Election TechREPORTS
InfoSENTRY® Services   www.infosentry.com   info@infosentry.com
Issue 10  
August 2002

  FEATURE 1:  Checking Vendor References Can Be A Contact Sport
  FEATURE 2:  Sources of Your System's Security Weaknesses
  FEATURE 3:  Mecklenburg County (NC) Board of Elections
  FEATURE 4:  After Action Reviews Capture "Lessons Learned" Easily
  FEATURE 5:  Virginia's Local Government Officials' Conference

Checking Vendor References Can Be A Contact Sport

One of the standard steps in buying a new voter registration system or a new vote tally system is the reference check. Typically, vendors provide names of three or four clients to whom they have provided similar services or products. Then, you call or visit one or two of the clients to get a better idea of how the vendor performed. The results are an integral part of your decision-making.

An article in the August 1, 2002, CIO magazine ("The Truth About Customer References: How Sweet Deals Can Be Rotten Business") gives pause when looking at that entire process. It points to an alarming number of instances in which individuals and organizations had financial ties to the vendor for whom they provided references. Not only was there the occasional ticket to the big game, ticket to a concert, trip to a trade show, or preferential treatment provided by vendor to client; there was also the flat-out financial incentive, such as a percentage of sales, offered in exchange for a good reference.

Surely that never happens in the elections field!

Consider this situation that actually happened. Election Office A received a proposal from Vendor Z for a new technology system. A went to a site visit at Election Office B that was listed as a reference for Z. The resulting reference was glowing! A completed the procurement process and entered into contract with Z.

Over two years later Election Office A, after having serious problems implementing Z's system, discovered that Election Office B was considering litigation against Vendor Z to recover unpaid royalties on sales of the system! Imagine their surprise to learn that the "reference" had been provided by what was in effect the vendor's business partner! Election Office A considered both civil and criminal remedies, eventually deciding not to pursue either alternative. Z + B = Conflict of Reference!

Yes, it all really happened! So, when you check references, you might find yourself in the uncomfortable but necessary situation of asking if there are any particular financial relationships between the referee and the vendor. Here are some steps you can take to add meaning to reference checks.

  1. Just like the financial news reporters these days who ask stock touts if they, or their cousins twice removed, have any relationships with the stocks they are recommending, you need to be sure there is no financial relationship between potential vendors and their references.
  2. You also want to use the systems you might purchase in an environment as close to yours as possible. A demonstration by the vendor is no substitute for using the system. Ask the reference site if you can use the system to perform (or see it performing) some of your most common and most difficult business operations.
  3. Ask detailed questions of the references, not just "beauty contest" questions. Be specific in your questions. ("What has been the worst example of the vendor's support and assistance?" "How many outstanding assistance calls do you have with the vendor and what is the average age of the assistance calls?" "May I talk with some of the department managers who have staff using the system?")
  4. Carry out the reference checks and site visits in person and without the vendor being present. If you are preparing to spend hundreds of thousands or millions of dollars for a new voter registration or vote tally system, it is worth more than a phone call.
  5. Select a client who is on the vendor's client list, but not on the reference list, for a phone call to discuss past performance.

There are no guarantees for stepping through reference checks. There is only a substantial amount of due diligence and hard work to make sure business ethics are in place and operating.



Sources of Your System's Security Weaknesses

A recent article by P.J. Connelly in Information Week highlights results of a survey by the System Administration, Networking, and Security (SANS) Institute. In April 2002 SANS asked 1220 security professionals why information technology (IT) security is weak. The results?

  • 64% of the respondents said management is skimping on budgets and undermining IT security efforts.
  • 47% said the fault lies with end users who do not understand their own responsibilities and vendors that ship products with insecure default settings or known security holes.
  • 41% cited the lack of commonly accepted security standards.
  • 39% mentioned the lack of effective risk assessments.
  • 38% blamed the constant presence of hackers trying to get into systems.
  • 38% chose a shortage of trained security professionals as the reason for weak system security.

(The survey allowed multiple responses, explaining why the figures total more than 100%.)

We agree with Mr. Connelly that managers who blame the weak security of their systems on the existence of hackers have insight that ranks right up there with the simple wisdom of Willie Sutton. When asked why he robbed banks, Mr. Sutton reportedly answered with "Because that's where the money is." As long as there are systems, there will be hackers.

Also, citing the lack of commonly accepted security standards is both nonsensical and simple blame-shifting. There are some solid "best practices" and widely accepted guidelines for information security that should be used even if they are not written down as "standards."

As an election official, you do not have much control over the number of hackers who might try to get in your systems. Neither do you have much control over the development of commonly accepted security standards.

However, in our work in elections offices around the country we have seen plenty of examples of the other reasons for weak security. Your office, your county government, and your state governments have control over these factors. 

In many organizations, we have seen security and business planning budgets remain flat or even decline THIS YEAR after the dramatic events in New York last September. In most state and local government business offices, we still find no earmarked budget items for security and recovery management.

In the vast majority of government offices, we still see no plans for spending on specific security training for network administrators or user security awareness. Given choices of receiving training in any technical area, most technical staff place security and recovery training near the bottom of the list. We would love to receive copies of user security awareness training programs in effect in any election offices around the country.

Few government organizations plan spending on information security risk assessments or real network vulnerability assessments. When they do, they typically focus on the kinds of external threats (that is, hackers) that constitute a noted minority of security problems.

Within the past few years we have seen several examples of vendors delivering election systems solutions that had default system settings and known security holes...and placing the full responsibility of fixing the problems on the election office customers. These problems often leave the underlying voter registration databases wide open for errors and malicious modification, even though the applications sitting on top of those databases appear to be secure. This means that someone who does not have access to the database through the application can use a tool as simple as Microsoft Access® or Microsoft Excel® to gain direct, undetected access to the database without using the main application.
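One way an office could check for the direct database access described above, shown as an added example that is not part of the original newsletter or any vendor's product. It assumes the database can export its permission list and keeps an audit log that records the client program name; the record layouts, account names, program names and table names are all constructed for illustration.

```python
# Added example: flag access to voter data that bypasses the main application.
# Every account, program, table and record below is a constructed sample.

APP_ACCOUNT = "vr_app_svc"      # assumed: the one account the application logs in with
APP_PROGRAM = "vrsystem.exe"    # assumed: client program name the application reports
PROTECTED = {"voters"}          # assumed: tables holding voter registration records
WRITE_PRIVS = {"INSERT", "UPDATE", "DELETE"}

# (account, table, privilege) rows exported from the database's permission catalog
GRANTS = [
    ("vr_app_svc", "voters", "UPDATE"),
    ("public", "voters", "SELECT"),
    ("public", "voters", "UPDATE"),
    ("clerk_01", "precincts", "SELECT"),
]

# (time, account, client program, table, action) rows from the database audit log
SESSIONS = [
    ("2002-08-05 09:12", "vr_app_svc", "vrsystem.exe", "voters", "UPDATE"),
    ("2002-08-05 19:40", "clerk_01", "MSACCESS.EXE", "voters", "SELECT"),
    ("2002-08-06 07:03", "vr_app_svc", "EXCEL.EXE", "voters", "UPDATE"),
]


def risky_grants(grants):
    """Privileges on protected tables held by anyone other than the application."""
    found = []
    for account, table, priv in grants:
        if table in PROTECTED and account != APP_ACCOUNT:
            level = "HIGH" if priv.upper() in WRITE_PRIVS else "REVIEW"
            found.append((level, account, table, priv.upper()))
    return sorted(found)


def direct_sessions(sessions):
    """Audit rows where protected data was reached outside the application."""
    hits = []
    for when, account, program, table, action in sessions:
        # The application account used from another program is flagged too:
        # it can mean the application's database password is being reused.
        via_app = account == APP_ACCOUNT and program.lower() == APP_PROGRAM
        if table in PROTECTED and not via_app:
            hits.append((when, account, program, action))
    return hits


if __name__ == "__main__":
    for row in risky_grants(GRANTS) + direct_sessions(SESSIONS):
        print(row)
```

A "HIGH" finding is the situation the article describes: an account outside the application that can change voter records directly.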

So, as that famous systems management guru pointed out a few hundred years ago, "The fault...lies within ourselves." One of your first steps as an information technology manager (and if you are in charge of an elections office, you are an information technology manager) should be to conduct an information risk assessment or a business impact analysis. Properly done, those analyses might give you both valuable information to plug security holes and the justification you need for increased resource commitments to system security and business continuity actions.

 



Feature Election Office: Mecklenburg County (NC) Board of Elections

Mecklenburg County is known for being ahead on a lot of issues. The County was so interested in independence that it got a jump on other Colonial settlements, declaring its independence from King George III a few months before the Declaration of Independence received its signatures in Philadelphia. This is just one of the reasons that you hear references to the "Great State of Mecklenburg" on the floor of the North Carolina Legislature.

Looking out of the windows of the Board of Elections office in the Uptown area of Charlotte, you get a feel for the diversity of Mecklenburg County over 200 years after its rush to independence. Located just inside North Carolina’s border with South Carolina, the shining towers of one of America’s financial powerhouse cities are just minutes away from large suburban areas, factories, farm country, and a NASCAR shrine.

Amid all of this is a Board of Elections (BoE) that has become a leader in the use of information technology to manage voter registration, vote tallying, and providing public information to the county’s 441,000 active and inactive registered voters.

Mecklenburg County was one of the first counties in the country to put a substantial amount of voter registration data on their website in a searchable database. Similarly, it was one of the first to offer interactive maps to provide directions from a voter’s residence to a polling place. BoE Director Michael Dickerson points out, “We’ve been doing that for seven or eight years now. Our Board members are proficient in use of technology and are very supportive of our efforts. They have mentioned our web page as being a value-added part of our office without having to add staff. It is a value-added way for citizens to contact us. Twenty thousand hits on our web site in a month might mean we have answered thousands of questions without having to add more staff to do it.”

Michael points out that the BoE has 16 permanent, full-time staff members, a number that has remained steady over the past five years. During that time the number of registered voters has increased as the county's population has grown and changed in its makeup. He also noted that during the same period voters' requests and legislators' requirements have increased significantly. Michael notes, "The Board's staff members have responded extremely well in using technology to meet the new demands." 

In addition to implementing a substantial upgrade to the County's voter registration system, the BoE is involved in a project to upgrade its vote tally equipment. The County has 1400 Microvote 464 DRE voting machines used successfully for many years in its polling places throughout the county. In the past two years, North Carolina has expanded its effort for early voting. The Mecklenburg BoE is phasing in an upgraded generation of Microvote DREs, using 100 new Infinity models in early voting sites. 

As a starting point in this process, Michael, Jane Cirulis-McSwain (BoE's Deputy Director, Operations), and Daniel Binford (BoE's System Administrator) put together a comprehensive strategy for user acceptance testing the new system. "The testing process lasted for several weeks and we ended up with a dozen videotapes and a CD-ROM-full of documentation. That helped us work with the system vendor to reduce the number of surprises when we put the system out in the early voting sites. It helped staff become familiar with the procedures needed to integrate the upgraded system into our operations."

For each early voting site, IT staff prepared and delivered laptops loaded with required public information on all registered voters. When a voter arrives, an election worker locates the voter's information in the database, records the required information on a "smartcard," and gives the card to the voter. The voter uses the smartcard to activate the DRE, receive the correct electronic ballot, and complete the vote transaction. The Site Supervisors/Chief Election Judges, who received two days of training in the process, are there to handle problems and implement provisional voting procedures if needed.

Michael points out, "We viewed early voting as a great opportunity to work out our procedures and operations with the new system in the coming September 10 primary. Jane has coordinated the entire event in such a manner that we can make adjustments and modifications necessary for November's general election, which normally has a substantially higher turnout."

Michael adds that all of the work over the past few months has already shown one benefit, even before the early voting effort officially started. "A part-time election worker, who has been with us over several elections, came in and exclaimed that this was the calmest she had seen this staff before an election. We are that much more prepared than we were before the other elections, even with all the uncertainty we have had about when the election would be and where the district lines would be. The testing and preparation for the past six months made the difference."

InfoSENTRY is pleased to have worked with the Mecklenburg County Board of Elections in designing and implementing user acceptance tests for voter registration system and vote tally system technology initiatives over the past two years.



After Action Reviews Capture "Lessons Learned" Easily

Most computer projects with a total value of over $100,000 are not completed on time, do not meet the client's core requirements, or do not finish within budget. Given that, we believe it is important to maximize your "Return on Failure" and learn as much as you can from each project. InfoSENTRY has produced a paper on "After Action Reviews" that details a straightforward, easy to use procedure for capturing and implementing lessons learned while a project is under way...to avoid having too many failures to learn from.

Click here to download a PDF file of "Increasing Your Return on Failure: How After Action Reviews Make the Difference."



InfoSENTRY Participates in Virginia Local Government Officials' Conference

Glenn Newkirk, InfoSENTRY's President, addressed Virginia’s Election Registrars at the Local Government Officials Conference at the University of Virginia’s Weldon Cooper Center for Public Service in early August. His presentation covered the Federal election reform legislation pending in Congress, the potential impact on voter registration systems and vote tally systems when that legislation passes, and the likely growth in use of postal voting and Internet voting in the next decade.

Glenn was delighted to participate in this training event and expresses his thanks once again for the wonderful hospitality of the University of Virginia, Sheri Iachetta (the City of Charlottesville's General Registrar), and Virginia's General Registrars.



Please contact et@infosentry.com if you would like to get a PDF version or a laser printed copy of this newsletter for distribution in your election office.

InfoSENTRY Services, Inc.
2 Hannover Square, Suite 1740 Raleigh, NC 27601
P.O. Box 28048, Raleigh, NC 27611
Phone: 919.838.8570
Glenn Newkirk's e-mail:
glenn_newkirk@infosentry.com

Copyright 2002, InfoSENTRY® Services, Inc. All rights reserved. Reproduction and dissemination without the express written permission of InfoSENTRY® Services, Inc. is strictly prohibited. InfoSENTRY Services, Inc. publishes Election TechReports monthly, focusing on technology trends and issues in election offices. From time to time, Election TechReports might mention the name of vendors' hardware or software products. However, InfoSENTRY® Services is completely independent from hardware and software vendors. Mentions of vendors' hardware and software products in no way constitute an endorsement or indication of worthiness for those vendors or products.