Arise, O Compatriots! Nigeria Calls to Obey. The first phrase of our former national anthem is etched in history, symboliSing a call to action for all Nigerians.

Recently, I came across a video online featuring the commissioning of the Bola Ahmed Tinubu Technology Innovation Complex at the Nigerian Immigration Service (NIS) Headquarters in Abuja, showcasing some of the technology facilities on ground including a newly built data center. The initiative is a commendable step toward addressing systemic lapses and reducing corruption, particularly in passport processing.

Nigerians can relate to how arduous obtaining or renewing a passport used to be. From excessive waiting periods to unofficial fees—popularly called “settle”—the system was challenging to navigate. Thanks to reforms introduced by Dr. Olubunmi Tunji-Ojo and the new NIS administration, these difficulties have improved significantly. Today, passport processing has become more efficient, transparent, and accessible.

However, with technological advancement comes a new level of responsibility, especially concerning information security. As an information security analyst, I observed a critical security gap in the video advertising the newly commissioned complex.

The complex was described as “A sophisticated, multibillion-naira project housing some of the most advanced technological security solutions, competing globally while serving as a blueprint for the rest of Africa.”

While this sounds ambitious, my professional analysis reveals significant security flaws that deviate from globally recognized security standards such as ISO/IEC 27001, NIST SP 800-53, and CIS Controls. Co-locating a data center in the same complex as a primary business or advertising its physical location introduces significant vulnerabilities making it as easy target for threat actors.

Let’s break it down against globally recognized security standards and frameworks like ISO/IEC 27001, NIST SP 800-53, and CIS Controls:

• Data Center Location

Risk: Having a data center within the same facility increases exposure to both physical and cyber threats, including natural disasters, insider threats, and targeted attacks.

Framework Alignment:

ISO/IEC 27001 mandates that organizations consider location-specific risks (A.11.1 – Physical Security Perimeter).

NIST SP 800-53 (PE-18) specifies the need for “location diversification” to reduce the impact of a single failure.

Best Practice: Data centers should be in geographically separate, secure facilities to ensure redundancy and disaster recovery.

• Advertising the Data Center

Risk: Publicly disclosing the location of a critical infrastructure makes it an easy target for threat actors.

Framework Alignment: ISO/IEC 27001 recommends maintaining confidentiality for sensitive infrastructure (A.18.1 – Compliance with Security Policies).

CIS Control 14 emphasizes minimizing the attack surface, including exposure to public information.

Best Practice: Limit information about the data center’s location to only authorized personnel with a need-to-know basis.

While the reforms and innovations introduced at the NIS are laudable, there is a pressing need to align the implementation with international best practices for information security. Addressing these critical vulnerabilities will not only enhance the security posture of the NIS but also serve as a true benchmark for Africa and beyond.

Omotoyosi Oduyoye is a Certified Information Systems Auditor (CISA) and Certified in Cyber Cybersecurity (CC) based in Edmonton, Canada.