TALLINN, 9 February 2023 – The National Audit Office audited five national databases containing sensitive data and came to the conclusion that although only authorised persons have access to the data there, in the case of two databases, the access rights of these persons are unreasonably broad. The justification of data queries should be checked more rigorously and logs should be analysed to determine who used the data, when and for what reasons.
The National Audit Office audited five databases: the Social Security Information System (SKAIS), the Social Services and Benefits Registry (STAR), the Criminal Records Database (KARR), the e-File misdemeanour procedure interface (VMP), and the Automatic Biometric Identification System database (ABIS), which is still under development.
“The user of sensitive data should have access to the data that is directly related to their work and that they have the need to know, but no more,” said Auditor General Janar Holm. “In the opinion of the National Audit Office, user access to the data in the SKAIS1 and STAR databases of the Social Insurance Board is too extensive, and this creates a certain risk of misuse of data.”
In the Social Services and Benefits Registry, an official of a local authority has access to procedures related to residents of other local authorities and to the data contained in them. The National Audit Office points out that the Social Services and Benefits Registry has not implemented the measures necessary for analysing logs and verifying the justification of queries. The number of procedures that users can access is relatively high because the Social Services and Benefits Registry has been in use since April 2010 and no data have been removed from the database (for example, archived) since then. This adds even more weight to the need to protect the large amount of personal data it holds.
According to the National Audit Office, users of the database of the Social Services and Benefits Registry in local self-government should have access to the data of people living in their own local self-government. However, if access to procedures related to residents of other local authorities is needed, the control procedure for additional access validation should be determined.
The National Audit Office is of the opinion that auditing of access rights should be made mandatory for sensitive data in the future, as it would help to mitigate risks related to data security. The mandatory information security implementation audit for national databases was carried out in four of the five audited databases. These audits did not verify the security measures of the access management module as the auditors were not required to do so pursuant to the audit guidelines of the three-level baseline security system ISKE.
The National Audit Office notes that it is necessary to continuously analyse the log data of databases in order to detect the misuse of data as early as possible. The National Audit Office established during the audit that although log data – information about events taking place in the database – was collected and stored, there was no systematic or continuous analysis of the log data. The documents governing the activities of institutions or databases did not provide for the obligation to analyse or monitor log data.
No regular or systematic monitoring or checking of the justification of queries was carried out in the audited databases. Such checks were not regulated in detail in the documents governing the activities of the institutions or databases either. Checks were carried out irregularly and only after discovered incidents, queries or complaints from data subjects, or other external events.
Security incidents can be detected at an early stage and without major damage only if the use of databases is monitored continuously and logs are analysed. Without this, there is a risk of sensitive data leaking. Risks related to unauthorised alteration of logs should also be assessed and solutions for time stamping and/or crypto chaining should be implemented to ensure the integrity of logs.
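The two measures this paragraph and the preceding ones call for, continuous log analysis and tamper-evident logs, can be combined in a small append-only log whose records are chained by hashes. The block below is an added illustration and is not code from the National Audit Office or from any of the audited databases: each record is bound to the SHA-256 hash of its predecessor (the "crypto chaining" the release mentions), so altering or deleting any record breaks every link after it, and a review pass flags queries that a data controller should check. The sample log entries, the municipality names, and the two review rules (a query about a resident of another municipality must carry a justification; more than a set number of queries per user per day is an outlier) are constructed assumptions for this example.

```python
import hashlib
import json
from typing import Dict, List, Optional, Tuple

# Hash of the (non-existent) record before the first one.  Constructed constant.
GENESIS_HASH = "0" * 64


def record_hash(prev_hash: str, entry: dict) -> str:
    """Hash a log entry together with the hash of its predecessor.

    Binding each record to the previous hash makes the chain tamper-evident:
    changing or deleting any record changes every hash that follows it.
    """
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(prev_hash.encode("ascii") + payload).hexdigest()


class ChainedAuditLog:
    """Append-only query log whose records are linked by SHA-256 hashes."""

    def __init__(self) -> None:
        self.records: List[dict] = []

    def append(self, entry: dict) -> str:
        prev = self.records[-1]["hash"] if self.records else GENESIS_HASH
        digest = record_hash(prev, entry)
        self.records.append({"entry": entry, "prev": prev, "hash": digest})
        return digest

    def first_broken_record(self) -> Optional[int]:
        """Return the index of the first record whose link is broken, or None if intact."""
        prev = GENESIS_HASH
        for index, rec in enumerate(self.records):
            if rec["prev"] != prev or record_hash(prev, rec["entry"]) != rec["hash"]:
                return index
            prev = rec["hash"]
        return None


def review_queries(log: ChainedAuditLog, daily_limit: int = 3) -> List[str]:
    """Flag queries whose justification the data controller should check.

    Both rules are assumptions made for this example:
      1. a user querying a resident of another municipality must have recorded
         a justification for the query;
      2. more than `daily_limit` queries by one user on one day is an outlier.
    """
    findings: List[str] = []
    per_user_day: Dict[Tuple[str, str], int] = {}
    for rec in log.records:
        e = rec["entry"]
        if e["user_municipality"] != e["subject_municipality"] and not e.get("justification"):
            findings.append(f"{e['ts']} {e['user']}: cross-municipality query without justification")
        key = (e["user"], e["ts"][:10])  # (user, calendar day)
        per_user_day[key] = per_user_day.get(key, 0) + 1
    for (user, day), count in sorted(per_user_day.items()):
        if count > daily_limit:
            findings.append(f"{day} {user}: {count} queries in one day (limit {daily_limit})")
    return findings


# Constructed sample entries standing in for one day's queries in a benefits registry.
SAMPLE_ENTRIES = [
    {"ts": "2023-02-01T09:02:11", "user": "official_a", "user_municipality": "Tartu",
     "subject_municipality": "Tartu", "subject": "S-001", "justification": "benefit application 17/23"},
    {"ts": "2023-02-01T09:15:40", "user": "official_a", "user_municipality": "Tartu",
     "subject_municipality": "Narva", "subject": "S-002", "justification": ""},
    {"ts": "2023-02-01T10:01:05", "user": "official_b", "user_municipality": "Parnu",
     "subject_municipality": "Parnu", "subject": "S-003", "justification": "home visit 08/23"},
    {"ts": "2023-02-01T10:04:19", "user": "official_b", "user_municipality": "Parnu",
     "subject_municipality": "Tallinn", "subject": "S-004", "justification": "relocation case 42/23"},
    {"ts": "2023-02-01T10:09:52", "user": "official_b", "user_municipality": "Parnu",
     "subject_municipality": "Parnu", "subject": "S-005", "justification": "home visit 09/23"},
    {"ts": "2023-02-01T10:12:30", "user": "official_b", "user_municipality": "Parnu",
     "subject_municipality": "Parnu", "subject": "S-006", "justification": ""},
]


def build_sample_log() -> ChainedAuditLog:
    """Build a fresh chained log from the constructed sample entries."""
    log = ChainedAuditLog()
    for entry in SAMPLE_ENTRIES:
        log.append(dict(entry))  # copy so later tampering tests do not alter SAMPLE_ENTRIES
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.first_broken_record() is None)
    for finding in review_queries(log):
        print("REVIEW:", finding)
    # Backfilling a justification after the fact is detected at that record.
    log.records[1]["entry"]["justification"] = "added later"
    print("first broken record after edit:", log.first_broken_record())
```

The chain only proves that records have not been altered since they were written; to protect against an operator rewriting the whole chain, the latest hash must periodically be anchored outside the system (a trusted timestamp or a copy held by a separate party), which is the time-stamping half of the recommendation.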
Background
The purpose of the audit was to assess whether access management is organised in line with the established requirements and best practice, whether measures have been implemented in the audited databases that ensure access to the database by authorised persons and exclude access by unauthorised persons, and whether the implemented measures are functional. On the basis of an expert sample, the following databases were audited: the Social Security Information System (SKAIS), the Social Services and Benefits Registry (STAR), the Criminal Records Database (KARR), the e-File misdemeanour procedure interface (VMP), and the Automatic Biometric Identification System database (ABIS), which is still under development.
The main criterion for selecting these databases for auditing was the sensitivity of their data: for all five databases, the ISKE confidentiality security class S2 or S3 has been established. Security class S2 stands for confidential information: use of the information is permitted only for certain specific user groups, and access is permitted if the person requesting it has a legitimate interest. S3 stands for extremely confidential information: use of the information is permitted only for certain specific users, and access is permitted if the person requesting it has a legitimate interest.
Access management must ensure that users have access only to the data and IT resources they need for the performance of their duties, and only to the extent for which they are authorised.
Priit Simson
Head of Communications of the National Audit Office of Estonia
+372 640 0102
+372 5615 0280
http://www.riigikontroll.ee/
Posted: 2/9/2023 9:41 AM
Last Update: 2/9/2023 9:41 AM
Last Review: 2/9/2023 9:41 AM