Elections commission
Audit trail key to database integrity
Stabroek News
February 15, 2004
Automatic recording of all changes to the electoral database and establishing who might be behind these changes, is key to maintaining its integrity.
This is the overall message of an Audit Trail Policy in a draft IT Operations Manual, constructed for the Guyana Elections Commission (GECOM) by consultant, Ronan McDermott.
McDermott says audit trails of user activity on systems and applications should be maintained to help detect performance problems and flaws in applications.
Among the contents in his draft are proposals on how the security vulnerabilities should be addressed.
These proposals are based on the deficiencies that were detected in the audits of the database that were done by the Institute for Democracy and Electoral Assistance (IDEA) and forensic database specialist, Roy Dalle Vedove.
The main opposition party, the PNCR has called for the scrapping of GECOM's database because of its concerns about several vulnerabilities that were detected in the security safeguards, following audits that were conducted after the 2001 General Elections.
The need for more computer and administrative audit trails was one of the concerns which the PNCR used to inform its position on the issue.
The party noted that the audit trails were not created in key areas and where created were partially deleted with no back-up copies.
It was contended that these trails could have been used to detect unauthorised attempts to access the database. The system auditors have however found no evidence that the database was ever breached.
McDermott, in the draft, says that data integrity and operational transparency require a means to reconstruct and review user activities related to operations, procedures, or events occurring on all mission-critical GECOM Automated Information Systems.
"In the absence of paper trails, the role of automated audit trails is critical," he notes in the draft.
"Mere availability of audit trails will not suffice. There should be processes for reviewing the audit trails to provide reasonable assurance that the actions as reflected in the audit trails are valid and duly organised."
He recommends that GECOM policy be that it requires a record of user activity to be maintained and users to be identified and authenticated so that they can be held accountable for their actions. Moreover, to facilitate independent analysis of audit trails, any records of user activity must be kept in generic format for a period of three years.
The draft also says that GECOM should prepare policy guidelines on online monitoring and audit trail recording, protecting, reviewing and report. It should also commission regular independent reviews of audit policy and analysis of audit records.
McDermott notes that system functions such as log-in attempts, password changes and file creations, changes and/or deletions must be recorded.
The audit trail event record should specify the type of event, the time when the event occurred, the user ID associated with the event and the programme or command used to initiate the event.
Also, GECOM databases must include audit trail functionality to capture at minimum the following information:
- Terminal from which operation invoked
- User who invoked the operation
- Date and time of the operation
- Attributes affected
- Old values
- New values
The draft also says that all mission-critical databases at GECOM should be developed on platforms which include security measures preventing any user, including the Database Administrator, from inhibiting or altering the database audit trail.
The System Audit Trails must be reviewed weekly by authorised GECOM individuals and the GECOM/IT Division Manager must review the audit trail monthly.
Anomalies that are detected must be immediately reported to the appropriate supervisory personnel for follow-up action. Also, all the audit records shall be stored in a locked room and kept for three years.
The procedures outlined in the Audit Trail draft will be applicable to all personnel who use, manage, design or implement automated information systems at GECOM.
In the December issue of the New Nation, the PNCR reaffirmed its position on the GECOM database and the security for its IT operations.
"The [PNCR] has no confidence in the current database and demands that GECOM scrap it entirely and immediately," the article stated.
GECOM was urged to implement the recommendations in the IDEA report on tightening the security of its IT operations.
"The [PNCR] believes that GECOM's stated intention to move to continuous registration (for which the current database is totally incompatible) provides an additional reason to dump the current database and embark on a new national registration process in time for the 2006 election."
GECOM Chairman Dr Steve Surujbally, at a press conference last month, said the report addresses all of the perceived vulnerabilities within the IT system.
McDermott's proposals are still being studied by the commission and stakeholders have until the end of February to comment on them.
Surujbally said once they are endorsed by the stakeholders the proposals would be implemented in a time-frame which has already been set.