Presented @ the eNigeria Annual Conference 2015
Theme: "The Role of ICT & Information Security Towards an Effective Electoral Process in Nigeria"
@ the International Conference Centre, Abuja, Nigeria.
05 November 2015
STRATEGIES FOR DEVELOPING & IMPLEMENTING INFORMATION SECURITY POLICIES BASED ON ISO 27001: 2013
1. Consultancy Support Services (CS2) Limited., info@consultancyss.com
by Abdul-Hakeem Ajijola, info@consultancyss.com
Presented @ the eNigeria Annual Conference 2015 (Theme: "The Role of ICT & Information Security Towards an Effective Electoral Process in Nigeria"), International Conference Centre, Abuja, Nigeria, 05 November 2015
2. DEFINITIONS
ISO27001
• An International Standard
• Information Security Management System (ISMS)
• Adopted by organizations regardless of type or size
• Published by the International Standard Organization (ISO): http://www.iso.org/iso/home/standards/management-standards/iso27001.htm
• Built from British Standard BS7799-2
Electoral Process
• A formal decision-making process
• A population chooses an individual to hold public office
• Must meet standards to be credible:
  • Article 25 of the UN International Covenant for Civil and Political Rights (ICCPR of 1966)
  • Article 21(3) in the Universal Declaration of Human Rights (1948)
  • 1990 Copenhagen Document of the Conference on Security and Cooperation in Europe (CSCE)
  • 2002 Venice Commission's Code of Good Practice in Electoral Matters
  • OSCE Election Observation Handbook
  • UN General Assembly resolution 63/163 (April 12, 2012)
• Conventions, treaties, protocols, and guidelines of:
  • UN General Assembly
  • Organization for Security & Cooperation in Europe (OSCE)
  • Organization of American States (OAS)
  • African Union (AU)
  • United Nations member states
• Electoral Integrity Project: https://sites.google.com/site/electoralintegrityproject4/home
• ElectionGuide, provided by the International Foundation for Electoral Systems (IFES): http://www.electionguide.org/
5. ELECTRONIC & ELECTORAL PROCESS
Transparency, Integrity, Accountability and Confidentiality underpin TRUST
6. TRANSPARENCY
• Open Access to how the system works
• Visibility of the key process
• Compliance
• Certification
7. INTEGRITY
• Preventing unauthorized modification of user's information
• Strong mechanism to prevent unauthorized changes to data (Votes Cast), including by an insider
8. CONFIDENTIALITY
• Prevent eavesdropping by third parties on communications
• User Choices (Cast ballots) collected anonymously
9. ACCOUNTABILITY
• Providing reliable verified records effective for process auditing
11. STRATEGIC APPROACH TO ISO27001:2013
• Define the Implementation Scope
• Draft ISMS Policy
• Determine ISO 27001 Maturity Level
• Design Risk Management Strategy
• Perform Gap Analysis
12. LEARNING FROM THE PAST: MARCH 28, 2015
Source: http://www.vanguardngr.com/2015/03/inec-website-hacked/
13. ELECTORAL PROCESS
1. Legal Framework
2. Planning & Implementation
3. Training & Education
4. Voter Registration
5. Election Campaign
6. Voting Operations & Election Day
7. Verification of Results
8. Post-Election
14. LEGAL FRAMEWORK
Constitution
Legislation
• Develop & Review Information Security Policies
• ISO/IEC 27001 Certification Standard, Section 5.1.1 & 5.1.2
Electoral System & Bodies
• Establish Procedures & Responsibilities
• Section 12.1
Codes of Conduct
• Personnel Security Management
• Logs to Record Security Events
• Sections 7 & 12.4
15. ENHANCING LEGAL FRAMEWORKS
Enhance electoral process roadmap with key performance indicators for all INEC staff:
• Address process issues to facilitate incremental improvements;
• Develop storyboards to track progress: Permanent Voters Card tracking mechanisms
Improve documentation of procedures and electronic accountability process:
• Track who did/ took/ got what and when?
Articulate a revised technology project management plan:
• Effective project accountability
17. IMPLEMENTATION ISSUES
Seek ways to add value to existing systems:
• Understand the fingerprint reader challenges & how to overcome these issues
Decide whether or not to develop a new voter register database:
• There have already been at least 3 voter database efforts;
• The current administration's lack of appetite for expenditure unless proven to be essential;
• INEC must explore possible alternative/ complementary funding sources & lower cost alternatives
For the existing voter registration databases INEC will need to decide whether to:
• Merge the existing databases;
• Use one or more databases; or
• Start afresh
18. TRAINING & EDUCATION
Operational Training for Election Officials
• Deliver information security awareness programs
• Section 7.2.2
Civic & Voter Education
• Deliver information security awareness programs
• Section 7.2.2
19. CAPACITY BUILDING
• Facilitate multi-stakeholder Electoral ecosystem
• eLearning and e-Library platforms for continuous capacity building of permanent and ad hoc staff
• e-courses & Apps on Electoral Process for Public Awareness
• Online crowdsourcing allows reporting of voting irregularities
• Information can even be plotted onto an interactive map online with dashboards
21. VOTER REGISTRATION MATTERS ARISING
Ensure INEC has requisite connectivity for online access and backup:
• Fibre Optic between Headquarters, Regional Data Centres & State Offices
• Wireless Connectivity between local Accreditation and Collation Equipment
The 3 voter registration database efforts include:
• Chairman Gubadia registration database with basic text
• Chairman Iwu database added voter pictures
• Chairman Jega database added fingerprint biometrics
Disparate Voter databases:
• Merging structurally different databases is inherently problematic
• Database clean-up process is challenging
ELECTION CAMPAIGN
Media Access
• Manage all user access rights
Code of Conduct
• Personnel Security Management
VERIFICATION OF VOTERS DURING ELECTIONS
Explore alternative ways to mitigate the challenges of voter accreditation/authentication, so as to compare biometric databases as part of the INEC data clean-up process:
• National Identity Management Commission
• Immigration
• Population Commission
• Central Bank of Nigeria (Bank Verification Number)
• Federal Road Safety Corps (Driver's Licence)
• Nigerian Communications Commission (SIM Card Registration)
Fully activate INEC regional data and card reader production & data backup centres:
• Umuahia
• Dutse
• Abeokuta
VOTING OPERATIONS & ELECTION DAY
Sub-processes: Special & External Voting; Voting; Voting Count
• Protect user authentication
• Control access to systems
• Cryptography Policy Management
• Physical Security Management
• Establish procedures and responsibilities
• Control your operational software
• Address your technical vulnerabilities
• Network Security Management
• Security Incident & Continuity Management
• Comply with security requirements
• Sections 9.3, 9.4, 10, 11, 12.1, 12.5, 12.6, 13, 16, 17, & 18.1
CARD READING PROCESS
“Card Reader” → “Read Card” → “Capture finger-prints” → Verify/Authorise → “Upload same to server?”
Many INEC applications are not online, including voter registration.
Ad hoc staff & non-core databases could be managed using cloud apps with regular backups to the various INEC data centres as a cost-cutting option.
Cloud processing options, while cost-effective, have risks and limitations and can only be used for selective activities.
VERIFICATION OF RESULTS
Tabulation of results
• Comply with legal requirements
• Section 18.1
Official result
• Information Access, Cryptography Policy, Physical Security, & Operational Security Management
• Protect information transfers
• Security Compliance Management
• Sections 9, 10, 11, 12, 13.2, & 18
AUTHENTICATION
Any method of verifying that someone is who they claim to be.
(Figure: the evolution of money: Cowries → Gold → Cash → Cards → Electronic → crypto-currency?)
POST-ELECTION
Audits & Evaluations
• Use logs to record events
• Identify & respond to incidents
• Sections 12.4 & 16.1
Legal Reform
• Security Policy Management
• Section 5
Archiving & research
• Information Access Management
• Section 9
ISO27001:2013 MATTERS ARISING
Compliance increases the probability of security but does NOT guarantee absolute security
Signifies managing security in line with standards
Weaknesses:
• Not following established processes
• Organizational commitment
• Lack of expertise
Requirements:
• Management's commitment
• Individual ownership & responsibility for information security
• Effective information security education & awareness
NEW VOTING TECHNOLOGY/ E-VOTING
Types of e-Voting systems:
• Punch-card: Holes punched into the ballot card next to the voter's choice
• Optical scan: An optical scanner reads and counts marked ballot papers
• Direct-recording electronic (DRE): The voter pushes a button or touch screen next to their choice. The DRE machine tabulates voting data stored in a removable memory component/printed copy/transmits it
• Internet: Use of the Internet to cast/transmit the vote. Remote Internet voting is uncontrolled; Polling Site Voting and Kiosk Voting are controlled
Considerations when selecting:
• Auditing
• Building Trust
• Design and Usability Aspects
• International Standards & Handbooks on E-Voting
• National Legislative Framework
• Open Source vs. Proprietary Software
• Secrecy of the Vote
• Verifiability
• Voter Authentication
Current realities:
• Voter-verified paper audit trail (VVPAT): Voting systems must have an auditable paper trail
• Mechanisms must be in place for detecting changes to votes
• Voting systems must not be subject to wide-scale service disruptions
• Infrastructure & human capacity limitations in Nigeria
EVOTING & INTERNET VOTING?
Section 52 of the Electoral Act, 2010
• “The use of electronic voting machine for the time being is prohibited.”
• Source: Electoral Act 2010, Section 52 Para 2
Estonia
• World's first national Internet election
• Internet voting used 7 times
Internet voting is vulnerable
• Cyber-attack & fraud
• Inherent weakness in hardware & software
• Manner in which the Internet is organized
Research found it possible to:
• Change votes,
• Compromise a secret ballot,
• Disrupt voting, or
• Cast doubt on the legitimacy of the election process
Unlikely that these vulnerabilities will be eliminated in the near future
Source: http://www.heritage.org/research/reports/2015/07/the-dangers-of-internet-voting
INTERNET VOTING FAILURES
California USA - California Internet Voting Task Force report:
• “additional technical innovations are necessary before remote Internet voting can be widely implemented….”
USA National Science Foundation - 2001 report:
• “remote Internet voting systems pose significant risk to the integrity of the voting process, and should not be fielded for use in public elections until substantial technical and social science issues are addressed.”
USA Pentagon Internet Voting Project report:
• “these vulnerabilities are fundamental in the architecture of the Internet and of the PC hardware and software that is ubiquitous today.”
Washington, D.C. USA 2010:
• A computer science professor and his students broke into the system, changed the results of the mock election, and “gained near-complete control” of the election server
France, 2013:
• Reporters from “the news site Metronews proved that it was easy to breach the allegedly strict security of the election and vote several times using different names.”
Norway: municipal elections in 2011 and 2013, but cancelled the project in 2014:
• citing security concerns and the government's conclusion that, contrary to expectations, the new system had not improved turnout.
Canada, 2014:
• “…voting over the Internet has a set of unique challenges that inevitably introduce a number of additional risks.”
Australia 2015:
• “…. uncovered severe vulnerabilities that could be leveraged to manipulate votes, violate ballot privacy, and subvert the verification mechanism.”
Spain held a referendum in Barcelona in 2010 using the Internet:
• “encountered problems in relation to voter identification and identity theft…”
Without major technological changes, there is almost no possibility that a secure Internet voting system can be designed for the foreseeable future. When combined with other less technical questions like equal access by voters to the Internet, Internet voting is definitely a technology whose time has not come—and may never come.
Source: Hans A. von Spakovsky http://www.heritage.org/research/reports/2015/07/the-dangers-of-internet-voting
CONCLUSION
• Adopt ISO 27001:2013
• Patronize indigenous solution providers
• Sanitize data (biometric)
• Clear procedures
• Implement IPv6
• Robust connectivity
• Caution on eVoting
• Research: Estonia, Australia, USA, France, Norway, Canada
for your attention
Thank you for your attention (Yoruba)
Thank you for your attention (Hausa)
Thank you for listening to us (Igbo)
info@consultancyss.com
Editor's Notes
19/07/2017
ISO 27001 is an international standard.
An electoral process is a formal decision-making activity where a population chooses an individual to hold public office.
However, it must meet global standards to be credible.
Both the ISO standards & our electoral processes flow in cycles, and in this presentation we will endeavour to demonstrate where they are congruent and complementary.
Democratic and electronic processes must be trusted by users to be effective.
To gain TRUST, both processes must display Transparency, Integrity, Accountability and Confidentiality.
TRANSPARENCY is fostered by the visibility of the key sub-processes.
Integrity includes preventing unauthorized modification of users' information and mechanisms to prevent unauthorized changes to data.
Furthermore, a critical source of security threats and vulnerability is the insider.
Confidentiality demands secure information transmission and a degree of anonymity for the users, e.g. voters.
Accountability auditing includes field, operational, accounting & related sub-processes.
ISO 27001:2013 is a reputable and trusted global platform that supports compliance with other regulations while facilitating secure sourcing, storage and exchange of information.
The optimal strategic approach to ISO implementation is to:
1. Define the implementation scope;
2. Draft the ISMS policy;
3. Determine the ISO 27001 maturity level;
4. Design the risk management strategy; &
5. Perform a gap analysis.
On 28 March 2015 the INEC website was hacked.
Thus we must consider the threats of what could happen in the context of what has already happened.
The electoral process in Nigeria has 8 phases, of which voting is only one aspect of a single phase.
In the case of the Nigerian Electoral Legal Framework, we have mapped it to Sections 5.1.1 & 5.1.2 of the ISO standard, which address certification standards that include the development & review of information security policies.
We suggest that INEC enhances its frameworks by:
1. Facilitating incremental improvements;
2. Improving documentation of procedures and electronic accountability; &
3. Articulating a revised technology project management plan.
Election planning & implementation require a high level of security management for, and by, INEC personnel, as well as strengthening the security of the various value and supply chains.
When implementing, we suggest that INEC:
1. Seek ways to add value to existing systems like the fingerprint reader;
2. Decide whether to develop a new voter register database or merge existing ones, noting that at least 3 voter database efforts have been made in the recent past;
3. Use one or more databases, or start the voter registration process afresh.
Various information security awareness programs need to be directed at:
1. Operational & election officials
2. Voters, candidates, other participants & the public at large.
We recommend that INEC training & education efforts focus on:
1. Facilitating a multi-stakeholder electoral ecosystem
2. eLearning and e-Library platforms for continuous capacity building of permanent and ad hoc staff
3. e-courses & apps on the electoral process for public awareness
4. A crowdsourcing system that allows reporting of irregularities, where information can be plotted onto online maps and dashboards.
The Voter Registration sub-process requires:
1. Physical Security Management
2. Operational Security Management
as defined in ISO 27001 Sections 9, 10, 11, 12, & 13.2.
Several matters arise from the Voter Registration phase, such as:
1. Types of connectivity.
2. Merging structurally different databases is inherently problematic, and the database clean-up process is challenging.
Story of multiprocessor video cards used for parallel processing in the clean-up of voter databases @ MIMOS Berhad, Malaysia.
Nigerian researchers and institutes can learn from MIMOS.
The Election Campaign sub-process requires:
1. Finesse in granting media access, as well as
2. Enforcement of a code of conduct for INEC and related officials.
President Buhari has had cause to wonder why Nigeria has so many different biometric databases.
This is cause for concern: what can be done once your biometric data has been compromised, e.g. copied by a miscreant onto an identity card with your name but their face/fingerprint, or vice versa?
How do we reset our biometric data once it has been compromised?
For the verification and clean-up of the voters' database we advise INEC to partner with:
1. National Identity Management Commission
2. National Population Commission
3. Nigerian Communications Commission (SIM Card Registration)
We further suggest that INEC fully activate its regional data, card production & data backup centres:
1. Umuahia,
2. Dutse, and
3. Abeokuta
On election day, transmitted data needs:
1. Cryptography Policy Management
2. Network Security Management
while any channels of communication used must comply with legal security requirements.
The card reading and voter authentication process remains unclear.
Are the user's biometric details uploaded to an INEC server in real time and then authenticated, or does the card reader “trust” the content of the card?
If so, what happens if a card has your name but a miscreant's face and fingerprint?
What is the consequence of losing trust in your voter's card?
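The card reading process slide and the question just raised are the same design point: a reader that trusts the card's own contents cannot tell a genuine card from one re-written with a miscreant's template. The Python below is an added example (not code from the presentation or from INEC's systems) contrasting that reader with one that first verifies an issuer tag binding the voter's name and ID to their fingerprint template, then checks the record against the central register, as the "upload to server" step would. Every key, voter ID, name and template here is a constructed placeholder, and the HMAC stands in for the asymmetric signature a real card scheme would carry.

```python
import hashlib
import hmac
import json

# Constructed placeholder secret; an HMAC stands in for the issuer's digital
# signature (a real scheme would let readers hold only a public key). This is
# an assumption for the example, not INEC's design.
ISSUER_KEY = b"constructed-issuer-key-not-real"

# Constructed fingerprint templates; real templates are vendor-specific blobs.
VOTER_FP = b"template:voter-ridge-pattern-A"
MISCREANT_FP = b"template:miscreant-ridge-pattern-B"


def fp_hash(template: bytes) -> str:
    """Hash of the enrolled template; only the hash is written onto the card."""
    return hashlib.sha256(template).hexdigest()


def canonical(record: dict) -> bytes:
    """Deterministic encoding so issuer and reader tag exactly the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def issue_card(voter_id: str, name: str, template: bytes) -> dict:
    """Issuer side: bind voter_id, name and template hash under one tag."""
    record = {"voter_id": voter_id, "name": name, "fp_hash": fp_hash(template)}
    tag = hmac.new(ISSUER_KEY, canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def trusting_reader(card: dict, live_template: bytes) -> bool:
    """Reader that trusts the card: compares the live scan with whatever the card says."""
    return card["record"]["fp_hash"] == fp_hash(live_template)


def verifying_reader(card: dict, live_template: bytes, register: dict) -> bool:
    """Reader that checks the issuer tag, then the central register, then the live scan."""
    expected = hmac.new(ISSUER_KEY, canonical(card["record"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, card["tag"]):
        return False  # card contents were altered after issuance
    rec = card["record"]
    if register.get(rec["voter_id"]) != rec["fp_hash"]:
        return False  # card does not match the enrolment record held centrally
    return rec["fp_hash"] == fp_hash(live_template)


# Constructed genuine card and the matching register entry the server would hold.
GENUINE = issue_card("NG-0001", "Ada Voter", VOTER_FP)
REGISTER = {"NG-0001": GENUINE["record"]["fp_hash"]}

# Constructed forged card: the legitimate name and ID, but the miscreant's template hash.
FORGED = {"record": dict(GENUINE["record"], fp_hash=fp_hash(MISCREANT_FP)),
          "tag": GENUINE["tag"]}

if __name__ == "__main__":
    print("trusting reader accepts forged card:", trusting_reader(FORGED, MISCREANT_FP))
    print("verifying reader accepts forged card:", verifying_reader(FORGED, MISCREANT_FP, REGISTER))
    print("verifying reader accepts genuine card:", verifying_reader(GENUINE, VOTER_FP, REGISTER))
```

The forged card passes the trusting reader because the live scan matches what the card claims; the verifying reader rejects it on the tag check alone, and would also reject a genuinely issued card presented with someone else's finger.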
It seems possible that some INEC applications could move online.
We suggest that:
1. Ad hoc staff & non-core databases could be managed using cloud apps with regular backups to the various INEC data centres as a cost-cutting option.
2. That said, we must caution that cloud processing options, while cost-effective, have risks and limitations and can only be used for selective activities.
The Verification of Results phase requires compliance with our nation's legal requirements and ISO standards.
The formal results must be secured physically and electronically prior to formal and controlled release.
Why is authentication a big deal?
What is authentication?
It is any method of verifying that someone is who they claim to be.
For a credible and acceptable election, only authenticated voters & their votes can count.
We now must ask ourselves “What is money?”
1. Money is a “trusted” INTERMEDIARY of value
2. Electronic currencies are replacing paper currency
Future electronic crypto-currencies will be based on authentication data, servers & infrastructure.
The new golden rule: “He who has the Authentication, Rules!!!”
Important post-election activities include:
1. Audits & evaluations, which rely on event and incident logs, especially when post-election tribunal forensic activities are initiated in line with our laws.
2. ISO 27001:2013 compliance is a plus to minimize INEC's liability.
3. Significant amounts of data, such as election data as well as voter biometric details and authentication log details, must be archived.
4. Subsequent research must depersonalise identification details.
These information access management requirements are guided by ISO 27001:2013.
We must note that:
1. Compliance with ISO 27001:2013 increases the probability of security but does NOT guarantee absolute security.
2. ISO 27001:2013 shows significant weaknesses when:
a. Established processes are NOT followed
b. Organizational commitment is low
c. There is a lack of expertise
3. ISO 27001:2013 requires individual, as well as organizational, ownership & responsibility for information security.
Nigerians have been discussing new voting technology/e-Voting:
1. There are several types of e‑Voting systems.
2. We note that Internet voting is a subset of e-Voting.
Nigeria must consider the following when selecting an e‑Voting system:
1. Design and usability aspects
2. International standards on e-Voting
3. National legislative framework
Our current realities demand that we consider as priority:
1. Voting systems must have an auditable paper trail
2. Mechanisms must be in place for detecting changes to votes
3. Voting systems must not be subject to wide-scale service disruptions
4. Infrastructure & human capacity limitations in Nigeria
Section 52, Para 2, of the Electoral Act, 2010 states that “The use of electronic voting machine for the time being is prohibited.”
Current e‑Voting systems have challenges:
1. Take the case of Estonia, which claims to have held the world's first national Internet election and has used Internet voting 7 times so far.
2. Subsequent research has found it possible to cast doubt on the legitimacy of the election process.
We note that Internet voting is vulnerable due to:
1. Inherent weaknesses in current hardware & software systems
2. The manner in which the Internet is organized
As is often the case, the challenge is more about people than systems.
Unfortunately, it is unlikely that these vulnerabilities will be eliminated in the near future.
In 2008, 32 respected computer scientists & technologists issued a Statement on Internet Voting.
They recommended that Internet voting not be adopted until and unless the “…. technical challenges have been overcome.”
The challenges listed included:
Preventing malicious software, firmware, or hardware that can change, fabricate, or delete votes, deceive the user in myriad ways including modifying the ballot presentation, leaking information about votes to enable voter coercion, preventing or discouraging voting, or performing online electioneering;
We must find strong mechanisms to prevent changes to votes not only by outsiders, but also by insiders such as:
1. equipment manufacturers,
2. technicians,
3. system administrators, and
4. election officials who have legitimate access to election software and data;
Furthermore, research has found that Internet voting did NOT increase voter participation.
Internet voting is definitely a technology whose time has not come—and may never come.
Our recommendations to the Nigerian electoral process, and INEC in particular, are:
1. Adopt ISO 27001:2013
2. Patronize indigenous solution providers
3. Sanitize biometric databases
4. Employ clear procedures
5. Implement Internet Protocol version 6 (IPv6)
6. Ensure robust & secure connectivity at all levels
7. Exercise caution on e-Voting & follow the ongoing research in Estonia, Australia, USA, France, Norway and Canada, as well as funding indigenous e-Voting research initiatives.