Information security policy

Information Security Policy of the eVotUM Electronic Voting System

Version: 1.0

Date: 26th of January, 2017


The Information Security Policy aims at:

It is considered an information asset a resource consisting of all the data and information generated, acquired, used or stored by the eVotUM electronic voting system.

 

Users

  1. The IT (information technology) resources of the eVotUM electronic voting system can only be used for implementing activities relevant and of interest to the electoral processes.
  2. The users of the eVotUM electronic voting system shall only have access to the IT resources that are indispensable to perform their particular activities.
  3.  Access to the information technology resources in the restricted area of the eVotUM site is only allowed upon authentication of the users.
  4. The eVotUM electronic voting system can be accessed by four types of different users: 
    1. Institution Official - appointed by the Rector of the University of Minho, it’s the person responsible for the configuration of the electoral processes, with the indication of the various elections and relevant dates, elements of the Electoral commissions, automatic generation of pairs of ciphering/deciphering keys for the votes and sending of the components of the deciphering key access password to the different elements of the Electoral Commissions. It’s also the person responsible for the generation of the eVotUM Root Certifying Authority and the signature of all digital certificates issued to the components of this system.
    2. Member of the electoral commission - identified in the system by the institution official, manages the electoral process and the several elections that are part of it;
    3. Voter - identified in the system by the Electoral Commission, he can: 
      • Change his personal information (contact e-mail and second method for voting authentication);
      • See his electoral processes;
      • Communicate with the Electoral Commissions;
      • Vote on each of the elections, if within the voting period;
      • Verify that his vote was counted in the election, by entering the voting reference.
    4. Public - can access the public pages of the electronic voting system, with:
      • General information (Frequently asked questions, Information security policy, Privacy policy, Terms of use, Site map, Contacts); 
      • Checking the electoral processes (all the information made available by the Electoral Commissions);
      • Checking the electoral rolls, where complaints may be lodged if there are any inaccuracies in them.
    5. The voter, members of the electoral commission and institution official have access to personal and non-transferable access accounts, so they can access the restricted area of the eVotUM site. The security credentials to access that account are the credentials used to access the different services available on the University of Minho’s Intranet.
      • The public has access to the public pages of the eVotUM electronic voting system, without the need for personal user accounts.
    6. The security credential is unique, personal and non-transferable and should not be shared. Its use or the consequences arising from its improper use are the sole responsibility of the holder.
    7. To recover the security credential password to access the restricted area, the voter must follow the procedure indicated by the DTSI (Technology and Information Systems Department) for recovery/changing the password to access to electronic services of the University of Minho, and can proceed to the recovery/changing of the password online through the Intranet portal (https://intranet.uminho.pt).
      This operation requires the voter to have previously completed, in the Intranet and in the human resources personal file, his personal contacts, namely, his mobile phone number or a personal e-mail address (different from the institutional one). If this is not the case, the voter should visit the DTSI’s facilities.
    8. The members of the electoral commission are responsible for setting the security level of the different actions that can be performed by the electoral commission:
      • Simple - Only one member of the electoral commission is needed to perform the action.
      • Strong - (M/2)+1 members of the electoral commission are needed to perform the action. (M = total number of members of the electoral commission)
      • Critical - All members of the electoral commission are needed to perform the action.
    9. The user is responsible for all the accesses performed using his personal account.
    10. The user must block the access to the restricted area of the eVotUM site when he leaves the device used to access it, and it is considered that he will be liable for the consequences resulting from any improper handling carried out using his open account. 
    11. The user must ensure the secrecy of his access password, being responsible for any possible damages resulting from its use.
    12. The user is responsible for the correct use of the IT resources of the eVotUM electronic voting system, and by proactively promoting the security of information.
    13. The user must preserve the confidentiality of the information used and supplied.
    14. Users should report any incidents that affect the safety of the information assets or the non-compliance with this Information Security Policy.

Intellectual property rights

  1. The use of IT resources in the eVotUM electronic voting system complies with the legislation concerning the protection of intellectual property rights (copyright, software and patents).
  2. The entire project developed within the scope of the eVotUM electronic voting system is the exclusive property of the University of Minho and users cannot claim ownership of any kind.

Physical security measures

The security measures of the Datacenter’s premises where the IT resources of the eVotUM electronic voting system are housed have the following characteristics:

  1. Use of a CCTV system, with the collection of images (CCTV) in the area surrounding the immediate vicinity of the building, the access corridor to the Datacenter and its interior;
  2. Access to the premises is made with the use of the employee card; the access to the corridor of the Datacenter is made with the use of the employee card; the access to the Datacenter is made by biometric identification (iris recognition).
  3. The premises are protected by an intruder alarm system.
  4. The Datacenter is protected by an intruder alarm system composed of impact sensors that protect against any intrusion attempt made directly from the exterior.
  5. Access to the Datacenter by external entities is always accompanied by an element of the Datacenter’s management team.
  6. Physical access to the network servers in production is done only for carrying out tasks that necessarily require physical interaction with the existing equipment, or tasks that may be adversely affected by the loss of connectivity.
  7.  IT resources are identified and inventoried.

Logical security measures

The eVotUM electronic voting system incorporates the appropriate means and mechanisms to ensure the correct handling of information, particularly in the creation, storage, query, update, transfer and disposal of data, respecting the applicable internal and normative policies and standards for information security, ensuring the following: 

  1. All applications have user profiles configured with different privileges, ensuring that no user is granted more privileges than necessary;
  2. User access to the different applications is based on strong authentication mechanisms, or where this is not possible, the best practices in the use of passwords are adopted;
  3. To ensure the confidentiality of traffic, all communications use the TLS protocol;
  4. The EVotUM system has mechanisms that support security audits.
  5. Proper security mechanisms are used, at the level of the network and operating system, to ensure state of the art safety standards.
  6. The use of system monitoring and administration tools is performed in a controlled manner, not compromising the security of the information and the surroundings. 
  7. The tools for monitoring and administration of the network, systems and databases are for the exclusive use of the administrators of the respective services.
  8. The maintenance and updating procedures of the production environment are scheduled, preferably outside voting periods.
  9. The information systems are, whenever possible, kept up-to-date with the latest versions available. 
  10. The IT resources of the eVotUM electronic voting system are updated, whenever a vulnerability is detected. 
  11. To restrict physical access to the production environment, the network servers have remote management consoles for their administration.
  12. Event logs are stored centrally and protected against removal and unauthorized access, which include information on success and failure of accesses, for the purpose of any future audits.
  13. The backup plan aims at providing disaster recovery for loss of original data by accidental deletion or corruption of data, and respects the specifications of storage and service life of the media used.
  14. The backup of the information stored in the information systems is performed, preferably, at times of low use of the eVotUM electronic voting system. 
  15. Procedures to restore the information contained within the backup media are run regularly, in order to verify the integrity of the information stored.

Final provisions

 

  1. It is the responsibility of the DTSI to, at any time, take the necessary measures when there is evidence of risks to the security of the information. 
  2. Access and improper use of the IT resources of the eVotUM electronic voting system is liable to sanction by law, according to the legislation in force.

Validity and updating

  1. This policy shall enter into force from the date of its publication.
  2. Its updating will occur whenever necessary.