The Election Management System WA (EMSWA) is used by the Western Australian Electoral Commission (WAEC) to manage election-related information. This includes storing an electronic electoral roll, and recording and counting votes for State general elections. The system stores voter personal information such as name, address, telephone numbers and date of birth.
The EMSWA system essentially achieves its purpose. However, we found a number of issues that may compromise the security and integrity of sensitive data, including voter identity details.
While we did not find any instances of inappropriate access or misuse, confidential information is at risk due to insufficient password controls, unencrypted databases and minimal tracking or monitoring of changes made to the data. The availability of the system is also at risk due to the lack of a documented and tested disaster recovery plan.
Inefficient manual transfer of data from other related sources into the EMSWA system may compromise the integrity of the information in the EMSWA system.
The WAEC aims to provide all Western Australians with accessible, efficient and high quality electoral and enrolment services.
It is responsible for maintaining the State’s electoral roll and conducting parliamentary elections and referenda, local government elections and other statutory and non-statutory elections. WAEC also promotes community awareness of the electoral process.
In the State general election on 11 March 2017, there were 1,593,222 people enrolled to vote and 1,411,829 votes counted.
Completed ballot paper information was recorded and processed through EMSWA, which is developed and maintained by WAEC.
Security weaknesses increase the risk of inappropriate access and misuse of voter personal information
The EMSWA system stores confidential personal information about voters such as name, address, telephone numbers and date of birth. If accessed inappropriately, this information could be used for identity theft. While we found no instances of this information being inappropriately accessed or misused, we did identify security weaknesses, including:
- Insecure databases – The password policy is not enforced for database user accounts and the password for the System Administrator account had not been changed for over 2 years. Administrator and database accounts are the first accounts an attacker will try to compromise in order to gain unauthorised access to systems. We also found that data encryption is not used to protect sensitive information in the EMSWA databases, leaving this information more vulnerable to misuse if inappropriately accessed.
- Unprotected personal information – We found that confidential personal information of voters from the EMSWA live system is copied and used in the test environment, which does not have the same level of security. Processing and storing this information in test systems without appropriate levels of security increases the risk that it may be compromised.
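As an added illustration (not WAEC's code and not part of the audit report), the following shows one way to mask the voter data items named above before records are copied from a live system to a test environment. The field names, the sample rows and the key handling are assumptions made for the example.

```python
import hashlib
import hmac

# Field names are assumptions; the page names the data items, not the schema.
PII_FIELDS = ("name", "address", "phone", "date_of_birth")

# Constructed sample rows, not real electors.
SAMPLE_ROLL = [
    {"elector_id": 1001, "name": "Alex Example", "address": "1 Sample St, Perth",
     "phone": "08 5550 0101", "date_of_birth": "1975-08-23", "district": "A"},
    {"elector_id": 1002, "name": "Alex Example", "address": "9 Demo Rd, Albany",
     "phone": "08 5550 0199", "date_of_birth": "1990-02-14", "district": "B"},
]


def _token(key: bytes, field: str, value: str) -> str:
    """Keyed pseudonym: stable for equal inputs, not reversible without the key."""
    msg = f"{field}\x00{value.strip().lower()}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def mask_record(record: dict, key: bytes) -> dict:
    """Return a masked copy; non-PII columns pass through unchanged."""
    out = dict(record)
    out["name"] = "Voter-" + _token(key, "name", record["name"])[:12]
    out["address"] = "Addr-" + _token(key, "address", record["address"])[:12]
    # Replace every digit of the phone number but keep its length and spacing.
    digits = iter(str(int(c, 16) % 10) for c in _token(key, "phone", record["phone"]))
    out["phone"] = "".join(next(digits) if ch.isdigit() else ch for ch in record["phone"])
    # Keep only the birth year so age-based test cases still work.
    out["date_of_birth"] = record["date_of_birth"][:4] + "-01-01"
    return out


def mask_roll(records: list, key: bytes) -> list:
    return [mask_record(r, key) for r in records]


def leaked_fields(original: dict, masked: dict) -> list:
    """PII fields whose live value survived masking; run before data leaves live."""
    return [f for f in PII_FIELDS if masked[f] == original[f]]


if __name__ == "__main__":
    import secrets
    key = secrets.token_bytes(32)  # generated and kept on the live side only
    for live, test in zip(SAMPLE_ROLL, mask_roll(SAMPLE_ROLL, key)):
        print(test, leaked_fields(live, test))
```

Because the tokens are keyed and deterministic, duplicate names or addresses remain detectable as duplicates in test data, while the year of birth is deliberately retained and should be dropped as well if tests do not need it.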
WAEC does not have documented processes to recover the EMSWA following a major incident or disruption
WAEC does not have an IT Disaster Recovery Plan (DRP) that details the processes to recover its information systems following a major incident or disruption. This could compromise the continuity and integrity of election processes and the delivery of key services, and potentially damage the reputation of the WAEC.
While the WAEC has recovery procedures in place, these are not fully documented and tested.
An IT DRP is a key document that provides details of procedures to be followed to recover systems in the event of an incident or disruption. Without an appropriately tested IT DRP it is not possible to confirm the effectiveness of the plan and the ability of the WAEC staff to execute it.
WAEC does not know whether inappropriate or unauthorised changes are made to the EMSWA information
The WAEC does not have a formal policy or procedure in place to manage the logging and monitoring of key events. The EMSWA does not capture user logon activities or who made changes to electoral roll information. Without effective system logging and proactive monitoring of these logs the WAEC cannot identify and act on any suspicious events or user activities.
Manual processes are inefficient and increase the risk of errors in the EMSWA
Information from a number of internal systems is manually entered into the EMSWA, increasing the likelihood of errors.
Examples of manual processing that could be automated to increase efficiency and reduce the risk of errors include:
- Legislative Council ballot paper information is manually entered into an application called CountWA. After results are calculated in this system, a subset of the results is then manually entered into the EMSWA system.
- Legislative Assembly ballot paper information is manually entered into spreadsheets. This information is then manually imported into the EMSWA system.
These processes could be automated within the EMSWA to draw the information directly from CountWA and spreadsheets.
The WAEC should:
1. enforce its password policy for all users including administrator accounts
2. review the risks associated with storing confidential personal information and assess options to protect it from unauthorised access and misuse
3. a. develop, regularly review and test the IT DRP
   b. develop and implement an effective framework for monitoring and logging of key change events
   c. implement appropriate information security controls to protect sensitive information in the test environment
4. a. review election systems to identify key events or transactions that require logging and monitoring
   b. review manual data transfer processes and consider if they can be automated
5. complete, test and implement changes to election systems in readiness for the State General Election in March 2021.
The Western Australian Electoral Commission welcomed the application controls review of the Election Management System WA (EMSWA) and provides the following acceptance of the recommendations from this review.
Recommendation 1: Accept fully
Password complexity policies will be enforced on all SQL accounts. Password expiration policies will be enforced on all SQL accounts where appropriate. Application specific accounts will be controlled via a manually scheduled password change regime to ensure election system uptime. This is currently being implemented and is targeted for completion by 31 August 2018.
Recommendation 2: Accept fully
A review of the risks associated with storing confidential information and options to protect it will be conducted in conjunction with our Risk Management and Audit Committee by 30 September 2018.
Recommendation 3: Accept fully
Development of the IT DRP reflecting the Commission’s current DR solution will commence shortly and be completed and tested by 31 December 2018 with an annual review and test being scheduled.
A framework to capture key change event audit logs will be developed by 31 December 2018 with implementation scheduled with election system changes due to be completed by 30 June 2020.
Safeguards to mask and protect sensitive information used in the test environments will be implemented by 31 December 2018.
Recommendation 4: Accept fully
A review to identify key events or transactions that require logging and monitoring and manual data transfer processes that can be cost effectively automated will be conducted in conjunction with our Election Management Committee by 30 June 2019.
Recommendation 5: Accept fully
Changes to election systems will be completed, tested and implemented by 30 June 2020, well in advance of the next State General Election in March 2021.