Printable Version
What's New
National Identity Card
Client: The government of the Hong Kong Special Administrative Region (HKSAR)
Background/Objectives
The government of the Hong Kong Special Administrative Region (HKSAR) is now issuing multi-application smart ID cards to seven million citizens. Security is a prime concern for any identity card system. There are also other legitimate and important concerns, especially regarding the privacy of citizens' information.
Consult Hyperion won an open competitive tender (against consultancies from four continents) to assess the security and recommend a set of security requirements to the Immigration Department (ImmD), to ensure that the selected suppliers would produce a system which was not only functional, but also secure and fit for purpose. It was subsequently retained to specify all the components and to devise an evaluation system for bidders' proposals. Consult Hyperion achieved this through applying its Structured Risk Analysis. The detailed knowledge of multi-application cards and associated security was an integral part of this assignment.
Approach and Benefits to Client
ImmD Security Requirements:
Security requirements affect the selection of hardware, operating systems and the design of interfaces among components and the design of database components. Consult Hyperion's approach to determining the security requirements was based on performing a Structured Risk Analysis (SRA). Risk analysis enables the identification of cost-effective measures to mitigate risk.
In addition to providing a report, Consult Hyperion also delivered a spreadsheet containing tables of threats, vulnerabilities and risks with their corresponding measures of severity. This enabled the client to perform "what if" analyses, creating a living document that can track the reductions in exposure as countermeasures are implemented.
One of the requirements was that citizens should be able to change their PINs easily. Consult Hyperion recommended the use of kiosks and the presentation of a finger biometric to facilitate this, with the biometric template being stored on the smart identity card.
ImmD Specifications:
The approach was based on the use of structured analysis techniques, which Consult Hyperion has employed successfully on many occasions to assist clients with complex procurements. The following activities were performed:
- formally gathered the system requirements
- examined options for how the systems might behave in meeting the requirement
- produced specifications for these systems which formed part of the tender documentation for the system supply
- provided advice to assist in the process of producing the tender and evaluating the responses
Consult Hyperion specified all the components (including the ID card, smart card-based Security Access Module (SAM), card and application management system and terminals) and devised a detailed evaluation system for bidders' technical proposals.
ITSD, Remote authentication feasibility study:
Consult Hyperion designed a system to allow the ID cards to be used for remote access to services, with minimal changes to the existing card cryptographic scheme. All components of the system were specified, as well as providing an interactive spreadsheet cost model and a management framework document outlining the business rules and procedures necessary to run the system.
Benefits from this assignment included:
- assurance, through risk analysis that the proposed HK ID card system was fit for purpose
- detailed analysis and functional specification leading to the production of tender documentation in such a way as to be independent of specific products and vendors
- a watertight process for assessing bids against actual requirements and specifications
- system specifications and cost model for the provision of a central e-Authentication service. These provided assurance that the proposed ID card scheme could be easily and flexibly extended to provide secure e-government services
