Justification for making sensitive data queries in Estonia should be checked more rigorously, while logs should be analyzed to determine who used the data, on what basis and in what time-frame, the National Audit Office (Riigikontroll) found in a recent report.
The issue as presented particularly affects Estonia's 79 local municipalities, and the ability of officials to access data unhindered, even from databases relating to another municipality.
The agency has audited five national databases containing sensitive data, coming to the conclusion that, although only authorized persons have access to the data contained in these locations, in the case of two databases, the access rights of those persons are unreasonably broad.
Auditor General Janar Holm said: "The user of sensitive data should have access to the data that is directly related to their work and that they have the need to know, but no more."
"In the opinion of the National Audit Office, user access to the data in the SKAIS1 and STAR databases of the Social Insurance Board is too extensive, and this creates a certain risk of misuse of data," Holm continued, according to an audit office press release.
SKAIS1 is the Social Security Information System, and allows local authority officials access to procedures related to residents of other local authorities, and the data contained therein.
As for STAR, the Social Services and Benefits Registry, necessary measures for verifying the analysis of logs and the justification of queries have not been implemented, the office says.
The number of procedures that users have access to is relatively high, since STAR has been in use since April 2010, but no data has been removed from the database during that time, even to be archived.
This adds even more weight to the need to protect large amounts of data related to private citizens, the audit office says.
STAR users in local government should have access only to the data of people living in their own local government jurisdiction, the audit office goes on.
Should access to procedures related to residents of other municipalities be needed, in exceptional cases, proper checking procedures for additional access validation should be put in place, the audit office finds.
The auditing of access rights should be made mandatory for sensitive data in the future, as it would help to mitigate risks related to data security.
The National Audit Office audited the Criminal Records Database (KARR), the e-File misdemeanor procedure interface (VMP), and the under-development Automatic Biometric Identification System database (ABIS), in addition to STAR and SKAIS.
Of these five, the mandatory information security implementation audit for national databases had been carried out for four.
These audits did not, however, verify the security measures of the access management module, since the auditors were not required to do so under the audit guidelines of the Information System Authority's (RIA) three-level IT baseline security system (ISKE).
The office found that checks on, or monitoring of, queries were not adequately carried out in the audited databases.
Documents governing the activities of institutions or databases were not adequately monitored either.
Checks were carried out irregularly, and only after incidents, queries/complaints from data subjects, or other external events had come to light, the agency said.
The National Audit Office says the continuous analysis of the log data of databases is needed in order to detect the misuse of data as early as possible.
The National Audit Office found that while log data – information about events taking place in the database – was collected and stored, there was no systematic or continuous analysis of it.
Documents governing the activities of institutions or databases did not provide for the obligation to analyze or monitor log data.
Security incidents can be detected at an early stage, and without major damage, only if the use of databases is monitored continuously and logs are analyzed, the agency says.
Otherwise, the risk of a sensitive data leak remains.
Risks relating to the unauthorized alteration of logs should also be assessed, while solutions for time stamping and/or crypto chaining should be implemented to ensure the integrity of logs, the audit office says.
The main criterion used in selecting the five databases (see above) for auditing was the sensitivity of their data: ISKE confidentiality class S2 (confidential information whose access is permitted only for certain specific user groups and in cases of legitimate interest) or S3 (extremely confidential information).
The full text of the report (in Estonian) can be found here.
Editor: Andrew Whyte