Michigan Department of State

(MDOS)

Risk Mitigation:

Multiple Factors and Approaches

Purpose

The purpose of the risk mitigation is to reduce the potential for

adverse future events. Mitigation aids in recovering from

business operation disruptions, disasters, and helps maintain

status quo operations.

Risk Mitigation

Primary focus is on IT today….

▪ IT is important and should be included

▪ Focus on recovery efforts from various

disruptions

▪ Cover a broad spectrum of disruptions

-network outages, power outages

-building access, pandemics,

-inaccessible data, customer actions

-bad actors

Risk Mitigation

Risks MDOS has identified…

Risk Mitigation

1. IT outages, physical building inaccessibility, active shooter

scenarios, disruptions due to weather… these are addressed with

the department’s Business Continuity of Operations and Recovery

Plan (BCORP)

2. Cyber threats

3. Loss of all or partial communication

4. Inappropriate customer activity or actions

5. Large scale, coordinated fraud (money, information, votes…)

6. Large event (i.e. Presidential Elections) risks

Risk Mitigation

Outages that the BCORP Focuses On▪ IT outages

▪ Physical building inaccessibility

▪ Active shooter scenarios

▪ Disruptions due to weather

▪ For major data or IT outages, we use the BCORP to guide us on

when to institute overall or individual IT disaster recovery plans

▪ The MDOS BCORP does establish pre-scheduled call-in times and

numbers for use if there is an emergency that prevents physical

access

▪ MDOS does annually train staff for active shooter events

Risk Mitigation

Cyber Threats

▪ MDOS relies on the Department of Technology, Management, and

Budget for cyber threat prevention

▪ MDOS does try to mitigate risk through our own Information Security

Office

Risk Mitigation

Loss of all or partial communication▪ When email is not accessible or functioning

▪ When phone land lines are down

▪ When cellular service is bogged down or disrupted

▪ The MDOS BCORP does establish pre-scheduled call-in times and

numbers for use if there is an emergency.

▪ MDOS also will post physical paper signs at pre-established locations

and use news outlets to communicate with staff and customers.

▪ The use of the three (3) 800 MHz radios on the MPSCS

Risk Mitigation

Loss of all or partial communication▪ When email is not accessible or functioning

▪ When phone land lines are down

▪ When cellular service is bogged down or disrupted

▪ The MDOS BCORP does establish pre-scheduled call-in times and

numbers for use if there is an emergency.

▪ MDOS also will post physical paper signs at pre-established locations

and use news outlets to communicate with staff and customers.

▪ The use of the three (3) 800 MHz radios on the MPSCS

Risk Mitigation

Inappropriate customer behavior▪ We experience numerous customer “events” each week

▪ Some require law enforcement response

▪ Some require first responder response

▪ MDOS wants to reduce customers in the branches as 70% of those who

come to the branch can do their business virtually

▪ MDOS has a goal of 30 minutes or less for customers with appointments

• Any branch up to 6 months in advance

▪ MDOS is designing branches to be less institutional

▪ Service without staff

• Self Service Terminals (SSTs)

• Expanded online services

Risk Mitigation

Large Scale Fraud▪ License plates, tabs, watercraft stickers, snowmobile stickers, moped

stickers, and titles all have a street value

▪ Some customers have been caught trying to circumvent the law for

insurance with short term temporary policies and then cancel them

▪ Some clerks have experienced bribery for actions or information

▪ MDOS secures all “saleable” items in our fenced, alarmed, and video

monitored warehouse

▪ All items are tracked in our system and by our Inventory Unit

▪ Our Office of Investigative Services works with Insurance

companies to combat insurance fraud

▪ We work with staff on the seriousness of being offered

money for requests

Risk Mitigation

2020 Presidential Election Preparation▪ Securing infrastructure

▪ Upgraded voting technology in 2017 & 2018

▪ Improved Qualified Voter File system

▪ 5-Point Security Plan

▪ Long-standing accuracy and integrity practices

▪ Misinformation detection

▪ Decentralized system (1500+ clerks in 83 counties)

▪ Cooperation among all election officials

▪ Public Hearing results

▪ Suspicious Activity Reporting

Questions/Discussion