0

The National Information Technology Development Agency (NITDA) has explained that University Transparency and Accountability Solution (UTAS) payment application being promoted by the Academic Staff Union of Universities (ASUU) has five 5 high risk vulnerabilities and two low risk vulnerabilities that that are likely to negatively impact on the platform if exploited.

RELATED  No Going Back On IPPIS As ASUU Develops Own Software, UTAS, To Tackle Corruption In Varsities

NITDA in an official statement by Head, Corporate Affairs and External Relations, Mrs Hadiza Umar, has asked ASUU to improve on the “areas identified, work on the security issues flagged and resubmit the solution for further assessment.”

Read the full statement below.

NITDA’s engagement with ASUU on UTAS: Putting the records straight

The attention of the National Information Technology Development Agency (NITDA) has been drawn to series of media statements about NITDA’s role on the assessment of the University Transparency and Accountability Solution (UTAS). It is imperative therefore that the agency puts the records straight for the interest of stakeholders and the general public.

ADVERTISEMENT

It may be recalled that the Act establishing NITDA mandates it to create a framework for the planning, research, development, standardization, application, coordination, monitoring, evaluation and regulation of Information Technology (IT) practices in Nigeria. The agency has, over the years, issued series of regulatory instruments including the Software Testing and Quality Assurance Framework and Guideline, issued in 2016. This regulatory instrument, currently being reviewed, provides guidelines for the design, development and testing of software projects in Nigeria. Furthermore, Section 10 of the Guidelines for Nigerian Content Development in ICT, 2019 provided detailed guidelines and expectations for Indigenous Software Development and Software Enabled Products and Services.

In line with its mandate, the Agency has been registering indigenous software solutions. Part of the registration process requires that solutions are subjected to tests in line with the requirements of the Software Testing and Quality Assurance Framework and Guideline and the Guidelines for Nigerian Content Development in ICT.

It is common knowledge that the Academic Staff Union of Universities (ASUU) has been engaging the Federal Government on a number of issues including payment of promotion arrears, earned academic allowance, funding for revitalisation of public Universities, and adoption of UTAS as payment platform for universities. On the 14th October, 2020, NITDA was invited to participate in an interactive session between ASUU, Federal Government and the Legislature. The session, held at the Conference Hall of Accountant General of the Federation’s office, was to avail ASUU the opportunity to demonstrate the UTAS platform.

ADVERTISEMENT

Conditions for Acceptance of UTAS as Payment Platform

As part of the conditions for acceptance of UTAS as payment platform for public universities by Federal Government, NITDA was directed to subject the platform to Integrity Test and advise Government appropriately. In doing so, the Agency decided to carry out 3 out of the 8 tests specified in the Software Testing and Quality Assurance Framework and Guideline. These tests are:

  1. User Acceptance Test (UAT);
  2. Stress Test; and
  3. Vulnerability Assessment and Penetration Test (VAPT).

As part of the process, NITDA held its first meeting with ASUU on the 22nd October, 2020 and discussions centred on the modalities of the assessment. Furthermore, documents necessary for effective planning and execution of the tests were requested. As critical stakeholders to the implementation and deployment of the Solution, both the National Universities Commission (NUC) and the Office of the Accountant General of the Federation were also engaged. The main aim of this engagement was to obtain software requirements from their perspective.

Upon receipt of the documents from ASUU as well as access details of the UTAS platform in January, 2021, the Agency’s team carried out basic Functionality/User Acceptance Test on the platform. As NUC conducted UAT, NITDA felt it can use the report produced by NUC for its report. However, upon review, it was observed that the Solution was demonstrated to the Principal Officers in a similar way it was demonstrated at the Accountant General’s Office.  The agency decided that further UAT be carried out with actual end-users from the University System. As a result, arrangements were made and 46 staff members from 28 Federal Universities, mainly from Vice Chancellor’s Office, Human Resources, Accounts and Bursary participated in the UAT, held at NUC, on the 10th August, 2021.

Although the UAT was carried out as planned, challenges were encountered that negatively impacted on the outcome of the assessment. For instance, although the invitation emphasised the need for prospective participants to come with ICT tools for the exercise, very few of the participants had these tools. This resulted into grouping the participants and very limited hands-on interaction with the solution was possible. Furthermore, there was limited connectivity thereby making it difficult for the participants with the relevant tools to follow the demonstration by ASUU. These issues were adequately reported to key stakeholders.

UTAS platform has seven risk vulnerabilities

The agency’s team also carried out series of Vulnerability Assessment and Penetration Tests on the UTAS platform. One of these assessments revealed five (5) High Risk vulnerabilities that are likely to negatively impact on the platform if exploited. Furthermore, two (2) Low Risk vulnerabilities were identified. These were discussed with the ASUU team and a further assessment carried out on the updated version of the solution revealed that the High Risk Vulnerabilities have been addressed. However, one (1) Medium Risk, three (3) Low Risks and forty-four (44) Informational Risks were identified. These also, were adequately communicated to the relevant stakeholders including ASUU.

A detailed Functionality/User Acceptance Test on the platform was carried out by our team. A total of 687 test cases were generated in which 529 passed, 156 failed and 2 cautionary warnings. As some of the failed cases are critical to the overall functionality of the solution, the agency could not recommend for the solution to be deployed in production environment. ASUU was therefore requested to work on the Solution and submit it for further assessment. Furthermore, a comprehensive report outlining all the tests carried out and issues identified was submitted to the Honourable Minister of Communications and Digital Economy on the 3rd December, 2021. This was in turn submitted to the chief conciliator, the Honourable Minister of Labour and Employment as well as other stakeholders in ASUU.

During the conciliation meeting held at the instance of the Honourable Minister of Labour and Employment on Tuesday, 22nd February, 2022, it resolved that NITDA works with ASUU and subject UTAS to re-assessment. Furthermore, it was resolved that key members of the conciliation team be in attendance during the Technical Team’s sessions as observers.

It may interest the agency’s stakeholders to know that NITDA, as a responsible agency of government, made all arrangements to ensure that the exercise was carried out successfully. The interaction commenced on the 8th March, 2022 with discussion on the methodology to be used as specified in the Software Testing and Quality Assurance Framework and Guideline. Upon reaching agreement and starting the actual test on the Solution, a critical error occurred and the test could not continue.  As a result, the interaction had to be postponed to enable the ASUU Team rectify the issue.

Considering the challenge encountered, the assessment methodology had to be reviewed to facilitate daily remediation of critical issues as they occur. This, although not in NITDA’s Standard Operating Procedure for exercises such as this, was adopted. Consideration was made to the national importance attached to the exercise as well as the need to complete it in a reasonably shorter period of time.

It is important to note that despite making all efforts to fast-track the exercise, it took the team two weeks of continuous interaction on a daily basis. There is no doubt that the exercise has positively impacted on the functionality and robustness of the UTAS platform. Furthermore, we believe that the interaction availed ASUU the opportunity to understand and appreciate NITDA’s commitment and level of professionalism exhibited in carrying out its responsibilities.

The attention of stakeholders and the general public is drawn to the need for the UTAS platform to be sufficiently robust with key functionalities implemented before being deployed to the production environment. However, the assessment revealed that the Solution, as it is currently implemented, is limited. There are critical functionalities that have to be implemented, tested and passed before the Solution can considered to meet NITDA’s due diligence requirements. These areas of improvement have been fully documented and shared with the ASUU team for necessary action. It is expected that ASUU will improve on the areas identified, work on the security issues flagged and resubmit the solution for further assessment.

The agency wishes to use this opportunity to assure stakeholders and the general public of its commitment to its mandate and the vision of proactively facilitating the development of Nigeria into a sustainable digital economy by creating an enabling environment where Nigerians develop, adopt and derive value from digital technology.

 

More in News

You may also like