Data And Security

• • • • • • • Ability to enable Multi-factor authentication on account login. 
            • Password requirements based on latest security recommendations.
            • Role based account setups.
            • Ability to add/restrict access to reports (as needed).
            • Each pollbook (laptop) is assigned its own encrypted license key.
            • The system will work, even if there is no WiFi access.

For More Information

Click here to download our security implementation overview. 

Preparation

Within our SAAS operations, currently hosted within the Amazon Web Services environment, we have implemented multiple layers of security between the various infrastructure resources we are operating to ensure that customer and voter data is protected and only accessible to those systems that need it. In addition, we implement a least privilege model for personnel as it relates to data access, only those staff that need access to specific data have access to it for either account maintenance or troubleshooting purposes. Regarding user accounts, all user accounts are protected with encryption, at no time do we have access to any user’s password, for example. Customers can enable Multi-Factor Authentication (MFA) on their accounts, which we encourage. The login process uses smart detection to prompt for a one-time passcode upon login. The one-time passcode is obtained through a mobile phone application such as Authenticator and registered to that user account in Voter CheckList^TM.

Identification

CBT takes the responsibility to monitor our platform for any data or security breaches and to act and respond to any potential data or security breaches reported by our customers. If we discover a data breach or security event that impacts any customer, we will notify those customers affected within 24 hours of such an event. Customers take the responsibility to notify CBT of any potential data or security breaches in our platform by contacting us as soon as possible upon the discovery of a potential breach.

Containment

In the event of a data or security breach, CBT will take immediate action to identify the specifics of a data or security incident and work to immediately identify the specific of the problem, and contain the problem, up to and including any service interruptions needed to prevent further damage.

Eradication

In the event of a data or security breach, after CBT has contained any data or security breach, the necessary snapshots of the event and/or systems affected, will be captured, and documented to allow for further investigation, up to and including any necessary law enforcement intervention/investigation needed. At this point in time, in parallel with any cleanup efforts, any affected customer will be notified
with relevant details of a data or security incident and the effects it has on that customer.

Recovery

After a data or security breach has been contained and eradicated, CBT will begin recovery efforts to restore our services to normal operation. Part of this recovery will include building out any immediate, additional protected needed to continue operations and to help further prevent the same breach from occurring again.

Learning

As part of CBT’s short- and long-term strategies, enhancements to the platform will be considered planned out, implemented, and deployed to our platforms. As part of this strategy, CBT continuously looks at data protection and platform security as part of our normal operations.

Re-testing

CBT implements a standard Software Development Lifecycle which in large part includes the testing of all features and changes that go into our production platform. This testing includes re-testing any previously known data or security breach fixes (there have been no breaches to date, 8/31/2023).