The Quick Start Management Guide for
Voting System Security is a snapshot of
processes and procedures for local election
administrators to use when implementing
security measures for their voting systems.
It is a guide that highlights priority items
essential to securing a voting system.
A comprehensive set of Management
Guidelines is under development and will
be released in modules in 2007 and 2008.
�
Qu
ick
Sta
rt M
anag
emen
t G
uid
e fo
r V
oti
ng
Sys
tem
Sec
ur
ity
Software Security
• EnsurethatthesoftwareinstalledonthevotingsystemistheexactversionthathasbeencertifiedbyyourState,theNationalAssociationofStateElectionDirectors(NASED),and/ortheElectionAssistanceCommission’sVotingSystemTestingandCertificationProgram.Ifyouhaveanyreasontosuspectthatyourvotingsystemsoftwarehasbeencompromised,reinstallthevotingsystemsoftwarebyusingthecertifiedcopyofthesoftwareobtaineddi-rectlyfromyourStateelectionofficeorthelaboratorythattestedthevotingsystem.
• Donotallowanysoftwareonyourvote-tabulatingcomputerexceptthevotingsystemsoftwareitself.Specifically,donotallowofficeautomationsoftware,suchasMicrosoft®Word,PowerPoint,andExcel,ornetworkingsoftware,suchase-mailandnetworkbrowsers.
• Verifythatyourvotingsystemisnotconnectedtoanynetworkoutsidethedirectcontroloftheelectionoffice.Allunusedconnectionsonthevotingsystemsshouldbesealed,includinguniversalserialbus(USB),parallel,andotherports.
• Familiarizeyourselfwiththecontentoftheauditlogsonyourvotingsystemandlearntoprintthem.
• Consideranyresultstransmittedelectronicallyfromtheprecincttothecentralofficetobeunofficialandverifythemagainsttheresultscontainedonthemediathatarephysicallytransported
�Q
uic
k S
tart
Man
agem
ent
Gu
ide
for
Vo
tin
g S
yste
m S
ecu
rit
y
tothecentraloffice.Example:Reload all voting machine memory cards into the central tabulation computer to validate any unofficial results that are transmitted via modem to your office on election night.
Policies and Procedures
• Developaspecificprocedureformonitoringeachpersonwhohasaccesstoyourvotingsystem,includingyourelectionofficestaff,vendorpersonnel,andvisitorstoyouroffice.
• Requirepositiveidentificationofeachpersonwhorequestsaccesstothevotingsystem.Keepalogofeveryonewhoaccessesthevotingsystem.Thislogshouldincludetheperson’sname,thepurposeoftheaccess,thedateandtimetheaccessbegins,andthetimetheaccessends.Theentriesinthislogmustbecomplete.Example:“System Maintenance” is not an acceptable entry. The entry should state who accessed the system, exactly what maintenance was performed and why it was necessary, when the maintenance work began, and when it ended.
• Issuepasswordstostaffthatwillallowthemtoperformonlyauthorizedfunctionsonthevotingsystem.Itishighlyrecommendedthatmembersoftheelectionstaffworkinpairswheneverpossible.Thisprocedurewillgreatlyreducethepotentialforaccidentalerrorsandvirtuallyeliminateanyopportunityfordeliberatemischieforfraudbyarogueemployee.
�
Qu
ick
Sta
rt M
anag
emen
t G
uid
e fo
r V
oti
ng
Sys
tem
Sec
ur
ity
• Controltheaccessofvendorpersonneltoyoursystemuntilyouareabsolutelycertainthatanychange,upgrade,ormaintenancethattheyintendtoperformhasalreadybeenapprovedbytheFederaland/oryourStatecertificationprocess.Itisessentialthatthevendorneverbeallowedaccesstothevotingsystemwithoutamemberoftheelectionofficestaffpresent.Inthiscontext,anonvendorconsultantworkingundercontractwiththeelectionofficeisconsideredtobeamemberoftheelectionofficestaff;however,consultantsshouldbemonitoredascloselyasvendorpersonnel.
Password Maintenance
• Designatesomeoneintheelectionofficeasthepasswordadministrator.Thispersonshouldbeeitherthechiefelectionofficeroraseniormemberoftheelectionofficestaff.Thepasswordadministratorperformsthefollowingduties:
1. Issuespasswords.
2. Maintainsamasterlistofallpasswordsissued.
3. Reissuesallpasswordsperiodically.
4. Monitorspasswordusage.
Aprintedcopyofthemasterlistofpasswordsshouldbekeptbythepasswordadministratorinasafeandsecureplaceatalltimesandshouldonlybeusedintheeventofanofficeemergency.
• Neverissueasystempasswordtoanyone(includingvendorpersonnel)otherthananemployeeoftheelectionoffice.
�Q
uic
k S
tart
Man
agem
ent
Gu
ide
for
Vo
tin
g S
yste
m S
ecu
rit
y
Physical Security
• Engagecountyandmunicipalinformationtechnologystaffand/orlocalcommunitycollegeortechnicalschoolstafftohelpconductasecurityreviewandestablishandimplementapplicableelectionmanagementsystemsecuritymeasures.
• Createorupdateappropriateprocedurestoensurethatabsenteeandemergencyballotblankpaperstocksarecontrolledatalltimes.
• Developphysicalsecurityproceduresandsafeguardstodocumentthecontrolledphysicalaccesstovotingsystemsandthefacilitywherethesystemsarestored.Documentallsecurity-relatedrepairsandmodificationstothephysicalcomponentsofthefacilitywherevotingsystemsarestored.Example:walls, doors, locks, cameras, alarm systems.
• Reviewelectionofficeworkareastoensurethatofficespaceisappropriatelyisolatedandthatundetectedaccessbyunauthorizedindividualsisnotpossible.Reviewvotingequipmentstorageandworkareastoensurethatonlyauthorizedpersonnelhaveaccesstothem.
• Maintainalistofpersonnelwhohavekeystoelectionofficeworkareasandvotingequipmentstoragetoensurethatallkeysareaccountedforandonlyauthorizedpersonnelhavekeys.Developproceduresandpoliciesrequiringthatkeysorcombinationlocksbechangedforeachelectioncycle.
�
Qu
ick
Sta
rt M
anag
emen
t G
uid
e fo
r V
oti
ng
Sys
tem
Sec
ur
ity
• Developchain-of-custodyprocedures,usetamper-evidentseals,andimplementinventorycontrol/assetmanagementprocessestoensurethatvotingunitsandassociatedequipmentareproperlyandsecurelycontrolledandaccountedforatalltimesthroughouttheelectionadministrationprocess.
• Reviewallelectionaudittrailcheckliststoensurethattheyincorporatetwo-personintegritysecuritymeasures,suchasdualsignoff.
Personnel Security
• Establishqualificationguidelinesforchoos-ingtheperson(s)whowilloperateandadministerthevotingsystemandperformbackgroundchecksonelectionofficialswhoareauthorizedtodefineandconfigureelectionsandmaintainvotingdevices.
• Allowonlyauthorizedpersonneltophysicallyaccessthevotingsystem.Fortrackingpurposes,issueeachstaffmemberauniqueentrycode.
• Requirestaffmemberstowearidentificationbadgesatalltimes.Whenvisitors,vendors,maintenancepersonnel,andothernonstaffindividualsenterelectionofficeworkareas,logtheirentryandexitdatesandtimes,recordthepurposeoftheirvisit,andissuethemnumberedtemporaryidentificationbadges.
• Ateachpollingplaceestablishthenumberofpersonnelneededandidentifytheirdu-ties,maintainseparationofdutiesforpollmanagers,incorporatetwo-personintegrity
�Q
uic
k S
tart
Man
agem
ent
Gu
ide
for
Vo
tin
g S
yste
m S
ecu
rit
y
securitymeasures,andprovideadequatesecurityforelectionequipmentatalltimes.Establishpoliciesand/orproceduresforvisitorsandobserversinthepollingplace.
Securing the Voting Devices During Preparation and Transport to the Precinct
• Securethevotingdeviceswithtamper-proof,numberedsealsandrecordtheserialnum-bersforeachdevice.Thesenumbersshouldbeverifiedduringsetupattheprecinct.
• Developanoperationalplanthatdefinesthevotingdevicesthatwillbedelivered.Theplanshouldalsodescribewhereandwhenthedeviceswillbedeliveredandwhowilldeliverthem.
Securing the Voting Devices During In-Person Absentee and/or Early Voting
• Usethesameprocedurestoprepare,test,deliver,andsetupin-personabsenteeand/orearlyvotingdevicesasthoseusedtoprepare,test,deliver,andsetupvotingdevicesthatareusedinthepollingplacesonElectionDay.
• Placevotingstoragemediainthesamevotingdeviceseachmorningandremovethemediaeachnight.
• Close,seal,andsecurethevotingdevicesattheendofeachday.Securethevotingstoragemediaeachnightinatamper-prooflocation,preferablywithintheelectionoffice.
�
Qu
ick
Sta
rt M
anag
emen
t G
uid
e fo
r V
oti
ng
Sys
tem
Sec
ur
ity
• Verifythenumbersonallprotectivesealsandpubliccountersbeforethevotingde-vicesareusedforvotingthenextmorning.
Securing the Voting Devices on Election Day
• Requirethepollmanagertoverifyandsignoffontheserialnumbersofallvotingdevicesandnecessaryelectionsupplies.Example:ballot activation devices, administrator devices, communication equipment, closing seals.
• Requirethepollmanagertoverifythenumbersofallsealsand/ortamper-resis-tanttapeonallvotingdevicesandinspectthevotingdevicesforanyevidenceoftampering.Requirethepollmanagerandallpollworkerstouseachecklisttoverifythatallopeningprocedureswerefollowedandthensignoffonthatchecklist.
• Controlaccesstothevotingdevice’spowercontrol,countercontrols,andelectionresultsstoragemedia.Thepollingplaceshouldbearrangedsothattheexteriorofthevotingdeviceisinplainviewofthepollmanager(s)atalltimes.
• Allowonlypollmanagersandregisteredvotersinthevotingdevicearea.Avotershouldnotbeallowedtoenterthisareauntilavotingdeviceisavailableforhisorheruse.Thepollmanagershouldmaintaincontrolofadministratorandballotactivationdevices.
�Q
uic
k S
tart
Man
agem
ent
Gu
ide
for
Vo
tin
g S
yste
m S
ecu
rit
y
• Encouragepollmanagerstoperiodicallyverifythenumberofvotersprocessedagainstthenumberofvotesrecorded(viapubliccounter)onthevotingdevicesandtocomparethatnumberwiththetotalnumberofsignaturesrecordedinthepollbook.
Securing the Voting Devices During Tabulation
• Useanumbered,sealedpouchtotransportstoragemediafromthepollingplacetothelocalelectionofficeordesignatedcollectionpoint.
• Establishprocedurestosecurelytransportelectionresultsfromopticalscannerstovote-tabulationcomputersiftheopticalscannersarenotlocatedinthesameloca-tionaswherevotetabulationtakesplace.
• Verifytheunofficialresultstransmittedbymodemfromtheprecinctstothecentralelectionofficebyperformingaseparatecountoftheelectionresultstoragemediacontainingtheoriginalvotescast.
• Allowonlyauthorizedelectionofficialsinthetabulationequipmentroom.
• Considerusinguniformedsecurityorpoliceofficerstosecuretheballotroomand/orvotingequipmentduringtabulation.
• Encouragepollmanagerstoperiodicallyverifythenumberofvotersprocessedagainstthenumberofvotesrecorded(viapubliccounter)onthevotingdevicesandtocomparethatnumberwiththetotalnumberofsignaturesrecordedinthepollbook.
�
Qu
ick
Sta
rt M
anag
emen
t G
uid
e fo
r V
oti
ng
Sys
tem
Sec
ur
ity
Securing the Voting Devices During Storage and Post Election
• Verifythatallvotingdevicesarereturnedtostorage,confirmthatthedeviceshavenotbeentamperedwithduringtransport,andsignoffonthereceiptofthevotingdevices.
• Maintainaninventoryofelectionmaterials,includingvotingdevices,administratorandballotactivationdevices,sealenvelopes,voterregistration(poll)lists,electionresulttapesandprintouts,fieldsupervisors’reports,pollworkers’dailylogs,reconciliationreports,auditdata,andotheritems.