TRE - Regional Electoral Court

• case

FOCUS ON CREDIBILITY

CREDIBILITY The Regional Electoral Court of Rio de Janeiro reinforces the website structure, guaranteeing to citizens safe access to a wider range of services, securing reliable information
By Roberta Gonçalves

Imagine the impact that an election fraud can cause in the structure of a country. Political, economic and even
social issues would be strongly shaken should any security breach occur in the electoral systems. In this context, it becomes clear that credibility is the backbone of Electoral Justice, demanding from this institution constant efforts to guarantee the total integrity of its data. In the case of Brazil, the challenge is even greater due to its territorial dimensions.

This concern permeates the whole structure of electoral courts. With the advent of voting machines adopted in 1996, and the enhancement of services available over the internet, the data integrity issue became even more relevant. Given this new reality, the Electoral Regional Court of Rio de Janeiro (TRE-RJ) started in 2002 a project to reinforce security in its internet domain. “The use of voting machines streamlined the processes,
but one must guarantee the dynamics and the integrity of information”, says André Luís Corrêa de Araújo, information secretary at TRE-RJ.

According to the executive, the enhancement of services available via Web also impacted the institution. He says that on election days, the Electoral Justice removes its internet links “There is a high number of invasion attempts. If any hacker activity is found in the Superior Electoral Court (TSE) website on that day, there is a rather negative impact because it conveys to people a feeling of insecurity For that reason, TSE just keeps a page intended to disclose the voting numbers that are being counted”, he states.

MORE PROTECTION

The desire of keeping citizens informed during the ballot counting, and allowing constant access to the website's services compelled TRE-RJ to create a standalone internet structure, separate from the Electoral Justice's backbone. In 1998, the website of the Electoral Regional Court of Rio de Janeiro entered into operation. Among the services available are queries on voting places, electoral district addresses, access to the voting results, and issuing electoral quittance certificates.

With the growing volume of attack attempts observed mainly from 2002 and the increased demand for website services, the institution started to focus on the data integrity issue. “We began to look security in a more comprehensive way, including other aspects besides the technological ones”, says Araújo.

The next step was to assess the Risk Manager tool by Modulo, which makes risk analysis involving software, equipment, people, processes, and environments and provides guidance on which points can be perfected to shield the company's structure “Our main objective was to have access to consolidated information, able to provide us with the necessary guidelines to define our security planning”, he explains.

After carefully studying the product, TRE-RJ started the implementation and in the 2004 elections the solution was already in operation. The results observed were exciting. “There was a 40% reduction in risk rates. Besides, we reduced the time spent to detect potential fragilities”, celebrates Araújo. According to the executive, the use of this tool allowed to map processes, detect vulnerability levels, and determine the actions to be carried out.

The adoption of Modulo Risk Manager generated improvements that exceeded technology. “By streamlining the processes, we had the opportunity of improving the electric part, the air conditioned systems, and cleaning the environments”, he adds The institution reorganized its servers based on the recommendations provided by the solution.

Another aspect highlighted by the Secretary is the fact that Modulo Risk Manager is an inclusive solution, i.e., not restricted to aspects related to Information Technology. “This versatility of the solution allows it to be used in sectors other than the IT department, such as administration and service areas”, he believes.

The Information Security project of TRE-RJ demanded investments in hardware, software and services. Due to the flexibility and inclusiveness of Modulo Risk Manager, the institution is already studying to trickle the tool down to other divisions. “We are talking with the general services area, which involves the electoral registry offices, so that it can benefit from the solution with focus on process mapping”, he states.

NEXT STEPS

Electoral Regional Court of Rio de Janeiro plans to share with the other 26 courts throughout Brazil the positive experience with the implementation of this product. The institution expects to complete until next year the whole project involving the internet. He says that another challenge for TRE-RJ is the compliance with ISO 17799 guidelines. “We are seeking excellence in the internet domain, for later trying to cascade our experience into other sectors”, he comments.

After the completing those steps, Araújo plans to enroll the project in the Electoral Justice IT Seminar, scheduled for 2007. Each court enrolls a work, which is evaluated by a commission. The selected ones are presented during the Seminar. “The best initiatives are analyzed to verify their applicability, and can be recommended to all the country's courts”, he says.

TRE-RJ also bet on the use of Digital Certification to disclose election results. “We prepared the structure so that all numbers related to the election published at the website could rely on that resource”, stresses Araújo. The initiative was implemented along with Modulo, and had a rather positive impact on the institution's credibility. “Digital Certification allows us to attest the reliability of data published on the internet. With it, we managed to respond quickly to any fraud charge”, cheers up the executive, saying that TRE-RJ plans to use this certification in the coming elections.