (including
the ID card, smart card-based Security Access Module (SAM), card and application
management system and terminals) and devised a detailed evaluation system for
bidders' technical proposals.
ITSD, Remote authentication feasibility study:
Consult Hyperion designed a system to allow the ID cards
to be used for remote access to services, with minimal changes to the existing
card cryptographic scheme. All components of the system were specified, as well
as providing an interactive spreadsheet cost model and a management framework
document outlining the business rules and procedures necessary to run the
system.
Benefits from this assignment included:
- assurance, through risk analysis that the proposed HK ID card system was
fit for purpose
- detailed analysis and functional specification leading to the production
of tender documentation in such a way as to be independent of specific
products and vendors
- a watertight process for assessing bids against actual requirements and
specifications
- system specifications and cost model for the provision of a central
e-Authentication service. These provided assurance that the proposed ID card
scheme could be easily and flexibly extended to provide secure e-government
services