Category Archives: Risk Assessment

Hacking the Election

voting-machine

Can an election be hacked? The short answer. Yes. I’d like to say it is more difficult than some suggest, but more and more reports point to it occurring.

Over the last several weeks we have watched security experts on both sides of this issue comment about the potential of electronic voting machines to be hacked. But the most interesting and telling thing in all of this is how the Department of Homeland Security wants to take control of the elections.

The most compelling arguments on both sides show how difficult it would be to pull off a successful hack. Why? Because each State utilizes its own systems and methods for one. Election machines are usually off-line, locked in a secured room, and have security cameras on them.

In another case, some security professionals have proven that elections and voting machines are vulnerable and can be hacked in just 7 minutes. With that said, it has been reported that hackers have already targeted election systems in 20 States.

My take on this is that yes, voting machines can be hacked, and new additional controls need to be implemented in securing both the machines and the electoral process. Though having DHS taking control over that process eliminates current controls and adds another scary factor.

As we have seen in the past it is possible to rig or even hack elections. In 1968 a major glitch or error occurred giving Dick Gregory millions of votes. While an investigation failed to find any issues the blame was placed on programming. There is or was no REAL explanation of what happened. In fact, that election was so close – it may have just been a successful hack of the election for all we really know. Though that is speculation on my part.

In recent years we have seen the voting of cartoon characters, the deceased, and now illegals. We have also seen more votes cast than exists in the precinct population.

As I mentioned before there are sudden calls to have the entire Election process to now be controlled by the DHS. So who is trying to control the election?

What if it is people within our own Government or other actors within our Country that want to hack the election? Putting All the machines and the entire election process under DHS makes it easier if you ask me. Perhaps it is already being done.

Tagged , , , , ,

Risk Assessment or Business Impact Analysis, Which Comes First?

This is a topic of great debate, and is the chicken or the egg question for contingency planners everywhere. Recently, I was asked to share an infographic that placed the Business Impact Analysis before the Risk Assessment. While there is nothing wrong with the graphic, and you can see it, Disaster Recovery infographic by Singlehop I am in some disagreement with the placement.

Interestingly enough, I just had a conversation with a colleague, whom I respect, and that works for another large company that provides business continuity and disaster recovery services, on this very topic.

With the creation of the ISO 22301, which does not specifically address the order, but does mention BIA’s first, many businesses are now conducting the BIA first. Here is my personal and professional opinion on why this is both wrong, and a mistake.

Whenever I work with a business, and we are conducting an analysis on their risks and associated impacts, we always do the risk analysis/risk assessment first. I have a great many reasons for doing it in this way, but let me share just a snippet of why we do it this way.

First, let’s look at the Risk Assessment. The Risk Assessment looks at a given hazard. It measures both, the potential likelihood of the hazard occurring, and the potential impact it may have on the business. This provides you with some system of measurement on how great the risk to your business the hazard will be.

I just want to mention here that there are many methods of scoring the actual measurement to achieve, or arrive at a final hazard score. For instance the National Fire Protection Association (NFPA) 1600 utilizes a method of scoring of High (H), Medium (M), Low (L) for probability of occurrence and the same H, M, L for impact. This provides a score, such as, ML which would be equal to Medium probability of Occurrence with a Low impact.

I use a slightly modified version of the NFPA 1600 model that I developed over the years, but it is generally the same idea. Once we look at all the potential known hazards we take the top 10, top 5, and top 3 hazards respectively to know which hazards are the biggest known threats to the business.

This process allows us to have a high-level overview of what the greatest risks are to the business, and what the potential impact will be.

Once we arrive here, it is time to take a deep dive into the impact the top threats will have on your business. It also provides us a potential outline of events that are likely to cause major disruptions to the business. This provides us with a scenario to use for context during the Business Impact Analysis.

During the deep dive into the Business Impact Analysis you will look at each individual process, individuals and applications that support each process, the interdependencies between departments and each process has upon each other, the financial impact to the business if this process is disrupted, additional financial impact of fines, penalties, SLA’s, and contractual agreements. Does this process need to be recovered immediately? Can it wait? Should it be on hold indefinitely until operations return to normal? What is the recovery costs associated with each process?

The Business Impact Analysis gets into such fine details of each business process and business unit that it can itself become a disruption. This is why they are done only every couple of years. Usually two years being the norm, but some companies may do them only every five years.

The Risk Assessment, being such a high-level overview can be done monthly, quarterly, or even yearly, with little to no disruption to the businesses normal operations. It also provides an excellent way of tracking emerging and future threats to the business.

I hope with this you can see where I am coming from, and why a risk assessment should be done both first, and more frequently. Also, as a big proponent of the NFPA 1600 standard, if you have the book, Implementing NFPA 1600 National Preparedness Standard, turning to page 12, and page 19 respectively provides an ordered list where the Risk Assessment comes before the Business Impact Analysis.

The NFPA 1600 Section number 5.3 on Risk Assessments also provides an ordered list of steps that includes identifying hazards, Assess the vulnerability, Analyze the potential impact, and then lastly to conduct a Business Impact Analysis to determine business continuity and recovery strategies.

Tagged , , , ,