DISTRICT OF COLUMBIA BOARD OF ELECTIONS WASHINGTON, D.C. 20001-2745 FOR IMMEDIATE RELEASE October 13, 2016 Contact: Tamara L. Robinson (202) 442-4966; press@dcboee.org District of Columbia Board of Elections Statement on Cybersecurity The District of Columbia Board of Elections’ (DCBOE) Voter Registration System, also known as Integrity, resides within a private network within the District Government’s internal network. The Office of the Chief Technology Officer (OCTO) protects, monitors, and controls the external perimeter of all District Government agency networks. OCTO’s Citywide Information Technology Security Department (CWITS) protects all District Government agencies with services such as Intrusion Detections, Monitoring Services, and Firewall services which block unwanted and malicious traffic. Even though our external perimeter is protected and monitored by CWITS, DCBOE has in place its own firewall services installed to stop unwanted and malicious traffic from entering our internal network. All of our servers are protected by Anti-Virus and malware protection, scanned for vulnerabilities, and monitored for abnormal behaviors. There are no direct connections between any external systems and Integrity. Only internal DCBOE staff members, who have been provided access due to their assigned roles, may access Integrity and the internal network using our assigned credentials. All import data from our mobile application or external partners are validated prior to entering Integrity. Any data which is irregular or otherwise does not meet applicable security standards is tracked and discarded. The following information is in relation to VOTEM our current Mobile application vendor: A. Website Security In order to protect connections to our website, Votem uses the Hypertext Transfer Protocol Secure. Hypertext Transfer Protocol Secure (HTTPS) is a combination of the Hypertext Transfer Protocol with the SSL/TLS protocol to provide encryption and secure identification of the server. This is then coupled with an SSL certificate that guarantees the user is in fact connecting to our servers. HTTPS connections are often used for payment transactions on the World Wide Web and for sensitive transactions in corporate information systems. B. Data Security Our data security policies are centered on privacy and protection of personal data. Some of the measures in place to secure access to the data include: multi-level roles for system access, strong password protection for web access, and time out at for idle users. ---more--- Data is encrypted while sent through SSL/TLS protocols and while it is briefly present in the database. All cryptographic functionality is implemented using (National Institute of Standards and Technology) NIST-approved cryptographic algorithms and schemas. Voter selections made on smart phones or tablets are stored in the mobile device itself in a temporary cache and never pass through the internet containing information identifying the specific voter. This cache is promptly cleared after the submission has been made or if the application is closed. Voter selections made on a computer web browser are stored in a temporary cache on the server as the voter makes their selections, then wiped from memory when the voter finishes and closes. When a voter finishes using the system, the temporary cache clears and the sensitive information is erased. C. Architectural Security Our network architecture and infrastructure guards against security threats through multiple safeguards. For example, IP address restrictions are used to monitor access to all the data points. Our system establishes a firewall between testing data and actual data this prevents our programmers and testers from viewing or alters an actual voter’s data during testing or debugging phases. Votem services are hosted on Microsoft’s Secure eGovernment Cloud Platform and are protected by Microsoft’s 228bit encryption and world-class security standards. Microsoft uses industry standard access mechanisms to protect Votem’s applications and its data located in their datacenter facilities. We are confident that voters will have a positive voting experience on Election Day in the District of Columbia. The District of Columbia Board of Elections is an independent agency of the District government responsible for the administration of elections, ballot access, and voter registration. ###