Database access management
SCALE
In 2021, the Incident Response Department of the Information Systems Authority registered about 73,800 automated reports regarding security vulnerabilities and about 2,200 incidents with impact in Estonia. Most of these incidents were based on access takeover or were aimed at exploiting access rights to take over user accounts of others and thereby compromise the integrity of data or leak data.COMPLIANCE
European Parliament and Council Regulation (EU) 2018/1725 Government of the Republic Regulation No. 252 of 20 December 2007 System of Information System Security Measures
Access
-
Authorization
Although access management ensures that only authorised persons can access the data in the audited databases, in the case of two databases, the access rights that these persons have are too broad.
If, in the opinion of the [audited entity], it is not possible to organise the access request procedure quickly enough and in the way that the process of assessing the need for assistance requires, other measures must be implemented to prevent and detect misuse of data.
Access
-
Logging
Insofar as STAR has not implemented measures necessary for verifying the analysis of logs and the justification of queries, the risk of misuse of data increases. Log data, i.e. information about the events that occurred in the database, were collected and stored in the audited databases, but these logs were not systematically or regularly analysed and the respective obligation was not established in the documents governing the activities of institutions or databases.
Monitoring
-
Timing
Checks were carried out irregularly and only after discovered incidents, queries/complaints from data subjects, or other external events.
Code (gexf) to continue analysis with GephiTerminology graph
