Much of the data held by an election management body (EMB) will be sensitive information that will be private or privileged and must be kept secure. Many computer programs used by EMBs must be kept secure to ensure that election processes run fairly and that election results are not compromised by accidentally altered or deliberately sabotaged programs.
Physical security can be used to isolate computer equipment and prevent unauthorised access (see Physical Security), but it is only the first line of defence. The next line of defence is data access security.
Password protection
The most common method of data access security is password protection. Several layers of password protection can be imposed. Computers can be set up to require a password before they can 'boot up' and give users access to any of the data on the system, either on the computer's local hard drive or on the network. Networks can be configured to require all users to enter a correct user name and password before network access is permitted, so that even if an unauthorised user can operate a local computer they are not able to get onto the network.
Particular software programs can be password protected also, so that even if an intruder can gain access to the network, they cannot run particular programs. Finally, individual files can be password protected, so that intruders are not able to open them even if they gain access to the files or copy them to another system or to a removable disk.
Passwords are not foolproof, however. There are several basic rules that apply to use of passwords, aimed at ensuring that unauthorised users cannot discover them:
- Passwords are best never written down and left where an unauthorised user might find them - if passwords have to be written down, they should be securely locked away (ideally they should be memorised, although in the case of passwords that cannot be reset by an administrator, such as a password embedded in a document, it is wise to keep a copy locked away in case it is forgotten)
- It is beneficial to change passwords regularly - about once a month is a good standard
- The most effective passwords are not obvious - the name of the user, the organisation, a relative, friend or famous person or thing can be relatively easily guessed by others - in particular, it is generally a bad idea for the password to be 'password' since everyone starts out with that one
- The most secure passwords will contain a mixture of letters and numbers and, if the computer system is case sensitive, a mixture of upper and lower case letters, since such combinations are harder to crack
- Short passwords are easier to crack - around 8 characters is a good length
- Passwords are best not shared between colleagues, relatives or friends - each person can have their own password
- In the case of very sensitive systems it may be desirable for the computer system to keep track of which passwords are used at what times, and what data is accessed
- It is desirable to limit the number of times in a session when a person can try to enter a password and fail. This is particularly important where password access is permitted on a public network like the internet (some computer programs can be set up to automatically try huge numbers of possible passwords if the system permits this)
- Where an employee who is assigned a password resigns or leaves a workplace to work elsewhere, that person's password access is best revoked
- System administrators need the ability to reset passwords for users who forget them
- Anyone with password access to a computer system (including any externally employed contractors or systems administrators) will need to have a security clearance at a level appropriate to the data accessible on the system
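The rules above can be enforced mechanically at the point where a password is chosen and at the point where it is used. The following is an added example, not code from the original page: it checks a candidate password against the rules listed (length of around 8, a mix of letters and numbers and of upper and lower case, not 'password', not containing the user's or organisation's name), stores passwords only as salted hashes, limits the number of failed attempts per session, and revokes a departing employee's credentials. The account names, the lockout threshold of five attempts and the hashing parameters are assumptions made for the example.

```python
"""Password-policy check and failed-attempt limiter (added example)."""
import hashlib
import hmac
import os

MIN_LENGTH = 8            # page: "around 8 characters is a good length"
MAX_FAILED_ATTEMPTS = 5   # constructed threshold for locking an account


def check_password_policy(password, username, organisation):
    """Return a list of rule violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if not any(c.isdigit() for c in password) or not any(c.isalpha() for c in password):
        problems.append("needs both letters and numbers")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        problems.append("needs both upper- and lower-case letters")
    lowered = password.lower()
    if lowered == "password":
        problems.append("'password' is the default everyone starts with")
    for obvious in (username, organisation):
        if obvious and obvious.lower() in lowered:
            problems.append(f"contains the obvious value {obvious!r}")
    return problems


def hash_password(password, salt=None, iterations=100_000):
    """Salted PBKDF2-SHA256, so the stored form cannot be read back as clear text."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


class LoginGuard:
    """Counts failed attempts per user and locks the account once the limit is reached."""

    def __init__(self, credentials, max_failed=MAX_FAILED_ATTEMPTS):
        self._credentials = credentials   # username -> (salt, digest)
        self._failed = {}
        self._max_failed = max_failed

    def is_locked(self, username):
        return self._failed.get(username, 0) >= self._max_failed

    def attempt(self, username, password):
        """Return 'ok', 'denied' or 'locked'; a success resets the failure counter."""
        if self.is_locked(username):
            return "locked"
        stored = self._credentials.get(username)
        if stored is not None:
            salt, digest = stored
            _, candidate = hash_password(password, salt)
            if hmac.compare_digest(candidate, digest):
                self._failed[username] = 0
                return "ok"
        # Unknown users are counted too, so the response does not reveal which names exist.
        self._failed[username] = self._failed.get(username, 0) + 1
        return "locked" if self.is_locked(username) else "denied"

    def revoke(self, username):
        """Remove credentials when an employee leaves (page: revoke password access)."""
        self._credentials.pop(username, None)
        self._failed.pop(username, None)


def demo():
    """Five wrong guesses lock the constructed account; the right password then fails too."""
    creds = {"jsmith": hash_password("Tally2024x")}   # constructed account
    guard = LoginGuard(creds)
    results = [guard.attempt("jsmith", "wrong") for _ in range(MAX_FAILED_ATTEMPTS)]
    results.append(guard.attempt("jsmith", "Tally2024x"))
    return results
```

The lockout counter here is per process; on a real system it belongs in the same store as the credentials so that it survives restarts and is shared across the services that accept logins.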
Limiting authorised access
Even where a user has log-in permission and a valid password, an EMB may not wish that user to access all the data held on the EMB's system. For example, casual staff employed to enter payroll data will have no need to access sensitive election results programs. Password access can be used to limit a user's right to access different parts of a system by applying different levels of access rights to different classes of users.
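One way to apply different levels of access rights to different classes of users is an access matrix consulted before every operation. The following is an added example, not code from the original page: the classes of user (a payroll clerk, a results officer, an auditor), the named parts of the system and the rights assigned to each are constructed for illustration, and the check denies by default, so an unknown user, an unknown resource or a missing right all fail.

```python
"""Access rights by class of user (added example)."""

READ, WRITE = "read", "write"   # rights a class of user can hold on a resource

# Constructed access matrix: class of user -> part of the system -> rights held.
# The payroll clerk, as in the page's example, has no right at all on results.
ACCESS_RIGHTS = {
    "payroll_clerk":   {"payroll": {READ, WRITE}},
    "results_officer": {"results": {READ, WRITE}, "voter_roll": {READ}},
    "auditor":         {"results": {READ}, "payroll": {READ}, "voter_roll": {READ}},
}

# Constructed user directory: user name -> class of user.
USERS = {"amina": "payroll_clerk", "bo": "results_officer", "chen": "auditor"}


def is_allowed(username, resource, right):
    """Deny by default: unknown users, unknown resources and missing rights all return False."""
    user_class = USERS.get(username)
    if user_class is None:
        return False
    return right in ACCESS_RIGHTS.get(user_class, {}).get(resource, set())


def authorise(username, resource, right):
    """Raise PermissionError on denial; call this before the operation is carried out."""
    if not is_allowed(username, resource, right):
        raise PermissionError(f"{username} may not {right} {resource}")
    return True


def rights_for(username):
    """List every (resource, right) pair a user holds, for a periodic rights review."""
    user_class = USERS.get(username)
    if user_class is None:
        return []
    return sorted((res, r) for res, rights in ACCESS_RIGHTS[user_class].items() for r in rights)
```

Keeping the matrix in one place, rather than scattering checks through each program, makes the rights review that `rights_for` supports straightforward: a reviewer can see at a glance that casual payroll staff hold nothing on the results data.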
Where authorised access is provided, introductory screens displayed immediately after logging in can remind users of any legal requirements for maintaining the security of data and of any penalties that may apply to misuse of data.
Data storage locations
Another way to help keep data secure from unauthorised access is to limit the places in which data is stored. In networked computer systems, it is good practice to keep all data, particularly all sensitive data, on centralised servers rather than on local personal computers' hard drives. This practice means that any unauthorised intruder trying to access data has to pass two levels of security to reach data - both the local computer's and the network server's. It is generally more difficult to gain unauthorised access to data on a server than it is on a personal computer.
Another advantage of keeping sensitive data on servers is that it limits the number of computers that need a very high level of security. One way to steal data is to physically steal the computer on which it is stored. While it may be too cumbersome, expensive or impractical to keep all personal computers under high security, it is usually highly desirable and more practical to do so with at least the servers.
Remote access to data
Many computer networks allow 'remote access' to data, by connecting to the network over a public system such as the internet or the telephone system by dial-up modem. This level of access makes it much easier for unauthorised users to access data, because they do not have to gain physical access to EMB premises or a computer linked to the EMB's private network.
A risk assessment can be made to determine whether the level of risk of exposing a network to public dial-up or internet access is worth the added convenience of allowing authorised users to have remote access. If a decision is made that remote access is needed, a technical expert in minimising the risks of remote access can be employed to ensure that the system is as secure as possible. To be most effective it is important to seek up-to-date advice, as the technology involved in this area is constantly changing.
Unfortunately, sensitive networks that allow remote access are targets for so-called 'hackers' who specialise in breaking the security of high profile networks. This risk needs to be recognised and every possible step taken to minimise it. One way to do so, particularly if remote access is only needed for a limited range of functions, is to isolate the most sensitive data and programs from that part of the network accessible remotely, so that there are no ways to reach the sensitive data other than through a local network.
Another way to limit the risks of allowing remote access is to only allow access to copies of data, with no access permitted to the original sets of data.
Firewalls
Firewalls are technological barriers built into computer networks to control access to the networks. Firewalls are intended to prevent unauthorised users from accessing data and programs protected by the firewalls. Technical experts in this field can advise on appropriate firewall technology for a given system.
Audit trails
Audit trails can be used to log the activities of persons accessing sensitive data. Audit trails can show which staff accessed which data, and can also indicate what changes to data were made, when they were made, and who made them. Properly used (and not ignored or overlooked), such audit trails can be powerful tools either for verifying that no security breach has occurred or for identifying any breaches that have occurred.
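An audit trail only has value if someone actually reads it, so the review is worth automating. The following is an added example, not code from the original page: it parses audit-trail lines in a constructed format (timestamp, user, action, data set, detail of any change), builds the view of who changed which data, when and how that the section describes, and flags two things a reviewer would want to see: use of an account whose access should have been revoked, and changes made outside working hours. The log lines, the revoked account and the working hours are constructed for the example, as is the log format itself.

```python
"""Reviewing an audit trail for access and changes (added example)."""
from datetime import datetime

# Constructed audit-trail lines: ISO timestamp | user | action | data set | detail
AUDIT_LOG = """\
2024-05-02T09:12:40 | amina | read  | payroll | -
2024-05-02T09:15:03 | bo    | write | results | district_07.total 1432->1452
2024-05-02T22:47:11 | bo    | write | results | district_07.total 1452->1482
2024-05-03T10:02:55 | dana  | read  | results | -
2024-05-03T10:03:20 | chen  | read  | results | -
"""

REVOKED_ACCOUNTS = {"dana"}   # constructed: an employee who has left the EMB
WORKING_HOURS = (8, 18)       # constructed: 08:00 up to 18:00 counts as normal


def parse_audit_log(text):
    """Turn each non-blank line into a dict with a parsed timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, user, action, dataset, detail = (f.strip() for f in line.split("|"))
        events.append({
            "time": datetime.fromisoformat(stamp),
            "user": user,
            "action": action,
            "dataset": dataset,
            "detail": None if detail == "-" else detail,
        })
    return events


def changes_by_user(events):
    """Who changed which data, when, and what the change was."""
    return [(e["user"], e["dataset"], e["time"].isoformat(), e["detail"])
            for e in events if e["action"] == "write"]


def find_anomalies(events, revoked=REVOKED_ACCOUNTS, hours=WORKING_HOURS):
    """Flag any use of a revoked account and any write made outside working hours."""
    flags = []
    start, end = hours
    for e in events:
        if e["user"] in revoked:
            flags.append(("revoked account", e["user"], e["time"].isoformat()))
        if e["action"] == "write" and not (start <= e["time"].hour < end):
            flags.append(("out of hours change", e["user"], e["time"].isoformat()))
    return flags


def review(text=AUDIT_LOG):
    """Return the change history and the list of flagged events for a log."""
    events = parse_audit_log(text)
    return changes_by_user(events), find_anomalies(events)
```

The two flags are deliberately simple; the point is that the trail records enough (who, what, when, old and new value) for a reviewer to ask the results officer about the late-evening change to a district total, and to ask why a departed employee's account still works at all.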