Journal of Innovative Systems Design and Engineering
Integrating ICT in Customs Management at Kanyaru Border in Burundi: Design, Development and Implementation Conrad M. Mubaraka1, Mamman Salisu Jibia2 & Lillian Ndagire3 1. Deputy Principal, College of Higher Degrees and Research: Kampala International University, Uganda PO Box 20000 Kampala, Uganda 2. Lecturer, Dept of Library & Information Science, Hassan Usman Katsina Polytechnic Katsina-Nigeria 3. Lecturer, School of Science & Technology, Cavendish University Uganda *E-mail of the corresponding author:
[email protected] Abstract The study set out to assess the Security Controls, Security Policies and Procedures and Security Technologies in the computerized customs management system for Kanyaru Customs Office in Burundi. Using qualitative and quantitative approaches, the researcher found that although most of these parameters are in place, little use has been accorded, posing a more security threat. They therefore concluded that the developed system could significantly improve on the management of customs and security in general; hence the researchers recommend that management carries out training sessions and seminars to train their employees on security matters. This will equip the staff of Kanyaru custom office with necessary skills in using the system such that it will not be misused. Keywords: Records Management, Security 1. Introduction Records’ system design and usage are critical in computing today. Such records are hosted on networks which are being utilized in numerous ways to support human activities. However, it is difficult to know who owns each host on a network and so is security control. Dependence on networked information systems means enterprises are more vulnerable to security attacks which can disable temporarily their activities and induce losses in business profits and client trust. Despite the external sources of these attacks, internal abuse and malicious activity may generate unexpected damages. Effective information security management is fast gaining recognition as a major enabler of success in a dynamic business and technological environment (Acquisti, 2004). For instance, compliance with legal requirements make information security an essential element of internal control. Furthermore, information security choices have an impact on the behavior of service customers in both public and private sectors and this makes the analysis of non functional requirements a critical phase in the lifecycle of new platforms and solutions. Consequently, information system security is a many-sided concept. It involves technical, organisational, managerial, and behavioral considerations. For this reason, there is a real need to build an integrated approach for more efficient management of information security. Organizations’ ability to manage and counteract threats to organizational information assets has long been recognized as a significant objective of information security (IS) management (Wade and Linda, 2007). At the same time, human behaviours are reported as the primary source of security breaches in organizations. Motivation Kanyaru Customs Office (KCO) has increased merchandise processing which include items from Democratic Republic of Congo, Rwanda and Tanzania. Previously merchandize was minimal and less crime was reported.
1
Journal of Innovative Systems Design and Engineering Eventually technology related crimes emerged and continued to suffocate transparent administration of the border. It has been difficult to monitor some operations that take place within some offices at the border; implying possibility of foul play. The researcher then postulates that: i) what exactly happens in the various customs offices? ii) and how can the government of Burundi alienate such fouls? 2. Background The Kanyaru Customs Office which is located in the district of Kayanza (Burundi) at the Burundian North-West border with Rwanda was created in 1960’s. At that time, its main objectives were to keep track of all the merchandise traffic as far as record keeping and customs clearance are concerned. This office is responsible for registering incoming merchandises, producing clearance documents and forwarding the information to the central Office which dealt then with the financial aspects. The use of manual system in recording information and in managing customs control at the Kanyaru Customs Office showed a lot of weaknesses such as: lack of accuracy in reports, low processing of data, poor maintenance of records, altered records, loss of data and unavailability of reliable information. All these problems affect considerably the profitability in terms of financial output and in terms of services rendered by the customs agents to their customers. Therefore, the aim of this research was to build a more effective and reliable (secure and consistent) system which can handle a large amount of data and produce timely reports and later be evaluated for security control measures. Enhancing and developing more control in operations management considerably shows improvement in any organization performance. The activities of any organization need to be controlled and assessed for more efficiency and productivity. The record keeping of merchandise entry at the Kanyaru Customs Office is still manual and makes difficult the management control. Therefore, since Burundi has recently joined the East African Community, it is important to fall into step with his neighbors in computerizing all its customs for better integration and profitability. To achieve that, the Kanyaru Customs Office needs to improve its record keeping by introducing a new information system where information can flows more effectively and more efficiently. This system should be able to store, update, retrieve and process data timely and more accurately. Therefore, this study will focus on the design and implementation of a database management system which will manage and control access to the merchandises entry records at the Kanyaru Customs Office. The researcher examined the existing management control system at the Kanyaru Customs Office to determine the requirements; designed the proposed system; and test and implement and later evaluated for efficient Database Management System to replace the existing manual system. 2. Literature Review Significance of Information Technology Many companies in Africa are beginning to realize the benefits of information technology (IT). They are looking at IT as an integral part of business in hope of a successful future. It is important in very may ways of people’s lives in modern technological age and it is for this reason that a number of writers and directors of companies have been able to devise means of utilizing the versatility of this technology to improve on the business condition. In any organization, computerized systems involve information systems. Morley and Parker (2007) and Wade and Linda (2007) define an Information system as a collection of people, hardware, software, data and procedures that interact to generate information needed by the users in a organization. The purpose of the information system is to manage process and exchange data from the time it is generated through its conversion into useful information. The system would manipulate data through the different activities: data input through user interfaces, data storage, data processing and data outputs through reports. Decision Support Systems (DSS) as interactive information systems help users to solve management problems especially decision makers. They provide interactive environment for decision making and support managerial decision making by providing models for processing and analysing data. Through information systems like decision support systems, people are enabled to collect, process, and manage information needed for problem solving, control and decision-making. The following are some benefits of computerized systems (Wade and Linda, 2007): i) Computer Information systems are faster and more precise in the manipulation and processing of data than human systems. Therefore, they improve the accuracy of data and competitiveness in an organization; ii)
2
Journal of Innovative Systems Design and Engineering Computer-based information systems compared to human systems, take less time to process information and thus more work can be done in a short time; and iii) The expenses can be reduced since most the manual work can now be performed by the information system. • There are numerous ways to exploit network vulnerability. Some network security vulnerabilities, such as information leakage and espionage, are difficult to detect automatically or exploit in an automated way. There exist tools that may cause these errors to appear but none of them is capable of verifying the meaning of these messages and whether they are useful to attackers, which indicates the difficulty of detecting these attacks. On the other hand, attacks based on pattern recognition are easier to detect since there are specific pattern that can be transformed into rules to help in the identification process. There are several common network security attacks (Lam & Dennis, (1999) whose detection is based on pattern recognition. It is easy to define rules to identify most of these attacks, while there still exist some others for which it is very complex to create logic rules to detect them. So, the attacks that are based on pattern recognition are detected in internet messages in places that user input is expected. Managing Operations Risk analysis, concentrating on assets, threats and vulnerabilities, used to play a major role in helping to identify the most effective set of security controls to protect information technology resources (Mariana, Rossouw & Paul, 2001). To successfully protect information, the security controls must not only protect the infrastructure, but also instill and enforce certain security properties in the information resources. To accomplish this, a more modern topdown approach is called for today, where security requirements driven by business needs dictate the level of protection required. On the other hand, Lam & Dennis, (1999) advance that information security management has been placed on a firmer footing with the publication of standards by national bodies. These standards provide an opportunity for security managers to gain senior management recognition of the importance of procedures and mechanisms to enhance information security. They may also place demands on security managers to provide convincing demonstration of conformance to the standards. The risk data repository (RDR) computer model was developed to manage organisational information security data and facilitate risk analysis studies. The RDR provides a form of computer documentation that can assist the security officer to maintain a continuous record of the organisational information security scenario and facilitate system security development, business continuity planning and standards conformance audits. Many network infrastructures can allow one host to be a node on two different networks. Much as this can present some level of security it may as well pose a threat. If one network becomes weak an attacker can use this loophole to penetrate the other previously protected network infrastructure. The following technologies suffice to check possible threats (Acquisti, 2004; Lacey, 2010): • Segmentation reduces number of threats and limits the amount of damage a single vulnerability can allow. Much as a big network pools resources closer and significantly reduces distance, it may also become a source of trouble. Segmentation allows sub nets to be created so that one can monitor and administer easily. When many networks are established, it gives chance the network administrator to control access and use of the network, thus a reduction in levels of security threats. Single points of failure allow one to assess if the network was to fail, whether could deny access to all or a significant part of the network. Users on the network should enjoy their full privileges all the time however he/she should not do so on the expense of the network security. When one distributes or segments the network they will be avoiding such attacks. Intrusion detection systems (IDS) insinuates that after perimeter controls like firewall, access control some users are admitted to use computer systems. They monitor activities to identify malicious or suspicious events. Detection measures like signature based IDS perform simple pattern matching and report situations that match the pattern corresponding to a known attack type. Heuristic build a model of acceptable behavior and flag exceptions to that model, for the future, the administrator can mark a flagged behavior as acceptable so that the heuristic IDS will not treat that previously un classified behavior as acceptable. Heuristic looks for behavior out of the ordinary. Stealth mode prevents one from disabling IDS devices whereby an IDS has two network interfaces: one for the network to be monitored and the other for other administrative needs. It uses an alarm to generate an alert. It is therefore insinuated that a secure
3
Journal of Innovative Systems Design and Engineering system (SS) developed by a ‘secure’ mind is key in managing transactions (MT) in cross border exchange and a boost to government profitability (GP); hence MT+GP=f(SS) 3. Methodology The study took both qualitative and quantitative approaches. The former used interview guides and observation to collect data about the transaction process; while the latter used non-standardized questionnaires and government statistics to compute relative statistics. The questionnaires sought to find out the existing technology in regard to reliability of the system. Data collected paved way for requirements necessary for an improved information system. System Development life cycle of a computerized merchandise entry control system for Kanyaru customs office went through phases such as planning, analyzing, design, testing, development lastly implementing (Satzinger, Robert and Stephen, 2002). Design and development phase involved entity relationship(ER) diagram, use CASE diagrams and the database was developed with SQL and PHP for interface design. When the system was completed, it was tested to ensure that it performed as designed. The target population for this system was the entire customers traveling through Kanyaru border , staff and administrators. Construct validity index of 0.87 and Cronbach alpha coefficient of 0.76 deemed the questionnaires of quality. Use CASE Model
Sys. Analyst
Insert and store data Retrieve data
Database
Customs Agents Dbase administrator
Data
Maintain, monitors and controls the system functionality
4
Produce reports of transactions
Assesses and approves the reports Figure 1: Use CASE Diagram for the proposed recordkeeping system .validity Supervisor
Application.
Update/delet e data
Admin
Journal of Innovative Systems Design and Engineering The graphical user interface which helps the user to interact with the database was programmed with PHP (Hyper Pre-Processor). It is a popular open source HTML-embedded scripting language that allows developers to write dynamically-generated pages quickly. It helps the user to access the database and manipulate the data stored inside. The database was constructed using the MySQL platform that runs as a server providing multi-user access to a number of databases. MySQL was free and cost-effective software for development of the database.
Figure 2: System Architecture After logging into the system from the main page, the user can perform the following actions: i) The customs agent can insert the employee’s details, the customer details and transactions and then submit them to the database; ii) After submission, the customs agent or the supervisor can retrieve that information from the display pages. He/she can then manipulate (update, delete) it as he wishes before producing the final report which will be printed at the end of the day; and iii) The customs agent or the supervisor is also able to retrieve records or details about a particular customer’s transactions using the search option. 4. Findings Security Controls Results show that majority of enterprise security controls fairly exist and sometimes used (2.05). Results also show that power failure detection (2.76) and viruses’ detection (2.67) controls are commonly used while holistic approach (1.24) and enterprise security policy (1.23) are rarely used. Results further show that respondents’ opinions for both extremes did not vary so much. Security Policies and Procedures Results shows that to a relatively greater extent security policies and procedures exist and are used (i.e. average mean of 1.98). The average standard deviation affirms this to the effect that respondents’ responses did not vary so much (i.e. average of 0.75). Furthermore, results show that proprietary data policy (2.58) and business continuity policy (2.32) seem outstanding among others while information security policy (1.45) and data destruction policy (1.54) trail. Majority of the respondents widely varied their opinions on data recovery procedures (0.94) and business continuity policy (0.92) while they seem to concur on information security coding (0.45) and Communications use and misuse policy (0.46). This partially may explain that organizations seem to pay attention to their data on the expense of the others, without knowing that all the above policies interrelate; otherwise a security loophole suffices.
5
Journal of Innovative Systems Design and Engineering Security Technologies Results reveal that most enterprise technologies seem to be fairly in place but little use or sometimes no use is accorded (2.34). The results still postulate that antivirus software and power surge protection are mostly available and used. Respondents collectively agree to an accurate precision point to the effect that their responses did not vary widely (i.e. were close) with an average standard deviation of 0.05. 5. Discussion Findings on security controls align well with the proposition that system and security users, for that matter, should be involved extremely in all stages of development through implementation and evaluation (Von, von & Caelli, 1993), Lam & Dennis, (1999), Mariana, Rossouw & Paul (2001). All stake holders must be involved because most attacks have been observed as orchestrated by insiders who usually have goo knowledge of the system weak points and how to manipulate them. The relatively greater extent of existence of security policies and procedures was corroborated with Acquisti (2004), Wade and Linda (2007), Lam & Dennis, (1999), Mariana, Rossouw & Paul (2001) who advance that most organisation institute security technologies but fall short of the relevance of policies to guide effective use of such intervention. Failure to accord appropriate attention may compromise security adversely to the effect that the organisation may incur great expenses in correcting the flaws. Security technologies being fairly utilized (2.34) implies that little attention is put to logical security which attracts most threats in form of hacking and infiltration. This is in agreement with proponents like Mariana, Rossouw & Paul, (2001) and Acquisti (2004) who assert that security should be all embracing because a single point of failure may expose the entire system to attack. Antivirus software is common because every user seem to have some knowledge about it; however, matters of updates and robustness of some of them could be causing most security threat experiences among users 6. Conclusion The system was created according to the needs of the customer population and fully running. The research recommends that the management of Kanyaru custom office in order to affirm the security of the system , they should come up with a security policy on how the system will be used and securely maintained. The research recommends that management carry out training sessions and seminars to train their employees on security matters. This will equip the staff of Kanyaru custom office with necessary skills in using the system such that it will not be misused. References Acquisti, A. (2004) Privacy and security of personal information: economic incentives and technological solutions, in Camp, L.J. and Lewis, S. (Eds), Economics of Information Security, Kluwer, Dordrecht. Jeffer, A. H, George. J. F. and Joseph S. V. (2005) “Modern Systems Analysis and Design”, 4 th Edition, Pearson Education Inc. Kenneth, C. L. and Carol G. T (2003) “E-commerce, business technology society”, New York, 2 nd Edition, Azimuth International Inc., 2003. Lacey, D. (2010) Understanding and transforming organizational security culture, Information Management & Computer Security, Vol. 18, pp. 4-13. Lam, K. & Dennis .L. (1999) Information security management and modelling, Information Management & Computer Security, Vol. 7 Iss: 1, pp.30 - 40 Mariana, G., Rossouw. V.S. & Paul .O. (2001) Formalizing information security requirements, Information Management & Computer Security, Vol. 9 Iss: 1, pp.32 - 37
6
Journal of Innovative Systems Design and Engineering Morley, D. and Parker. C. (2007) “Understanding Computers: Today and Tomorrow”, 12 th Edition, Boston, Course Technology Cengage Learning, 2007. Raghu, R and Johannes G (1998) “Database Management Systems”, 2nd Edition, The McGraw-Hill companies, Inc. Satzinger, W., Robert, B. J and Stephen. D. B (2002) “Systems Analysis and Design in a Changing World, 2nd Edition Boston, Course Technology Thomson Learning, 2002 Thomas, C and Carolyn B. (2005) “Database Systems, a practical approach to Design, Implementation and Management”, 4th Edition London, Pearson Education Limited. Wade, H.B. and Linda, W. (2007) Is information security under control? Investigating quality in information security management, IEEE, Security & Privacy, Vol. 5, pp. 36-44. Conrad M. Mubaraka holds a PhD, MSc Computer Science and BSc in Computer Science from Kampala International University, Uganda. He is a researcher, lecturer and manager with a 10 year experience in the university setting. Besides the mentioned portfolio, he also serves as Reviewer in African Journal of Information Systems and Guest Editor of the International Journal of Databases. He is the author of a research book: “Research Made Easy” that has significantly changed research practices of most graduate students in Uganda.
7
