TGDC Meeting, December 2011 Andrew Regenscheid National Institute of Standards and Technology Update on UOCAVA Risk Assessment by.

Slides:



Advertisements
Similar presentations
S3-1 © 2001 Carnegie Mellon University OCTAVE SM Process 3 Identify Staff Knowledge Software Engineering Institute Carnegie Mellon University Pittsburgh,
Advertisements

IEEE P1622 Meeting, Oct 2011 IEEE P1622 Meeting October 24-25, 2011 Overview of IEEE P1622 Draft Standard for Electronic Distribution of Blank Ballots.
Information System Audit : © South-Asian Management Technologies Foundation Chapter 4: Information System Audit Requirements.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
Risk Assessment Frameworks
United States Election Assistance Commission Pilot Program Testing and Certification Manual & UOCAVA Pilot Program Testing and Certification Manual & UOCAVA.
TGDC Meeting, Jan 2011 UOCAVA Pilot Projects for the 2012 Federal Election Report from the UOCAVA Working Group Andrew Regenscheid National Institute of.
TGDC Meeting, July 2011 Overview of July TGDC Meeting Belinda L. Collins, Ph.D. Senior Advisor, Voting Standards, ITL
TGDC Meeting, July 2011 Update on the UOCAVA Working Group Andrew Regenscheid Mathematician, Computer Security Division, ITL
Visual 3. 1 Lesson 3 Risk Assessment and Risk Mitigation.
United States Election Assistance Commission EAC UOCAVA Documents: Status &Update EAC Technical Guidelines Development Committee Meeting (TGDC)
TGDC Meeting, July 2011 UOCAVA Roadmap Update Nelson Hastings, Ph.D. Technical Project Leader for Voting Standards, ITL
Military and Overseas Voter Empowerment Act (MOVE) Donald Palmer, Director, Division of Elections, Florida Department of State.
TGDC Meeting, July 2011 IEEE P.1622 Update John P. Wack Computer Scientist, Software and Systems Division, ITL
WMD & Emergency Planning Steps Session 12. Emergency Planning Steps Vulnerability Assessment Mitigation Efforts Emergency Response Planning Recovery.
Federal Voting Assistance Program Technology Programs and 2012 Cycle Initiatives Technical Guidelines Development Committee EAC-NIST January 13, 2011.
Making every vote count. United States Election Assistance Commission HAVA 101 TGDC Meeting December 9-10, 2009.
1 The Impact of SAS 112 on Governmental Financial Statement Audits GAQC Member Conference Call January 4, 2007 Presented by Chuck Landes, CPA.
12/9-10/2009 TGDC Meeting NIST Research on UOCAVA Voting Andrew Regenscheid National Institute of Standards and Technology
Maryland‘s Experience with the MOVE Act Linda H. Lamone State Administrator Maryland State Board of Elections.
UOCAVA Report Overview and Status July 2008 Andrew Regenscheid Computer Security Division National Institute of Standards and Technology.
Tingxuan Liu Risk Management in Software engineering.
IEEE P1622 Meeting, Feb 2011 Common Data Format (CDF) Update John P. Wack National Institute of Standards and Technology
1 Election Operations Assessment Summary Election Assistance Commission.
Improving U.S. Voting Systems Security Breakout Session Improving U.S. Voting Systems Andrew Regenscheid National Institute.
Federal Voting Assistance Program Voting Initiatives and MOVE Act Joint Election Officials Liaison Committee January 7 th, 2010.
TGDC Meeting, December 2011 IEEE P1622 Common Data Format Standardization Update John P. Wack National Institute of Standards and Technology
UOCAVA Voting in Four States A Study of Election Administration.
The Election Administration and Voting Survey: A User’s View Charles Stewart III MIT August 8, 2013 version 1.2.
TGDC Meeting, Jan 2011 Accessibility and Usability Considerations for UOCAVA Remote Electronic Voting Systems Sharon Laskowski, PhD National Institute.
TGDC Meeting, July 2010 Security Considerations for Remote Electronic UOCAVA Voting Andrew Regenscheid National Institute of Standards and Technology
TGDC Meeting, July 2010 Report of the UOCAVA Working Group John Wack National Institute of Standards and Technology DRAFT.
Election Reforms: What Should We Prioritize for 2013 and Beyond? CACEO Priorities: 1. Unfunded State Mandates – AGAIN Permanent Vote-by-Mail Vote-by-Mail.
NIST Voting Program Page 1 NIST Voting Program Lynne Rosenthal National Institute of Standards and Technology
TGDC Meeting, December 2011 Overview of December TGDC Meeting Belinda L. Collins, Ph.D. Senior Advisor, Voting Standards
TGDC Meeting, July 2011 Voluntary Voting System Guidelines Roadmap Nelson Hastings, Ph.D. Technical Project Leader for Voting Standards, ITL
TGDC Meeting, Jan 2011 Help America Vote Act (HAVA) Roadmap Nelson Hastings National Institute of Standards and Technology
Visual 1. 1 Lesson 1 Overview and and Risk Management Terminology.
UOCAVA What we know What works Dr. Donald S. Inbody Texas State University.
TGDC Meeting, July 2010 Report on Other Resolutions from Dec 2009 TGDC Meeting John Wack National Institute of Standards and Technology
TGDC Meeting, Jan 2011 Common Data Format (CDF) Update John P. Wack National Institute of Standards and Technology
TGDC Meeting, Jan 2011 Review of UOCAVA Roadmap Nelson Hastings National Institute of Standards and Technology
1 DECEMBER 9-10, 2009 Gaithersburg, Maryland TECHNICAL GUIDELINES DEVELOPMENT COMMITTEE Commissioner Donetta Davidson.
Information Security Governance and Risk Chapter 2 Part 2 Pages 69 to 100.
Prepared By: Razif Razali 1 TMK 264: COMPUTER SECURITY CHAPTER SIX : ADMINISTERING SECURITY.
TGDC Meeting, July 2010 Overview of NIST Activities and TGDC Meeting Agenda Martin Herman, PhD National Institute of Standards and Technology
TGDC Meeting, Jan 2011 Development of High Level Guidelines for UOCAVA voting systems Andrew Regenscheid National Institute of Standards and Technology.
TGDC Meeting, Jan 2011 Path Forward for FY11 UOCAVA Activities Nelson Hastings National Institute of Standards and Technology
Deck 5 Accounting Information Systems Romney and Steinbart Linda Batch February 2012.
Dr. Mark Gaynor, Dr. Feliciano Yu, Bryan Duepner.
TGDC Meeting, Jan 2011 Report from Workshop on UOCAVA Remote Voting Systems Nelson Hastings National Institute of Standards and Technology
By: Mark Reed.  Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.
Computer Science / Risk Management and Risk Assessment Nathan Singleton.
TGDC Meeting, Jan 2011 VVSG 2.0 and Beyond: Usability and Accessibility Issues, Gaps, and Performance Tests Sharon Laskowski, PhD National Institute of.
TGDC Meeting, Jan 2011 UOCAVA Pilot Projects for the 2012 Federal Election Report from the UOCAVA Working Group Andrew Regenscheid National Institute of.
Dr. Gerry Firmansyah CID Business Continuity and Disaster Recovery Planning for IT (W-XIV)
Headquarters U.S. Air Force
SELF-GUIDED SECURITY ASSESSMENT
DISASTER VULNERABILITY, RISK AND CAPACITY
Voter Assistance Training
National Institute of Standards and Technology
Internet Voting Resources and Reports
UOCAVA Electronic Blank Ballot Delivery Use Case
Unit 7 – Organisational Systems Security
Risk Assessment = Risky Business
Element 49 Page 217.
SELF-GUIDED SECURITY ASSESSMENT
Internal Control Internal control is the process designed and affected by owners, management, and other personnel. It is implemented to address business.
MANAGEMENT of INFORMATION SECURITY, Fifth Edition
MANAGEMENT of INFORMATION SECURITY, Fifth Edition
Presentation transcript:

TGDC Meeting, December 2011 Andrew Regenscheid National Institute of Standards and Technology Update on UOCAVA Risk Assessment by UOCAVA Working Group

TGDC Meeting, December 2011 Outline Background Risk assessment methodology Sources of data Status update on progress Next steps Page 2

TGDC Meeting, December 2011 Background All systems and processes have risks Current UOCAVA Vote-by-Mail (VBM) as baseline We have implicitly accepted risks in the current UOCAVA voting process Director Carey has maintained future systems should be compared to the current system TGDC accepted task to develop a risk assessment on current UOCAVA processes Page 3

TGDC Meeting, December 2011 Charge To describe risks in currently-used UOCAVA voting processes Vote by Mail (VBM) Electronic ballot delivery via , fax, and web sites Effort should facilitate comparisons between different types of risks Future efforts could look at remote electronic voting systems, once a system is defined Page 4

TGDC Meeting, December 2011 Risks From NIST SP800-30rev1: Risk is a measure of the extent to which an entity is threatened by a potential circumstance or event, and is typically a function of: The adverse impacts that would arise if the circumstance or event occurs; and The likelihood of occurrence A risk assessment is the process of identifying, prioritizing, and estimating information security risks Page 5

TGDC Meeting, December 2011 Methodology Initial step: Define current UOCAVA voting processes Tailored methodology in NIST SP rev1, Guide for Conducting Risk Assessments (draft) Major contents of risk assessment: Threat event Vulnerability Threat source Impact Likelihood Page 6

TGDC Meeting, December 2011 Defining Current Processes (1) EAC whitepaper, UOCAVA Registration and Voting Processes, April 2011 Split UOCAVA Voting into 6 processes Prepare and Submit Voter Registration Application Process Voter Registration Application Prepare and Deliver Blank Ballots Mark and Return Ballots Receive and Process Ballot Packets Count Ballots Page 7

TGDC Meeting, December 2011 Defining Current Processes (2) Each process could have several instantiations, e.g., Registration by mail, , fax, or web Ballot delivery by mail, , fax, or web For each process, we created flowcharts UML 2 Activity Diagrams Currently only vote-by-mail diagrams are completed Activities in each diagram are tagged with an identifier Page 8

TGDC Meeting, December 2011 Page 9

TGDC Meeting, December 2011 Page 10

TGDC Meeting, December 2011 Page 11

TGDC Meeting, December 2011 Risk Assessment Diagrams represent the target system of the risk assessment Risks may be present at any step (i.e., activity) of the processes To describe the risk, we need to identify the: Threat event Vulnerability Threat source Impact Likelihood Page 12

TGDC Meeting, December 2011 Threat Event A threat event is any event or situation that has the potential for causing undesirable consequences or impact Undesirable impacts violate one of the following goals: Correctness of election result Protect voter privacy Maintain public confidence in election Example: Blank Ballot is lost or delayed en route to voter A threat event involves the exploitation of a vulnerability by a threat source Page 13

TGDC Meeting, December 2011 Vulnerability A vulnerability is an inherent weakness in a system, security procedures, internal controls, or implementation that could be exploited by a threat source Example: Foreign and domestic mail services are not fully reliable Page 14

TGDC Meeting, December 2011 Threat Sources (1) A threat source is the adversary intending to exploit vulnerability, or it is a situation that may accidentally or incidentally exploit a vulnerability Types of threat sources Adversarial attacks Human errors of omission or commission Structural failures of jurisdiction-controlled resources Natural and man-made disasters, accidents, and failures beyond the control of the jurisdiction Page 15

TGDC Meeting, December 2011 Threat Sources (2) Examples of threat sources: Adversarial Hostile individuals and groups Disgruntled election workers Non-adversarial Voters Election officials Postal agencies Natural disasters Page 16

TGDC Meeting, December 2011 Impact Impact is a measure of the harm done by the occurrence of a threat event Qualitative measure of two factors: Page 17 Severity How “bad” is the event? Low/Moderate/High Scale How many voters/ballots are impacted? Small/Large scale Impact

TGDC Meeting, December 2011 Likelihood The likelihood of occurrence of a threat is an estimate of the likelihood that a threat event will occur and result in an adverse impact UOCAVA voting processes have different types of risks, e.g., System-wide risks that rarely occur Transactional risks that occur frequently We replace likelihood with Occurrences; that is, how often a given threat event is likely to occur in a given state during a Presidential election year Page 18

TGDC Meeting, December 2011 Occurrences We have a 4-point qualitative scale for estimating occurrences Page 19 Uncommon(1) RareThe event is very unlikely to occur (2) UnlikelyThe event regularly occurs in elections, but is unlikely to occur in any given election Common(3) InfrequentThe event is expected to occur a few times during an election (4) FrequentThe event is expected to occur many times during an election

TGDC Meeting, December 2011 Risk Assessment Examples Page 20 Threat EventVulnerabilityThreat Source ActivitySeverityScaleOccurrence A voter moves and forgets to inform the LEO of his/her new address Human error- Voters must remember to update their addresses Voter 1A-aHighSmall (4) Frequent A marked ballot is lost or delayed by a mail service en route to a LEO Foreign and domestic mail services are not fully reliable Mail services 4A-eHighSmall (4) Frequent Batch of marked ballots is lost during processing Loss of physical security LEO5, 6HighLarge (2) Unlikely

TGDC Meeting, December 2011 Data Sources Government reports 2010 EAC UOCAVA Report 2010 FVAP Post Election Survey 2010 Analysis of the Military Postal System Compliance with the MOVE Act Other reports Pew Overseas Vote Foundation Experiences/Anecdotal reports from Election Officials Page 21

TGDC Meeting, December 2011 Status Update Completed activity diagrams for UOCAVA Vote-by-Mail processes Identified risks in those processes Currently estimating impact and occurrences of each risk Page 22

TGDC Meeting, December 2011 Next Steps Complete UOCAVA Vote-by-Mail analysis Conduct risk assessments for blank ballot delivery Develop conclusions on major sources of risk in current processes Page 23

TGDC Meeting, December 2011 Discussion Page 24

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.