Notes from the Security Bootcamp in Ghana

Article submitted by DHIS2 expert Bob Jolliffe @bobj

The Ghana Health Service hosted and organised a security bootcamp
between 23rd to 27th of September in Aburi, Ghana. They were joined
by participants from Togo, Nigeria, Ireland and Oslo. Over the course
of five days many areas were covered, including security process
planning and design, rapid server audits and training. Country
experiences and challenges were shared by Nigeria and Togo.

Last year a small group of masters students formed a DHIS2 related
security research group in the University of Oslo. In keeping with
the action research tradition of the HISP project, one of those
students (Katrine Almås) has been researching security management
systems. Prior to the security bootcamp Katrine spent three weeks
assessing the system in Ghana based on the recommendations outlined in
ISO27000. The gaps identified formed the base for the two first days
of the bootcamp, which was mainly focused on process planning.
Discussions and group work resulted in both an asset register and a
risk register that will provide structure for which areas the team
should focus on going forward. For the remaining days the focus
shifted to the technical aspects of the system. A rapid server audit
was performed on both servers, and some immediate improvements were
made. Practical training exercises were given to the participants to
elevate their knowledge.

Information between participating countries were shared through
discussion including a presentation on how the DHIS2 is set up in

The meeting did not meet all of its objectives, but there were many
useful outcomes. These include:
(i) a working risk register was established with a number of risks
identified and classified according the ISO27000 categorization.
(ii) the rapid assessment tool for the server setup was refined.
(iii) some immediate improvements were made to the server setup
(iv) progress was made in the design of an incident reporting and
response system
(v) a help desk system has been identified and installed and will be tested
(vi) many other gaps were identified and will inform the future work of the GHS

A number of suggestions were made about how this type of initiative
should be followed up. The participants felt that there would be
value in organising Security Academy at the regional level to raise
general awareness of security issues. In country bootcamps like this
one also have additional value by focussing on concrete systems.
Ideally regional organisations such as HISP WCA could lead such
initiatives. There is a general need to raise security consciousness
around DHIS2 implementation at all levels from country to regional and

Quote from the head of the GHS HMIS: “it’s been a great experience
working with Katrine, especially the use of ISO27000. It is not just
a one off experience but something we need to repeat yearly. It will
also be very useful for us in responding to our annual government IT
audit. We hope that some of what we have done can also be useful in
other countries.”