Cybersecurity in Elections Infrastructure: Risks and Mitigations

Presentation transcript:

Cybersecurity in Elections Infrastructure: Risks and Mitigations
https://www.cisecurity.org/elections-resources/
Dr. Michael Garcia, Director of Elections Best Practices
14 June 2018

A word about CIS
- CIS is a technical organization
  - Address the how over the what
- Backed up by experience and resources
  - CIS history and programs underpin best practices and recommendations
- Focused on the entire ecosystem
  - Looks at, and provides best practices for, the process from start to finish

Center for Internet Security

The threat environment
- There have always been threats to elections
- There has been a steady progression toward IT-related attacks over the last two decades
- 2016: a more concerted effort, but just an increase in what had already been occurring

Motivation
- Attackers have one or more goals
  - Information theft, espionage, sabotage
  - Sabotage: destruction, defamation, or blackmail of targets
- Motivation can be BOTH changing votes AND reputation damage to democracy itself
- In cybersecurity, risks drive investments
  - Must assess risk and keep a broad view
  - Adversaries will look for a weakness anywhere; so we must strengthen defenses everywhere

A Handbook for Elections Infrastructure Security
- View and download at: https://www.cisecurity.org/elections-resources/
- Order free hardcopies at: https://learn.cisecurity.org/ei-handbook

The starting point
- The most substantial risks are to components that have network connections
  - For cybersecurity folks, this puts us in known waters
- Bigger than paper ballots or RLAs (risk-limiting audits)
- Jumping on a moving train means continual improvement
- Constrained resources mean mitigating risk at the margin
  - Focus on the best way to spend the next dollar, regardless of where it is

Handbook Structure
- Three parts
  - Introduction of elections and risk
  - An architecture of elections systems and their risks
  - Technical best practices
- Includes recommendations on contracting and procurement, auditing, and incident planning
- Contains 88 best practices in the form of security controls

Part 1: Introduction
- Typical stuff: scope, audience, environment
- Also info about conducting a risk assessment
- Introduces three classes of connectivity
  - Network connected systems
  - Indirectly connected systems
  - Systems that are not connected
- Bonus! Transmission risks

Part 2: Architecture and Risk
- Generalized architecture
- Describe each component, its risks, and its connectedness

Part 3: Mitigating Risk
- Summarize and mitigate risks
- Best practices have
  - Asset class: device, process, software, user
  - Priority: high, medium
  - Known security controls
  - Estimates of potential resistance, upfront cost, ongoing maintenance cost
  - Resources to help implementation
    - Links to online resources, NIST guidance, tools
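The "best way to spend the next dollar" framing from the starting-point slide, combined with the per-practice upfront and ongoing cost estimates described here, amounts to a marginal risk-reduction calculation. The script below is an added illustration of that calculation and is not CIS's self-assessment tool or anything from the handbook: components, connectivity exposure weights, likelihoods, impacts, mitigation names and costs are all constructed for the example. It scores each candidate mitigation by expected-loss reduction per dollar over a planning horizon, picks the best affordable one, applies its effect (so a second control on the same component has diminishing value), and repeats until the budget is exhausted.

```python
"""Marginal risk-reduction prioritizer (constructed illustration, not a CIS tool)."""
from dataclasses import dataclass

# Exposure multiplier per connectivity class. Constructed assumption:
# network-connected components face the most remote attack paths.
EXPOSURE = {"network": 1.0, "indirect": 0.5, "not_connected": 0.2}


@dataclass
class Component:
    name: str
    connectivity: str        # key of EXPOSURE
    base_likelihood: float   # annual probability of compromise with no mitigations
    impact: float            # loss (dollars or risk units) if compromised

    def expected_loss(self, scale: float = 1.0) -> float:
        """Annualised expected loss; `scale` is the residual likelihood fraction."""
        likelihood = min(1.0, self.base_likelihood * EXPOSURE[self.connectivity] * scale)
        return likelihood * self.impact


@dataclass
class Mitigation:
    name: str
    component: str
    upfront_cost: float
    annual_cost: float
    likelihood_reduction: float  # fraction of the component's likelihood removed, 0..1

    def total_cost(self, years: int) -> float:
        return self.upfront_cost + self.annual_cost * years


def marginal_value(comp: Component, scale: float, m: Mitigation, years: int) -> float:
    """Expected-loss reduction per dollar, given the component's current residual scale."""
    before = comp.expected_loss(scale) * years
    after = comp.expected_loss(scale * (1.0 - m.likelihood_reduction)) * years
    cost = m.total_cost(years)
    return (before - after) / cost if cost > 0 else float("inf")


def plan_under_budget(components, mitigations, budget: float, years: int = 3):
    """Greedy marginal selection: repeatedly buy the best affordable value-per-dollar.

    Greedy is not guaranteed optimal for a knapsack, but it matches the
    "next dollar" framing and handles diminishing returns because the
    residual scale of a component is updated after each pick.
    """
    by_name = {c.name: c for c in components}
    scale = {c.name: 1.0 for c in components}
    remaining = list(mitigations)
    chosen, spent = [], 0.0
    while True:
        affordable = [m for m in remaining if spent + m.total_cost(years) <= budget]
        if not affordable:
            break
        best = max(affordable,
                   key=lambda m: marginal_value(by_name[m.component], scale[m.component], m, years))
        if marginal_value(by_name[best.component], scale[best.component], best, years) <= 0:
            break
        chosen.append(best.name)
        spent += best.total_cost(years)
        scale[best.component] *= 1.0 - best.likelihood_reduction
        remaining.remove(best)
    return chosen, spent


def sample_components():
    # Constructed sample inventory; numbers are illustrative only.
    return [
        Component("EMS", "indirect", 0.3, 500_000),
        Component("e-pollbook server", "network", 0.4, 200_000),
        Component("tabulator", "not_connected", 0.3, 800_000),
    ]


def sample_mitigations():
    # Constructed candidate controls with hypothetical costs and effect sizes.
    return [
        Mitigation("MFA on e-pollbook admin", "e-pollbook server", 5_000, 1_000, 0.5),
        Mitigation("Patch management for e-pollbook", "e-pollbook server", 2_000, 3_000, 0.3),
        Mitigation("Removable media controls for EMS", "EMS", 10_000, 2_000, 0.6),
        Mitigation("Physical seals and chain of custody for tabulator", "tabulator", 3_000, 500, 0.4),
    ]


if __name__ == "__main__":
    plan, cost = plan_under_budget(sample_components(), sample_mitigations(), budget=30_000)
    for name in plan:
        print("buy:", name)
    print("total over 3 years:", cost)
```

Note that the air-gapped tabulator still makes the list: its low exposure weight is offset by high impact and a cheap control, which is the point of assessing risk across every connectivity class rather than only network-connected systems.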

Possible uses of the handbook
- Using as a baseline in developing training and assessment tools
- Drawing connections between non-technical understanding of risk and technical approaches to mitigation
- Prioritizing additional security work
- Showing how investments have been used and how future investment will be used
- Conducting an assessment of current practices

What's next?
- Self-assessment tool against the handbook
  - Pilot phase underway, full launch in July
- Training for independent assessors
  - In early development, hoping to begin training in fall
- Procurement guidebook
  - Based on the handbook, provides sound approaches to procurement as well as model contract clauses

Thank you!
Mike Garcia
Mike.Garcia@cisecurity.org
www.cisecurity.org/elections-resources