Individuals can file complaints or claims to the Central Inspection against administrations falling within its remit, or against the employees or workers of these administrations, for investigation and establishment of facts.
Subject: Lebanon Emergency Crisis-Response Social Safety Net Project (ESSNP)
Implementation Support Mission for the Assessment of the DAEM Platform (August 1-5, 2022)
Excellencies,
We would like to express our appreciation for the hospitality and collaboration extended by the Government of Lebanon (GOL) to the World Bank mission that took place in Beirut during the period August 1-5, 2022 for the subject project. The mission’s objectives were to: (i) Assess the technical functioning of the DAEM registry; (ii) Review the DAEM software development and data related issues; and (iii) Assess the data center and the structure of its cyber security. The attached Aide-Mémoire summarizes the findings of the mission and outlines next steps.
Our overall assessment of the DAEM social registry is positive and the software development process follows the deliverables as agreed. To date, all key modules have been developed forming the building blocks for a full Social Protection Information System (SPIS). Specifically, the following modules are functioning: (i) Intake and Registration; (ii) Validation and Eligibility Assessment; (iii) Payment Administration; (iv) ESSN back-office;
(v) Reporting and Data Analytics; (vi) Public Dashboards; (vii) User Interfaces for WFP, surveyor firms and the PCM; and (viii) a GRM module. The DAEM data center is hosted on the premises of OGERO following the EU’s General Data Protection Regulation (GDPR). The software development process is well supervised and monitored by the Central Inspection as per the Prime Ministerial Decision (September 30, 2021). DAEM is a secure platform, it adheres to global data privacy standards, and deploys top of the line tools. Certain improvements are still needed especially for the end-users namely the ESSN Project Management Unit (PMU) in the Presidency of the Council of Ministers (PCM), and for the World Food Programme (WFP) (that is implementing segments of the program). These are detailed in the Aide-Mémoire and its Annex I.
The mission also discussed the data center and cybersecurity of DAEM. The DAEM data center follows TIER 3 international standards. Application servers and databases are hosted at OGERO’s private cloud that is based in Lebanon. The data center is accessed through secure virtual servers, through static IPs with restricted access. Devices in the data center are locked in secure cabinets. The full operating system is encrypted. In addition, OGERO has internal cyber security measures such as firewalls, DDOS, IPS, antivirus, Back-up, PAM, etc. Accession to the system is only possible through: (i) Beneficiary portal (registry portal by applications); (ii) PCM end-user interface; and (iii) WFP end-user interface. User access is therefore limited to these three options only. In addition, database administrator passwords are split between related parties making it impossible for a single party to access the system on its own. PAM (Privileged Access Management) is used to track and secure every privileged
account, to govern and control access, and to record and audit privileged activity. Additionally, a third-party cyber security consulting firm has been contracted and already executing the required types of penetration tests on a regular basis.
The Central Inspection (CI) has played the role of audit and oversight over the DAEM platform. The CI conducts this role by using digital tools and analysis and submitting regular reports to the GOL. Specifically, the CI conducts: (i) real-time audit and results analysis; and (ii) data privacy and security. In addition, and on a temporary basis, the CI has been hosting the program call center and grievance mechanism.
In conclusion, the mission found that the DAEM registry is functioning well, especially given the short period of time during which it was developed and deployed. We recommend that continued development and improvement in the DAEM registry be undertaken over the coming year. It is also important that the DAEM registry continue to be utilized as Lebanon’s social registry for all social safety net programs.
I take this opportunity to thank your teams again for the cooperation extended during the mission which has enabled significant progress on the ESSN and the DAEM platform. The World Bank wishes to reiterate that it stands ready to continue supporting Lebanon during these difficult times.
Sincerely,
Jean-Christophe Carret
Country Director, Middle East Department
Middle East and North Africa Region