UK Electoral Commission Information Access Security

LogLogic: 19 May, 2010 (Special Report)

Guy Churchward of LogLogic questions whether the UK Electoral Commission has sufficient control over privileged user rights for accessing voter registers.

In March 2010, LogLogic submitted six key questions under the Freedom of Information Act to the UK Electoral Commission. The company wanted to find out how they are protecting eligible voter information and monitoring access to the Registers. LogLogic have now finally (weeks after the 20 working days deadline) received a reply, as explained by Guy Churchward, LogLogic's CEO.

Initially we asked whether they had a product in place which allowed them to monitor and log access and changes to information on the electoral roll register/database. They replied stating that they don't. Apparently local authorities manage their own electoral registers, meaning that there is no central point of control at all. They are sent secure updates on a monthly basis by each individual local authority - how this is done (over email, USB etc.) wasn't stated. The Commission did not divulge details on whether each local authority had a product in place to monitor and log access either.

We also asked how many people had access to the Registers and whether this was reviewed on a regular basis. The response here was interesting. Within the Commission, a total of 25 staff have access to the electoral registers in the Party and Election Finance team. These documents are stored in restricted folders and can only be accessed by the relevant staff for purposes of checking permissibility of donations to political parties. In addition, a number of technical staff (currently 8) in the IT team also have access to the information. The electoral register information is apparently only accessed on a need-to-know basis and these access permissions are controlled by the ICT team with permission given in line with an agreed policy and procedure after obtaining appropriate authority. All information assets, including the electoral rolls, are reviewed annually (and ad hoc throughout the year if there is an indication that this may be necessary or as part of an audit) to ensure that they are handled and used appropriately. In addition, each time there is a change in staff, permissions to access the electoral registers are reviewed.

Whilst this sounds reassuring, it is important to note that procedures and policies are great - but only if they are followed to the letter. And who is checking that? We would have (hopefully) assumed that privileged users were also being electronically monitored regarding their activities on the registers as a backup, but the answer to that question was no. They do not currently have automated systems in place to monitor the activities of users whilst accessing the electoral registers.

My 'Spider Sense' went off. Yes, the Commission's security measures conform to 'data handling in government' guidelines, but they aren't tracking users electronically and subsequently don't have any way of generating real time security alerts.

The need to monitor the digital footprint of employees in order to preserve the confidentiality and integrity of data and monitor privileged user activity is extremely important - especially with regard to public sector information. It's very disappointing. I'm hoping that each local authority is a little sharper and is electronically managing and monitoring access to their databases - it's certainly something we should be asking our councils about.

It is critical that organisations like the Electoral Commission implement a central, workable and secure solution. They must act upon it, monitor and maintain processes and stay up-to-date with access controls. Well-managed log data can provide them with a vital window on irregular activities. Why wouldn't they implement it?
   © 2012 ProSecurityZone.com