6 Steps for Performing Election Security Self-assessments

Understanding your risks is key to a strong cyber defense. When was the last time your elections agency conducted an election security assessment to understand risks? CIS has developed the Election Infrastructure Assessment Tool (EIAT), a program to help your agency conduct an election security self-assessment.


The EIAT is intended to help organizations assess current cyber defenses and make a plan to remediate security vulnerabilities. The tool should also foster awareness building among key stakeholders in security processes. It all comes from conducting a robust assessment. Keep reading for key steps to performing an election security self-assessment for your organization.

1. Engage Stakeholders

As an election official charged with a multitude of responsibilities, you have a number of resources available to assist you. As you embark on your self-assessment, engage your jurisdiction’s IT administrators to assist and make sure your efforts align with county policies. Leverage your professional associations to share experiences and expertise. Reach out to your vendors to gain their insight on the aspects of the system they cover. This type of feedback will help structure your approach and reduce any apprehension.


2. Gather Information and Complete the Assessment

The EIAT classifies best practices based on the class of connectedness. These classes consist of network-connected, indirectly connected, and transmission (see Figure 1).

You should first assess your inventory of systems and devices, including those dedicated to the election process, to determine which class of connectedness each one falls into. Then use the EIAT to review each best practice and record whether it is implemented, has policy defined, or, perhaps, is not applicable.

3. Review Results

Once complete, the EIAT will provide an overall report based on your self-assessment. Using these results, discuss the findings with your key stakeholders to determine what changes may need to be considered and what the findings mean. You may also find that some of the evaluation findings need to be revisited based on the initial assessment.

4. Make a Remediation Plan

The review of your results should become your remediation plan. It may include small changes and substantial process or technical changes that involve other departments across your jurisdiction. The EIAT findings and dashboard provide a key tool to brief other senior leaders on the need to take action, whether that involves policy shifts or budget requests to improve your overall security. Use it to establish clear milestones for achieving your goals. The EIAT will provide helpful recommendations on how to take immediate action to boost your score in the dashboard.


5. Follow Your Remediation Plan

Based on your results, establish your milestones and stick with them. This goes back to engaging stakeholders early and throughout the process. With strong and continual engagement, others are more likely to remain committed to seeing full implementation of best practices.


6. Repeat

Self-assessments are only the first step. Security threats evolve just as fast as technology. Due diligence requires dedication to a program structure that revisits the EIAT after each election to review the latest best practices and retool.

A path forward

Learning about the election security risks your agency can face and knowing which ones to mitigate first can seem overwhelming. By conducting a security self-assessment using a tool like the EIAT, your agency can identify key areas of risk for remediation. Remember that an election security assessment should be conducted regularly to identify any shifts in security needs.