SEQUOIA VOTING SYSTEMS: MAINTAINING THE QUALITY OF THE VOTE
Quality Systems Update
12/8/2008
BY LAURA SMITH
Sequoia Voting Systems Inc. is one of the largest developers and manufacturers of voting technologies and infrastructures in the United States. It operates offices in California, Colorado, and New York, and in 1890 produced the first lever-based mechanical voting equipment used in the United States. In 2004, Sequoia was the first organization in its market to incorporate Voter Verified Paper Audit Trail technology into its voting equipment for live elections. In this month's presidential election, Sequoia deployed more than 100,000 of its voting machines to 17 states and the District of Columbia.
In an effort to maximize the security of its information and products, all four of Sequoia's facilities are registered to ISO 27001. Its Denver headquarters and Oakland, California, area development office were registered in November 2007, and its Porterville, California, ballot printing facility and Chicago office were registered soon after.
Here, Ed Smith, Sequoia's vice president for quality, compliance, certification, and manufacturing, discusses the road to certification and how it has improved U.S. voter security.
1) Why did Sequoia decide to pursue registration to ISO 27001?
Elections are critical, both in terms of time and importance to society. Unlike in other technology departments, such as during a server upgrade, Election Day cannot be pushed out a day or two simply because a component did not arrive or because a database was not ready. More important, Election Day cannot be delayed or called into question due to an intrusion into the jurisdiction's voting system. The voting technology currently deployed in the United States includes the familiar electronic voting machines (most of which are touchscreen units) and the election-central infrastructures used by different jurisdictions, which is less familiar to the public. Election-central infrastructure is an isolated network that contains the jurisdiction's geographic information relative to elections, the various software applications that enable election workflow to proceed from election definition to election night reporting, post-election canvass, and verification of the results. The ISO 27001 registration that Sequoia holds is a framework for secure elections. The standard includes such salient aspects as secure networking within the confines of the jurisdiction and business continuity to guard elections in case of a disastrous event that could delay elections.
2) How has the registration affected the business?
Our ISO 27001 registration has raised the awareness of our staff to likely means of attacks on our systems, how to maintain legal compliance with copyrights, and how to be more secure when working from home offices and while traveling. Our information security training also contains elements of home-computing security, such as how to avoid phishing and other scams. We communicate this information to our customers in an effort to help educate them on security. In 2009, we plan to do more work to communicate the importance of preventive security measures and to elevate the level of external communication on our ISO 27001 registration in an effort to differentiate our company from others in our market.
3) Were there challenges to earn the registration?
Sequoia had many of the requirements of ISO 27001 in place due to requirements imposed on voting systems by the federal government and various state governments. This was of tremendous assistance in progressing to registration. Challenges did emerge in dispelling the mindset that ISO is a "paperwork mill," i.e., much work generating records for little value added to the organization. At Sequoia, this myth was initiated by prior experiences with ISO 9000 consultants who did provide a paper-intensive, less practical quality system implementation. By contrast, when Sequoia's management was shown that attaining registration to ISO 27001 could be done by extending what was already being done toward information security, management support and employee buy-in followed. Another challenge was the diversity of operations that Sequoia Voting Systems performs in support of elections. The four facilities registered contain such diverse functional areas as product development, corporate management, and ballot printing. Additionally, our facility in Chicago is in place to serve Sequoia's largest customer. Two of the facilities are specialized to ballot printing and field service. The very different missions of each facility cause differences in staff training, procedures, and slight differences in information security systems implementation.
4) Do you think your registration to ISO 27001 prevented or minimized any problems you might have had?
Yes, it has both prevented and minimized issues. The staff training that came along with the registration effort has prevented network intrusions and malware infections. Attempts to infect our information technology system have been reported to the compliance department before they manifested as infestations. Internal auditing uncovered some file shares that could have allowed unauthorized access to Sequoia financial records. An interdepartmental effort of quality assurance, development, and compliance resulted in the development of an operating system method and procedure for jurisdictions to employ to harden their election-central infrastructures. This hardening was deployed in multiple states for this month's election. Concepts from ISO 27001 have affected product development and aided developers in defining new security measures and methods. Sequoia's voting products currently in federal certification testing contain many new security features. The subsequent generation of our product line has further refinement, a testament to continuous improvement and attention to market requirements.