Riigikontroll

National Audit Office of Estonia

Database access management

2023 EE2023dbAccess
SCALE
  • - In 2021, the Incident Response Department of the Information Systems Authority registered about 73,800 automated reports regarding security vulnerabilities and about 2,200 incidents with impact in Estonia. Most of these incidents were based on access takeover or were aimed at exploiting access rights to take over user accounts of others and thereby compromise the integrity of data or leak data.
COMPLIANCE FOCUS
  • - European Parliament and Council Regulation (EU) 2018/1725
  • - Government of the Republic Regulation No. 252 of 20 December 2007
  • - System of Information System Security Measures
PERFORMANCE ASPECT
  • - security measures’ effectiveness
  • - monitoring and analysis application

Although access management ensures that only authorised persons can access the data in the audited databases, in the case of two databases, the access rights that these persons have are too broad. If, in the opinion of the [audited entity], it is not possible to organise the access request procedure quickly enough and in the way that the process of assessing the need for assistance requires, other measures must be implemented to prevent and detect misuse of data.

Insofar as STAR has not implemented measures necessary for verifying the analysis of logs and the justification of queries, the risk of misuse of data increases. Log data, i.e. information about the events that occurred in the database, were collected and stored in the audited databases, but these logs were not systematically or regularly analysed and the respective obligation was not established in the documents governing the activities of institutions or databases.

Checks were carried out irregularly and only after discovered incidents, queries/complaints from data subjects, or other external events.

Code (gexf) to continue analysis with GephiTerminology graph
svg
The items above were selected and named by the e-Government Subgroup of the EUROSAI IT Working Group on the basis of publicly available report of the author Supreme Audit Institutions (SAI). In the same way, the Subgroup prepared the analytical assumptions and headings. All readers are encouraged to consult the original texts by the author SAIs (linked).