
Auditor General identifies gaps in government's Support Jamaica website

 
An audit of the government's Support Jamaica website—which was set up, among other things, to receive Hurricane Melissa relief donations—has found information security governance gaps, inadequate access management, and non-compliance with data protection requirements. 
 
The Auditor General's report was tabled in Parliament on Tuesday. 
 
The website, which has raised millions of dollars, falls under the purview of the Office of Disaster Preparedness and Emergency Management (ODPEM), the agency leading the recovery effort. 
 
The Auditor General's Department said its review identified significant weaknesses in ODPEM's information security (IS) governance framework, which affected access controls over the Support Jamaica website. 
 
According to the AG, the audit found that the ODPEM did not formally approve Information Security or Access Control policies and procedures to govern the assignment, management, and monitoring of user rights across its information systems. 
 
In the absence of an established access policy, ODPEM operated without an enforceable standard for the provisioning, modification, and deprovisioning of user accounts on the Support Jamaica administrative dashboard. 
 
Consequently, ODPEM was exposed to an elevated risk of inappropriate or unauthorised access, inconsistent security practices, and weakened overall control of its information systems. 
 
The department also identified issues in user access management. 
 
It found that access was granted to eight external officers without documented requests, formal approvals, or evidence that the permissions assigned aligned with their official roles and responsibilities. 
 
It further found that the head of the entity was assigned "Super Admin" privileges, which provide full administrative, operational, reporting, and security access, despite system administration responsibilities being inconsistent with his job function and not justified. 
 
The report further stated that there is an increased risk of unauthorised access to sensitive donor, financial, and administrative data, potential misuse of system privileges, and non-compliance with applicable data protection laws.
 
The audit also raised concerns regarding data protection practices associated with the website.
 

