Independent review of Scottish Government's use of mobile messaging apps and non-corporate technology
Emma Martins' report of her independent review
23. Appendix 9. WhatsApp Risk Mapping Table
| Risk Category | Potential Impact | Risk Description | Mitigation | Ethical Considerations | Likelihood | Severity | Risk Grade |
|---|---|---|---|---|---|---|---|
| Encryption Concerns | Compromised National Security | End-to-end encryption hindering interception and analysis of potential threats. | Implement alternative communication channels with encryption that also allow controlled interception by security agencies. | Balancing privacy rights with national security concerns. | Medium | High | Medium |
| Data Privacy | Breach of Sensitive Information | Collection of user data by messaging apps, raising concerns about privacy and data breaches. | Educate users on data privacy best practices; implement policies restricting the sharing of sensitive information via messaging apps. | Protecting user privacy while ensuring the security of government data. | High | High | High |
| | Unauthorized Data Access | Unauthorized access to sensitive government information stored or transmitted via mobile messaging apps (MMA), leading to data breaches or leaks. | Implement robust encryption for data in transit and at rest; enforce strict authentication and access controls; carry out regular security audits and updates. | Respect for individuals' privacy and confidentiality of information. | High | High | High |
| | Data Leakage | Leakage of sensitive information due to improper handling or transmission via MMA, leading to reputational damage. | Provide comprehensive training on data handling and security protocols; establish clear guidelines for what information can be shared via MMA. | Ensuring transparency and accountability in handling sensitive information. | High | High | High |
| Malware and Phishing | Compromised System Integrity | Susceptibility to malware and phishing attacks leading to compromise of sensitive information. | Implement security awareness training programs for government workers; employ advanced threat detection software and protocols. | Balancing security measures with user convenience and usability. | High | High | High |
| Device Vulnerabilities | Malware and Exploits | Exploitation of vulnerabilities in MMA software or underlying devices, leading to unauthorized access or control. | Regularly update MMA software and device operating systems; employ mobile device management (MDM) solutions for centralized security control. | Ensuring the security and integrity of government IT infrastructure. | High | High | High |
| | Device Theft or Loss | Theft or loss of devices containing sensitive information, potentially leading to data breaches or leaks. | Implement device encryption and remote wipe capabilities; enforce strict physical security measures for device handling. | Protecting sensitive government information from unauthorized access or disclosure. | Medium | High | High |
| Communication Integrity | Message Tampering | Tampering with or alteration of messages sent via MMA, leading to misinformation or manipulation. | Use digital signatures or other cryptographic techniques to verify message integrity; enable features such as message deletion after a set period. | Ensuring the accuracy and reliability of communication within government agencies. | Medium | High | High |
| | Lack of Traceability | Difficulty in tracing or retrieving messages sent via MMA, hindering investigations or audits. | Implement logging and monitoring mechanisms for MMA usage; regularly review and archive communication records. | Ensuring accountability and transparency in government operations. | High | Medium | High |
| Live Location Tracking | Physical Threats or Surveillance | Risk of exposing government officials' whereabouts, making them vulnerable to physical threats or surveillance. | Disable the live location sharing feature; educate users on the risks of sharing location information; implement secure communication protocols. | Ensuring the safety and security of government personnel. | Medium | High | Medium |
| Third-party Access | Unauthorized Data Access | Concerns about third-party access to sensitive conversations and potential misuse of data. | Implement data encryption and access control measures; conduct regular security audits of messaging app providers. | Protecting sensitive government information from unauthorized access. | High | High | High |
| Dependency on External | Control Over Data and Infrastructure | Reliance on external platforms subjecting government to the security measures and policies of private companies. | Develop in-house communication platforms with stringent security measures, or partner with trusted vendors adhering to government security standards. | Balancing security requirements with the need for efficient communication tools. | High | High | High |
| Regulatory Compliance | Legal and Regulatory Violations | Use of messaging apps not meeting regulatory requirements regarding data storage, access, and transmission. | Ensure messaging apps comply with relevant regulations; implement policies for secure data storage and transmission; monitor changes in regulations. | Upholding legal and regulatory standards while maintaining effective communication. | Medium | High | Medium |
This risk mapping table provides an overview of the various risks associated with government workers using messaging apps like WhatsApp, along with potential impacts, risk descriptions, mitigation strategies, ethical considerations, likelihood, severity, and overall risk grades. |
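The "Message Tampering" row recommends digital signatures or other cryptographic techniques to verify message integrity. The Python below is an added illustration, not part of the report, of the simpler keyed option: an HMAC-SHA256 tag over a canonically serialised message record (sender, timestamp, text), so that any later edit to the text or to its metadata is detected, and so that a forger cannot recompute a valid tag without the key. The key, the record fields and the sample message are constructed for this example. The scenario assumed is verification of message records after they leave the app (exports, screenshots, forwarded text); in-transit integrity is already covered by the app's end-to-end encryption. Where non-repudiation is needed (proving which sender produced a record), a per-sender digital signature such as Ed25519 would replace the shared-key tag, with the same canonicalisation step.

```python
import hashlib
import hmac
import json
from typing import Dict

# Hypothetical shared verification key, held by the records-management
# system and the verifier only; it is never entered into the messaging app.
VERIFICATION_KEY = b"example-key-do-not-use-in-production"


def canonical_bytes(record: Dict[str, str]) -> bytes:
    """Serialise a record deterministically so that sender, timestamp and text
    are all bound by the tag, and key order cannot change the result."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def tag_record(record: Dict[str, str], key: bytes = VERIFICATION_KEY) -> str:
    """Return the hex HMAC-SHA256 tag over the canonical record."""
    return hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()


def verify_record(record: Dict[str, str], tag: str, key: bytes = VERIFICATION_KEY) -> bool:
    """Recompute the tag and compare in constant time; False on any alteration."""
    return hmac.compare_digest(tag_record(record, key), tag)


# Constructed sample record (not taken from the report).
ORIGINAL = {
    "sender": "official.a@example.gov.scot",
    "timestamp": "2024-03-01T09:15:00Z",
    "text": "Briefing moved to 14:00, room 3.",
}


def demo() -> Dict[str, bool]:
    """Tag the original record, then try the edits a verifier must catch."""
    tag = tag_record(ORIGINAL)
    results = {"untouched": verify_record(ORIGINAL, tag)}

    # Edited text: the stored tag no longer matches.
    edited = dict(ORIGINAL, text="Briefing moved to 16:00, room 3.")
    results["edited_text"] = verify_record(edited, tag)

    # Edited metadata is caught too, because the timestamp is inside the tag.
    backdated = dict(ORIGINAL, timestamp="2024-02-28T09:15:00Z")
    results["edited_timestamp"] = verify_record(backdated, tag)

    # A forger who alters the text and tags it with a guessed key still fails:
    # unlike a bare hash, the tag cannot be recomputed without VERIFICATION_KEY.
    forged_tag = tag_record(edited, b"attacker-guessed-key")
    results["forged_with_wrong_key"] = verify_record(edited, forged_tag)
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'verified' if ok else 'rejected'}")
```

Only `untouched` should verify; the three altered or forged records are rejected. The canonicalisation step matters as much as the MAC: if the verifier re-serialised the record with different key order or whitespace, a genuine record would fail, so both sides must use the same fixed encoding.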
Contact
Email: helen.findlay@gov.scot