County Infrastructure and Access Security Standards
The County utilizes a defense-in-depth approach to protect its election management system (EMS) against threats to the election process that includes physical controls (security fences and cameras), technical controls (data encryption, access controls and hardening of servers), and administrative controls (policies and procedures). ROV has partnered with the County Information Security Office (ISO) to provide training for employees with access to the voter database on recognizing and reporting suspicious activity and social engineering as well as other potential threats to ROV systems and data.
The information below can describe the standards in place for protecting data maintained by the Registrar of Voters.
Security infrastructure standards
Based on a recent study of the County’s security and infrastructure, the following is an overview of actions and security improvements:
- Following the National Institute of Standards and Technology (NIST) security controls and standards for cybersecurity frameworks
- Continually monitoring systems to detect and prevent intrusion
- Using software applications or hardware appliances that monitor traffic moving on a network to search for suspicious activity.
- Strengthened barriers between secure trusted networks and outside or untrusted networks, such as the Internet.
- Upgrading network firewalls and servers to the latest technology and standards
- Permitting connections to other authorized systems only when necessary, such as the State’s voter registration database called VoteCal.
- Under federal law, election officials must provide technological security to prevent unauthorized access to election management systems, including while exchanging data.
- Utilizing encryption of data while at rest and during transmission
- Conducting routine database back ups
- Regular and routine back-ups of election data can prevent data loss should other systems break down or be taken out of service.
- Thorough chain-of-custody documentation of all assets and systems
- Physical security of Berger Drive Campus includes security fencing, employee badge access to secured areas, security cameras, alarm systems, and a County Sheriff Deputy stationed on campus during critical election season. County Sheriff Deputies provide increased security on Election Day.
Employee access security standards
The ROV uses appropriate access controls to systems and data, such as:
- Granting employee access on an “as needed” basis, establishing a minimum of two-factor authentication and unique credential parameters for each employee.
- Physical access to the ROV is protected by use of employee badge. Further limitations on employee access to voting systems and servers on an “as needed” basis.
- Employing the two-person rule is critical throughout the election and at all times ballots and vote center results are being transported, during ballot processing, tabulation and adjudication, and reporting results.
Public access security standards
Public access is given to authorized applicants who meet the legal criteria. For more information on who may apply to be authorized and what information may be available, please read the “Voter Privacy Statement.”
- Requiring all applicants to complete and sign official application, indicating how they will use the data
- Thoroughly vetting all applicants against the legal criteria prior to approval
- Providing all approved applicants documentation from the County Information Security Office on security awareness and how to protect data
- Sharing only minimum data to those who have been authorized
- Using only secure networks for data transfer and granted access
- VPNs, encrypted drives, secure FTP or other methods that enable restricted access
Frequently asked questions about election security and administration