TALLINN, 24 May 2018 – The audit of the National Audit Office indicates that guaranteeing the safety and preservation of the critical databases of Estonia requires considerably more attention – there is no legal framework, there are significant deficiencies in guaranteeing information security in several critical databases, such as in the analysis of logs, penetration testing and protection of mobile devices. The special requirements needed for protecting critical data have not yet been established either.
Approximately half of the audit is subject to access restriction – certain parts are meant for internal use only. The National Audit Office has published the parts of the audit that cover general problems. In order to avoid jeopardising critical data and databases, the National Audit Office sent its detailed observations and recommendations about the organisation of information security to the audited authorities as separate documents meant for internal use only.
The National Audit Office made the following observations:
* Ten databases of critical importance from the viewpoint of independence have been identified in Estonia at present: the e-File, the Land Register, the Commercial Register, the information system of Riigi Teataja, the Land Cadastre, the information system of the State Treasury, the Register of Taxable Persons, the Population Register, the Register of Identification Documents and the State Pension Insurance Register. However, the conditions for selecting critical databases have not been determined, so there is no certainty that all of the necessary databases are included in the process.
The backup copies of half (five) of the audited databases are physically taken to Estonian embassies abroad on backup media once a quarter, but it has not been tested whether the information systems can actually be recovered from them. The owners of critical databases said in the course of the audit that restoring these copies to a working state quickly and easily is unlikely to be possible, as the recovery of work and services also requires functional application software and support services.
The preservation of the data required for the functioning of the state in the event of the destruction of local data centres would presently not be guaranteed in the case of five of the 10 databases. Some authorities have not fully understood the threats from which databases must be protected and the risk scenarios for which they need to prepare.
* In order to solve the problem of backing up and preserving critical databases, the Ministry of Economic Affairs and Communications intends to establish a data embassy, i.e. its own server room in a national data centre of a foreign state, and start backing up data to a foreign country electronically, via a data exchange channel. In addition to storage, this would also make it possible to guarantee the capability to operate services, i.e. if a data centre in Estonia is destroyed, its services can be provided from elsewhere. Steps have also been taken to achieve this objective – a contract with the data centre in Luxembourg has been signed, and the issues of equipment, a communication channel, etc. are being dealt with. The plan is to launch the data embassy near the end of June, i.e. the server room with the necessary equipment for backing up critical databases will be ready. Only backup copies will be kept there at first, but the plan is to also develop the capability to provide services from the data embassy. There are no plans to establish other data embassies at present; the Ministry of Economic Affairs and Communications will analyse this topic and make a decision after the Luxembourg project. Since the details of the operations of the first data embassy have not been agreed yet (e.g. what, how, how often and by which method will be backed up), there is no calculation of how much backing up critical databases electronically to the data embassy in Luxembourg could cost (e.g. to the owner of each database).
* No action plan or requirements have been established for the implementation of the concept of critical databases of Estonia, and there is no detailed risk analysis or action plan for the future. The additional measures agreed for the protection of critical databases, incl. a specific action plan and deadlines, have not been officially determined in any document. There is no legally mandatory set of rules; present activities are partly informal. The National Audit Office presumed that the state had determined the parties involved in keeping critical databases (e.g. a central coordinator, the owner of a critical database) and their roles (incl. rights and obligations). The audit revealed that so far, the process has only been described in the memo prepared by the critical information systems working group in March 2017. The rules for defining and maintaining critical databases have not been determined or regulated in any legislative act.
* The audits of compliance with the information security system ISKE, which are mandatory for the state authorities of Estonia, have been carried out as frequently as required in just two of the 10 critical databases. In two databases of critical importance, an ISKE data security audit was carried out only during the audit of the National Audit Office in late 2017, i.e. seven years (sic!) after these databases should have been audited.
* There are significant deficiencies in guaranteeing information security in several critical databases, e.g. in analysing logs, protecting mobile devices and encrypting hard drives. The National Audit Office found that means of checking the integrity of files should also be used. The use of removable devices in the computer network connected to a critical database should be restricted. Some owners of critical databases have carried out internal security tests and scanned their intranet, but there were also critical databases where no regular penetration tests had been carried out, i.e. they had not tested whether it is possible to break into the authority’s intranet or database from outside and change or destroy the data there. The need to protect critical databases physically should also not be underestimated.
Critical databases:
e-File, Land Register, Commercial Register, Riigi Teataja – owned by the Ministry of Justice and managed by the Centre of Registers and Information Systems of the Ministry of Justice.
Land Cadastre – owned by the Land Board and managed by the Information Technology Centre of the Ministry of the Environment.
Information system of the State Treasury – owned by the Ministry of Finance and managed by the Information Technology Centre of the Ministry of Finance (RMIT).
Register of Taxable Persons – owned by the Tax and Customs Board and managed by the RMIT.
Population Register – owned by the Ministry of the Interior and managed by the Information Technology and Development Centre of the Ministry of the Interior.
Register of Identification Documents – owned by the Police and Border Guard Board (PPA) and managed by the Information Technology and Development Centre of the Ministry of the Interior.
State Pension Insurance Register – owned by the Social Insurance Board (SKA) and managed by the Centre of Health and Wellness Information Systems (TEHIK).
Auditor General Janar Holm commented on the results of the audit as follows:
“There is certainly no reason to panic – as an e-state, we’ve set ourselves rather strict requirements in guaranteeing data security and even these problems don’t mean that our critical databases are not secure. However, as we want to belong to the elite of e-states, we must be able to comply with the strict requirements that we set for ourselves. This is particularly important in the case of critical databases, especially because many databases are now fully digital and we no longer have data on paper that could be used to recover lost information.
Guaranteeing the security of databases is certainly not a glamorous topic the ministries could use for attractive press releases, such as giving all kinds of support funds to one or another stakeholder. Also, it is possible to get more attention and approval in the area of IT with some new and cool e-service. Unfortunately, information security is one of the topics of the state’s life where getting the praise (and votes) of the general public is difficult when everything is fine, but it’s possible to lose a lot when a security risk materialises.
The ‘invisibility’ of information security solutions has created the situation where the officials responsible for information security in many government agencies have told the auditors of the National Audit Office that they cannot make the investment needs concerning security or even the necessity of simpler prevention measures visible and audible to political decision-makers in addition to other choices. The audit indicated that there are plenty of reasons to see and hear, and to demand as well.
The Ministry of Economic Affairs and Communications has defined its present activities as a pilot project, where more suitable technical and legal solutions for the organisation of backing up are still being sought. Moving in the right direction would be more successful if those responsible had fixed the objectives and action plan of the project in greater detail. The establishment of a clear legal framework and a longer financial plan would also be good.”
The National Audit Office advised the Minister of Entrepreneurship and Information Technology to
- determine the rules for additional protection of critical databases, incl. the selection of critical databases, the processing of data therein and the backing up of the data that are critical to the state; and assess how to provide additional funding for these activities;
- analyse the different stages of the establishment of data embassies both in terms of financial planning and information security, and implement the best project management practices in the implementation of these stages.
The Ministry of Economic Affairs and Communications agreed with most of the recommendations made by the National Audit Office.
The National Audit Office presented its recommendations for the improvement of information security in the detailed summaries of checklists sent to the owners of critical databases. For example, the National Audit Office recommended the following:
- In information security procedures, determine how often, in what way and to which scope the weaknesses of critical databases must be assessed.
- In order to identify anomalies, regularly check event logs and prepare reports about this after determined periods of time.
- Assess the level of information security awareness of the staff of agencies and areas of government and on the basis of this, prepare plans for basic information security training and raising awareness.
- In information security procedures, determine how the inspection of the integrity of files will be guaranteed in systems of critical importance.
- Regularly order external and internal penetration tests to identify the vulnerabilities or security weaknesses of critical databases.
Background:
In this day and age, preserving the independence of Estonia means that in addition to physically defending the territory of the state, it is also necessary to protect the digital assets of primary importance to the state against the events that pose the biggest threat to the Republic of Estonia. The digital assets that need to be protected the most are the data held by the state about the people living here, the territory of the Republic of Estonia and lawmaking. It is also necessary to protect the data on the property, real estate and rights belonging to people in Estonia.
The Working Group on Critical Databases works under the Cyber Security Council on the initiative of the Ministry of Economic Affairs and Communications and has started to regulate the protection of the data in the aforementioned databases that are the most important or critical to independence.
In the course of the audit, the National Audit Office checked how the state has selected the data and databases that are critical to guaranteeing national sustainability. It also checked whether and with which tools the security of these data and databases is guaranteed, as well as whether and how the long-term continuity of the databases containing these data is guaranteed.
As Estonia is a member of NATO and the European Union, the physical security of the state is better guaranteed than ever before. However, Estonia must consider the possibility that cyber security may also be at risk in the event of an escalation of security problems. Such risk scenarios and the increasingly frequent information security incidents of recent years, such as cyber attacks and data leaks, may also jeopardise the data and databases that are the most important to the state.
If the data that are of primary importance to the state are changed without authorisation, leak or perish, the state will no longer be able to perform its necessary functions, including guaranteeing the security of the people living in the state, providing necessary services to them, creating the environment required for business and much more.
Toomas Mattson
Communication Manager of the National Audit Office
+372 640 0777
+372 513 4900