[kictanet] How Secure is the ECK data?

John Walubengo jwalu at yahoo.com
Sun Dec 30 15:27:56 EAT 2007


Based on the current impasse at ECK, I can't help sharing an
article I sent to the media 4 weeks before the elections and
it never got the attention it may have deserved...

walu.
~~~~~starts~~~~ 

How Secure is the ECK data? (Late Nov 2007)
Recently, there was a verbal exchange between politicians
and the Electoral Commission of Kenya (ECK) about whether
or not the Voters Register was being tampered with at ECK
Headquarters, Anniversary Towers.  Rather than debating on
who is lying and who is not, it is better to take a
nationalistic and objective view by asking – How Secure is
the ECK data?

The Voters Register and the subsequent Polling Data is, or
should be, categorised as a critical national resource and
must be accorded the appropriate levels of protection from
various threats. Any mismanagement of this data would
compromise the peaceful existence of the Kenyan state as we
know it today.  Typical threats facing this data would
arise from circumstances that can compromise the
Confidentiality, Integrity, Availability and
Non-Repudiability of the ECK data.

Data or information is said to be Confidential if it is
secured against unauthorised access.  Indeed most of the
ECK data is by nature public information such as the Voters
Register but there must be some data that should be kept
confidential since it may be used maliciously if placed
in the wrong hands. To what extent has ECK put in place
processes and systems to ensure that confidential data
remains confidential?

The Integrity of data is an aspect of whether the ECK data
is secured against illegal changes.  In other words, does
ECK have systems or controls in place that can prevent,
detect and correct unauthorised changes to the Voters
Registers or the Polling Data? Are these controls effective
and more importantly, are these controls regularly tested?

Availability of data refers to its capacity to be delivered
where and when it is needed by its stakeholders.  You can
imagine, if the voting was done, the tallying completed and
then ECK was unable to announce the results because of a
computer or, more commonly, hard-disk failure.  Speculations
arising from the delayed announcement of election results
during those critical hours after the elections could make
or break this nation – irrespective of whether the delay
was valid or otherwise.

Non-repudiability of data refers to the capacity to prove
beyond reasonable doubt, the origin of data.  Within the
context of ECK, this may be important particularly during
this year when ECK is adopting modern communication
technologies to receive, relay and query their data. 
Assuming the Returning Officers would be sending in their
Polling data via SMS, Internet, Telephone or even Fax – are
there systems in place to prove that indeed the incoming
data is originating from the official and not impersonated
sources?

In the interest of the public, ECK must take the necessary
precautions to protect its information from the above
threats.  Similarly, ECK must be seen or should demonstrate
publicly that they have indeed done due diligence to
provide the necessary security with respect to the safety
of their data.  In developed economies, the laws and
regulations require that critical data of national
importance must be subjected to regular Information Systems
Audits in the same spirit as that of carrying out
regular Financial Audits.

Despite the lack of compelling legislation to do an
Information Systems Audit, ECK can decide to act in the
interest of the Public and engage professional Information
Systems Auditors to execute an Information Systems Audit on
their critical data and related processes.  Such an
exercise, if it has not already been done, may be the only
weapon to silence the reckless politicians who will keep
suspecting the integrity of the ECK data to the detriment
of this nation.    

J. Walubengo

Mr. Walubengo is a Lecturer at the Kenya College of
Communications Technologies (KCCT) and a Board Member,
Information Systems Audit & Control Association (ISACA). 

~~~ends~~~~




