
Published 28 Feb, 2022 10:23am

FTO calls for security audit of FBR’s IT-Wing

In line with the recommendations of the Federal Tax Ombudsman (FTO) Dr Asif Mahmood Jah, a security firm shall conduct a security audit of the data centres of the Federal Board of Revenue’s (FBR’s) Information Technology Wing (IT-Wing).

This was concluded in an investigation conducted by the FTO, who unearthed systematic flaws in the security of confidential/classified taxpayer data and directed the FBR to develop security policies/infrastructure and implement international standards for protection against future cyber attacks on the FBR website.

It is learnt that the FTO, in a landmark investigation, found that the confidential/classified data of the FBR web portal was hacked, as PRAL has not properly discharged its duties.

According to details, tax lawyer Waheed Shahzad Butt filed a public interest complaint against the FBR/PRAL key position holders. After a comprehensive investigation, FTO Dr Asif Jah concluded that FBR/PRAL is not using any software to manage its network security policies, that the FBR filed a false/wrong statement regarding the period of system disruption, which is also contrary to the Finance Minister’s stance, and that an expired certification is being used.

The FTO order stated that the said analysis clearly reflects maladministration oozing out of neglect, inattention, delay, incompetence and ineptitude of FBR and PRAL’s functionaries in the administration and discharge of assigned duties and responsibilities. The PRAL data centre is not equipped with any Intrusion Prevention/Intrusion Detection system, a material systematic flaw exposing the security of its database. The PRAL data centre is not compliant with a credible international standard, and its certification also expired in December 2020.

When contacted, Waheed Shahzad Butt told this correspondent that cyber attacks on key data websites, data and data centres of FBR/PRAL pose a threat that can undermine the security capabilities of the state.

The FBR has submitted a compliance report to the FTO, which stated that “PRAL has reinforced ‘ISMS’ policies and procedures in lieu of the ISO 27001 framework. However, they are awaiting security infrastructure, for which procurement has already been initiated.

The process of procurement of security infrastructure is already under way, which also consists of SIEM. Once the procurement is completed, PRAL will deploy SIEM at the data centres with enhanced security features. The FBR (IT Wing) has recently awarded a three-year contract to a reputable security firm to conduct a security audit of data centres. After the completion of the audit, FBR Data Centres will be ISO-27001 certified”.

The story was originally published in Business Recorder on February 28, 2022.
