Improving electoral systems with new international quality management guidance

Newly revised international guidance for electoral organizations will help them do just that, by applying the principles of ISO’s most widely known standard for quality, ISO 9001.

The technical specification ISO/TS 54001, Quality management systems – Particular requirements for the application of ISO 9001:2015 for electoral organizations at all levels of government, creates the framework for a quality management system that helps electoral bodies provide more reliable and transparent electoral services. It is based on ISO 9001, Quality management systems, with specific sector requirements. It was recently updated to reflect changes to ISO 9001, to keep it more in line with market needs.

Every electoral body will have its own legal framework based on international and national law, so this is not intended to replace it

Katie Altoft, chair of the ISO technical committee responsible for its development, said it is an important tool for electoral organizations because it helps to build confidence in elections through enabling transparency, effective planning and management, and efficiency in electoral processes.

Read entire post Improving electoral systems with new international quality management guidance | Clare Naden | ISO.org

How natural disasters impact elections



The way politicians handle themselves in the wake of a natural disaster can greatly influence their careers and subsequent elections.

> Read entire article How natural disasters impact elections | AccuWeather

Millions of US voter records for sale

Anomali and Intel 471 researchers discovered a seller offering full names, phone numbers, physical addresses, voting history and other unspecified voting data.

Some 23 million records are up for sale for just three states, although no record counts were provided for the remaining 16 states. The sales price for each voter list ranges from $150 to $12,500 depending on the state.

A crowdfunding project is underway to pay the seller: a move which would offer the full lists for free to members of a particular hacking forum. Records for Kansas have apparently already been published, with Oregon next in line. Although access to state voter registration lists is provided to political campaigns, journalists and academic researchers, there are rules forbidding their use for commercial purposes or republishing online.

> Read entire article Millions of US Voter Records for Sale | Phil Muncaster | InfoSecurity

Elections Quebec warns of fraudulent calls and texts circulating for today’s vote

Elections Quebec is warning voters that fraudulent messages are going around indicating that today’s election has been postponed.

The agency took to Twitter Sunday evening, a little more than 12 hours before voters are supposed to head to the polls, to say that the election is most definitely not postponed and that people should disregard any automated calls that suggest otherwise.

Elections Quebec also tweeted that some people have reported receiving a text message that implies voters will be paid to go out and vote on Monday.

> Read entire article Elections Quebec warns of fraudulent calls, texts circulating ahead of Monday’s vote | CBC

Cambridge Analytica’s Kenya election role ‘must be investigated’

A full investigation must be carried out into a UK consultancy firm which helped take Kenya’s President Uhuru Kenyatta to victory, the main opposition coalition has told the BBC.

Published on BBC

Cambridge Analytica say they played a massive role in the election of Kenya’s President Uhuru Kenyatta, left, who beat Raila Odinga, right, last year.

National Super Alliance (Nasa) official Norman Magaya accused Cambridge Analytica and the ruling party of trying to “subvert the people’s will”.

Cambridge Analytica bosses were apparently caught on camera boasting of the control they had exerted in Kenya. The company denies any wrongdoing. Mr Kenyatta’s Jubilee party have downplayed the impact of the group, saying they employed the company’s parent company, SCL, to help with branding.

Cambridge Analytica first hit the headlines after helping US President Donald Trump to his shock win in 2016. However, questions are now being raised around the world over its methods – including the use of data harvested from people’s Facebook pages.

Read entire article Cambridge Analytica’s Kenya election role ‘must be investigated’ | BBC

What is Cambridge Analytica?

Cambridge Analytica is a company that offers services to businesses and political parties who want to “change audience behaviour”.

It claims to be able to analyse huge amounts of consumer data and combine that with behavioural science to identify people who organisations can target with marketing material. It collects data from a wide range of sources, including social media platforms such as Facebook, and its own polling.

With its headquarters in London, the firm was set up in 2013 as an offshoot of another company called SCL Group, which offers similar services around the world.

10 cybersecurity myths that must be busted

Cybersecurity was huge in 2016. From ransomware to weaponized Internet of Things (IoT) devices to foreign hacking of elections – last year saw it all. But many of these threats aren’t new and will never really go away.

This post will cover some misconceptions about cybersecurity itself. There are many cybersecurity myths, but an accurate understanding of these 10 is critical to your cyber posture as an individual, as a business, or as a government.

1. “Cyber risk” is a separate category of risk.

There’s no such thing as “cyber risk” – it’s risk. It’s the same risk that encompasses everything from protecting intellectual property to competitiveness and safety of personnel, and needs the same level of attention from the board of directors and the executive team. The concept of cybersecurity risk isn’t useful by itself, and treating it as a separate form is a distraction you can’t afford.

2. Cybersecurity is just an IT issue.

Earmarking online threats as something for the IT department is one of the best ways to help those threats proliferate. It’s important to remember that cybersecurity cuts across departments and is the same regardless of the IT implementation or vertical. Once information is digitized, everything from accuracy, privacy and availability to integrity needs to be protected. Cybersecurity requirements are paramount across an organization, from the data center to the branch office and mobile device.

3. Protecting yourself is good enough.

Organizations must be aware of others in their community and how they’re acting when it comes to cybersecurity questions. Some of the biggest headline-grabbing breaches of recent years involved third parties or organizations subordinate to the entity that was hacked. Everything in your ecosystem, from subcontractors to subsidiaries, vendors and accounting firms, can be a threat vector. Security is only as strong as the weakest link, and sometimes that weak link is beyond your four walls.

4. Digital and physical security are separate systems.

In today’s automated world, more and more devices, such as the elevator in your building and components in the public transit system, are getting connected and being controlled digitally. It’s now common for attackers to modify device software and potentially destroy physical infrastructure – at a minimum, creating tremendous inconvenience with potential catastrophic consequences.

5. Going back to paper (or disconnecting from the internet) minimizes risk.

The unplugging approach can lead to many problems apart from the potential damage to efficiency and productivity. Disconnecting, implementing “air gaps” or going back to paper can actually increase vulnerabilities. One can’t know if paper copies of data have been illicitly copied or removed. Meanwhile, air-gapped and disconnected networks are harder to monitor because less logging of data takes place; also, due to the inconvenience, they’re not updated with security patches as often. Ironically, increasing your attack surface this way makes it easier for criminals to find the valuable information and strike unnoticed.

6. Getting hacked is an embarrassment.

Many people hesitate to share their stories about getting hacked. This can be perceived as losing face, especially in Asian countries. However, it’s important to understand that everyone is vulnerable and it’s better to learn from one another by communicating. Unfortunately, there are only two types of organizations today: those that have been hacked and those that have been hacked but just don’t know it yet. Hiding a breach and letting it fester will only worsen the long-term damage.

7. Using antivirus software is enough.

AV might have worked in 1997, but 20 years later it sure won’t. Hackers have found multiple ways to subvert antivirus software and hide their own attacks in a system, in many cases for an average of six months. With the advent of ransomware, the timeframe from infection to damage has become almost instantaneous. In today’s world of quick and persistent threats, a prevention mindset to mitigate both known and unknown threats is essential. AV is terribly outdated.

8. Cybersecurity is just a form of defense.

Again, this is a shortsighted view of an essential resource and way of thinking. Security needs to be positioned as a strategic advantage since it can boost efficiency and save money. Not only is security by design and by default important for protection, but creating an integrated implementation will also enhance the usability of products and services and generate a competitive advantage. At a minimum, it will allow us to take back the many benefits ICT provides, and in a safe and secure manner. Stop thinking of cybersecurity as merely a cost center and understand its value as a business enabler.

9. New features of IoT devices trump security.

Security by design is becoming increasingly common in IoT devices. It basically means implementing features so devices can work and survive in a “zero trust” environment. Security should be integrated, automatic and transparent. Usability is key. You can’t expect people, especially elderly users, to jump through technical hoops to ensure security at the expense of productivity or efficiency.

10. You’ll never get attacked or breached.

This kind of thinking – that it will never happen to me – is almost a guarantee that it will. It’s equally unwise to have total confidence in the strength of one’s security and especially one’s security devices. There’s no such thing as perfect security – the key here is resilience. That’s the ability to take a hit and keep going or, in certain cases of failure, to default to a protected state. You should architect security with a prevention-first mindset, and also view attacks as an opportunity to learn about vulnerabilities and grow stronger based on that knowledge.

Source: Forbes
