Information Systems and Data Security
Security of information systems and data is an important issue that may be overlooked in the midst of more visible aspects of electioin security, such as ensuring that election fraud and intimidation are deterred.
Elections are data-driven events. At all stages of the election process, large and complex amounts of data have to be accurately handled and protected from unauthorised manipulation, particularly in:
- compiling voters registers and producing accurate voters lists for voting stations;
- processing nominations and, from these, correctly printing ballot papers;
- determining locations of voting stations and resourcing them;
- recruiting, training, and assigning staff;
- reconciling voting material, conducting ballot counts, and determining results;
- adjudicating grievances.
Loss, unavailability, or unauthorised changes of election data can both cripple election operations themselves (and result in significant cost penalties) and lead to perceptions of lack of integrity or legitimacy of election processes and outcomes.
Security provisions need to address ensuring the availability, accuracy, integrity and, where relevant, the confidentiality of information. The more complex the information systems used, the more complex security measures may need to be.
Manual Information Systems
For information held in non-computerised formats, security is founded in normal office administration systems such as:
- registration of information and documentation received;
- logical filing and secure storage of documents;
- retaining separately stored copies of important documents;
- controlling access to documents.
Computer-Based Information Systems
For information held in computer-based systems, security measures need to be more complex, particularly where these systems are used to produce or process voting material or calculate vote totals or election results, where there is a time-critical need for accuracy and integrity. Risk analyses need to be undertaken to determine the most effective methods of ensuring information security.
Basic security measures that may need to be carefully applied include:
- adequate physical security of the buildings in which computer equipment or critical communications equipment (microwave installations or optical fibre/cable exchanges) are held--including protection against both human intervention and possible natural disaster (flood, fire);
- back-up and recovery capabilities in case of system failure--including recovery of power supply, telecommunications links, hardware, and software, as well as provision for manual or lower-tech methods of achieving the same task in case the computer system cannot be revived, and simple precautions such as daily backups of all systems and data and storage of backup media at a separate location;
- thorough testing of all aspects of systems under production conditions prior to their being placed into production mode;
- access controls on software and data, to prevent unauthorised external access (hacking) or internal attempts at manipulation of system configuration, software code, or data recorded;
- thorough training of staff in the computer systems and software they are required to use, so that data is not lost or systems damaged accidentally;
- ensuring that all staff are aware of the security precautions that need to be applied.
