Based on the current impasse at ECK, I can't help sharing an article I sent to the media 4 weeks before the elections and it never got the attention it may have deserved...

walu.

~~~~~starts~~~~

How Secure is the ECK data? (Late Nov 2007)

Recently, there was a verbal exchange between politicians and the Electoral Commission of Kenya (ECK) about whether or not the Voters Register was being tampered with at the ECK Headquarters, Anniversary Towers. Rather than debating who is lying and who is not, it is better to take a nationalistic and objective view by asking: How secure is the ECK data?

The Voters Register and the subsequent Polling Data is, or should be, categorised as a critical national resource and must be accorded the appropriate levels of protection from various threats. Any mismanagement of this data would compromise the peaceful existence of the Kenyan state as we know it today. Typical threats facing this data would arise from circumstances that can compromise the Confidentiality, Integrity, Availability and Non-Repudiation of the ECK data.

Data or information is said to be Confidential if it is secured against unauthorised access. Indeed, most of the ECK data, such as the Voters Register, is by nature public information, but there must be some data that should be kept confidential since it may be used maliciously if placed in the wrong hands. To what extent has ECK put in place processes and systems to ensure that confidential data remains confidential?

The Integrity of data concerns whether the ECK data is secured against illegal changes. In other words, does ECK have systems or controls in place that can prevent, detect and correct unauthorised changes to the Voters Register or the Polling Data? Are these controls effective and, more importantly, are these controls regularly tested?

Availability of data refers to its capacity to be delivered where and when it is needed by its stakeholders. Imagine if the voting was done, the tallying completed, and then ECK was unable to announce the results because of a computer or, more commonly, hard-disk failure. Speculation arising from the delayed announcement of election results during those critical hours after the elections could make or break this nation, irrespective of whether the delay was valid or otherwise.

Non-Repudiation of data refers to the capacity to prove, beyond reasonable doubt, the origin of data. Within the context of ECK, this may be important particularly during this year, when ECK is adopting modern communication technologies to receive, relay and query their data. Assuming the Returning Officers would be sending in their Polling Data via SMS, Internet, Telephone or even Fax, are there systems in place to prove that the incoming data is indeed originating from the official sources and not from impersonated ones?

In the interest of the public, ECK must take the necessary precautions to protect its information from the above threats. Similarly, ECK must be seen to have done, or should demonstrate publicly that it has indeed done, due diligence to provide the necessary security with respect to the safety of its data.

In developed economies, the laws and regulations require that critical data of national importance must be subjected to regular Information Systems Audits, in the same spirit as that of carrying out regular Financial Audits. Despite the lack of compelling legislation to do an Information Systems Audit, ECK can decide to act in the interest of the public and engage professional Information Systems Auditors to execute an Information Systems Audit on their critical data and related processes. Such an exercise, if it has not already been done, may be the only weapon to silence the reckless politicians who will keep suspecting the integrity of the ECK data to the detriment of this nation.

J. Walubengo

Mr. Walubengo is a Lecturer at the Kenya College of Communications Technologies (KCCT) and a Board Member, Information Systems Audit & Control Association (ISACA).

~~~ends~~~~
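
One way to detect the unauthorised changes to the Voters Register that the article asks about, as an added example that is not part of the original post or of any ECK system: per-entry SHA-256 digests plus a single digest over the whole register that can be published at the close of registration. The row layout, function names and sample rows are assumptions made for illustration.

```python
import hashlib

def entry_digest(row):
    """SHA-256 of one register row. Each field is length-prefixed so that
    ("AB", "C") and ("A", "BC") cannot produce the same digest."""
    h = hashlib.sha256()
    for field in row:
        data = field.encode("utf-8")
        h.update(len(data).to_bytes(4, "big") + data)
    return h.digest()

def snapshot(register):
    """Map voter ID -> row digest; a repeated ID is itself an integrity fault."""
    snap = {}
    for row in register:
        if row[0] in snap:
            raise ValueError(f"duplicate voter ID {row[0]}")
        snap[row[0]] = entry_digest(row)
    return snap

def commitment(snap):
    """Single hex digest over the whole register, in voter-ID order. Publishing
    it at the close of registration lets anyone re-check a later copy."""
    h = hashlib.sha256()
    for voter_id in sorted(snap):
        h.update(snap[voter_id])
    return h.hexdigest()

def audit(baseline, current):
    """List voter IDs added, removed or modified since the baseline snapshot."""
    both = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(v for v in both if baseline[v] != current[v]),
    }

# Constructed sample rows: (voter ID, name, polling station). Not real data.
BASELINE = [("V001", "Voter One", "Station A"),
            ("V002", "Voter Two", "Station A"),
            ("V003", "Voter Three", "Station B")]
# Later copy: V002 moved to another station, V003 deleted, V004 inserted.
LATER = [("V001", "Voter One", "Station A"),
         ("V002", "Voter Two", "Station C"),
         ("V004", "Voter Four", "Station B")]

if __name__ == "__main__":
    base, now = snapshot(BASELINE), snapshot(LATER)
    print("register unchanged:", commitment(base) == commitment(now))
    print(audit(base, now))
```

This detects and locates changes but does not prevent or correct them, and it is only as trustworthy as the place the baseline digest is kept, which must be out of reach of whoever administers the register.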