T 2.76 Inadequate documentation of archive accesses
Just like other IT systems, archive systems can be manipulated if they are poorly protected. Users may try to store falsified documents in the archive and assign them to existing administrative procedures by entering the corresponding context information, or to fabricate entirely new procedures. System administrators may perform manipulations that bypass the archive system and conceal them by altering the log files.
Log files are normally considered less important than the documents to be archived. This often manifests itself in shorter retention periods for log files and in less careful handling of them.
If archived documents are to be used in later administrative procedures, it is essential to be able to verify their authenticity, i.e. to distinguish correct documents from manipulated ones, and to be able to verify a document's history if the document is disputed. This is endangered by
- insufficient logging of the archive accesses, particularly the storage processes,
- insufficient protection of the logged data against manipulation performed by users and system administrators,
- the loss of logged data,
- retention periods for the logged data that are too short.
If the documents to be archived are classified according to confidentiality levels, it must always be possible to trace who viewed which documents at what time. This is no longer guaranteed if read accesses and search queries are not logged.
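The four weaknesses listed above (missing logging of storage operations, unprotected log data, lost log data, short retention) and the requirement to log read and search accesses can be countered with a tamper-evident access log. The following Python example is added here as an illustration and is not part of the catalogue entry or of any particular archive product. It assumes a hypothetical HMAC key held by a log-integrity service that neither archive users nor archive administrators can read, and a hypothetical "checkpoint" (the MAC of the latest entry) that is handed to a separate custodian so that truncation of the log tail is also detectable. Each entry records the accessing user, the action (store, read, search), the document and the context information entered, and is chained to its predecessor with an HMAC, so that an edited, deleted or reordered entry is detected on verification.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Hypothetical key of the log-integrity service (constructed demo value).
# Archive users and archive administrators must not have access to it.
LOG_KEY = b"constructed-demo-key-not-for-production"

GENESIS = "0" * 64  # chain anchor used before the first entry exists


class ArchiveAccessLog:
    """Append-only, HMAC-chained log of archive accesses (store/read/search)."""

    def __init__(self, key=LOG_KEY):
        self.key = key
        self.entries = []

    def _mac(self, entry):
        # MAC over every field except the MAC itself; canonical JSON makes
        # the computation independent of dict ordering.
        body = {k: v for k, v in entry.items() if k != "mac"}
        payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self.key, payload, hashlib.sha256).hexdigest()

    def record(self, action, user, document_id=None, context=None, query=None, when=None):
        """Append one access event; 'context' is the context information entered
        by the user when storing a document (author, creation date, ...)."""
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries),
            "time": when or datetime.now(timezone.utc).isoformat(),
            "action": action,
            "user": user,
            "document_id": document_id,
            "context": context or {},
            "query": query,
            "prev": prev,
        }
        entry["mac"] = self._mac(entry)
        self.entries.append(entry)
        return entry

    def checkpoint(self):
        """MAC of the latest entry, to be stored with a separate custodian."""
        return self.entries[-1]["mac"] if self.entries else GENESIS

    def verify(self, entries=None, expected_tail=None):
        """Return (ok, problems). Detects edited, removed and reordered entries;
        with expected_tail (an earlier checkpoint) also a truncated log tail."""
        entries = self.entries if entries is None else entries
        problems = []
        prev = GENESIS
        for position, e in enumerate(entries):
            if e.get("seq") != position:
                problems.append(f"sequence gap at position {position}")
            if e.get("prev") != prev:
                problems.append(f"broken chain at seq {e.get('seq')}")
            if not hmac.compare_digest(e.get("mac", ""), self._mac(e)):
                problems.append(f"bad MAC at seq {e.get('seq')}")
            prev = e.get("mac", "")
        tail = entries[-1]["mac"] if entries else GENESIS
        if expected_tail is not None and not hmac.compare_digest(tail, expected_tail):
            problems.append("log truncated or tail replaced")
        return (not problems, problems)

    def history(self, document_id):
        """All logged accesses to one document, in order: who, when, what."""
        return [e for e in self.entries if e["document_id"] == document_id]


if __name__ == "__main__":
    log = ArchiveAccessLog()
    log.record("store", "clerk1", "DOC-1", {"author": "clerk1", "created": "2024-01-01"})
    log.record("read", "auditor", "DOC-1")
    log.record("search", "auditor", query="subject:tax")
    print("intact:", log.verify(expected_tail=log.checkpoint()))
    for e in log.history("DOC-1"):
        print(e["time"], e["user"], e["action"])
```

Verification is what makes the log useful in the disputed-document case: the stored context information of a document can be compared with the logged store event, and any later change to the log entry (or its removal) fails the chain check. The checkpoint handed to a custodian covers the "loss of logged data" case, since a log that simply ends early no longer matches the last known MAC.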
Examples:
- In the course of archive research, a document is found that incriminates a person in a certain way in a current administrative procedure. The document is deemed authentic on the basis of the context information stored together with it. However, the document was created by an unauthorised person who had deliberately entered incorrect context information (among other things, the author of the document and its date of creation) in order to incriminate the person in question later. Since the log files of the archive accesses have been deleted in the meantime, this can no longer be discerned. The employee concerned is thus wrongly incriminated.
- A user with administrative privileges manipulates files in the cache area of the archive system before they are written to permanent media. The manipulation cannot be traced, since the user manipulated both the data and the log files, bypassing the archive system.