Current through Register 2024 Notice Reg. No. 12, March 22, 2024
(a) Each county shall protect the confidentiality, integrity, and availability of
the data and the election information system authorized to process, store, and
transmit voter registration data. This system shall utilize system hardening
and resilient architecture by means of redundancy, high availability, or other
fault-tolerant methodologies.
(b) Each county shall provide annual privacy and security awareness training to
all staff and contractors, if any, utilizing its county voter registration and
election information system in accordance with State Administrative Manual
sections 5320 -- 5320.2 and the Information Practices Act of 1977 (Civil Code
section 1798, et seq.).
(c) Each county shall complete a security assessment of its election information
system prior to a statewide primary election. The security assessment shall
evaluate the:
(1) Active management (inventory,
tracking, and correction) of all hardware devices on the network so that only
authorized devices are given access, and unauthorized and unmanaged devices are
found and prevented from gaining access.
(2) Active management (inventory, tracking,
and correction) of all software on the network so that only authorized software
is installed and can execute, and unauthorized and unmanaged software is found
and prevented from installation or execution.
(3) Establishment, implementation, and active
management (tracking, reporting, and correction) of the security configuration
of laptops, servers, and workstations in order to prevent attackers from
exploiting vulnerable services and settings.
(4) Continuous acquisition, assessment, and
action on new threats in order to identify vulnerabilities, and to remediate
and minimize opportunity for attacks.
(5) Tracking, control, prevention, and
correction of the use, assignment, and configuration of administrative
privileges on computers, networks, and applications.
(6) Collection, active management, and
analysis of audit logs of events that could help detect, understand, or recover
from an attack.
(7) Minimization of
opportunities for attackers to manipulate human behavior through their
interaction with web browsers and e-mail systems.
(8) Control of the installation, spread, and
execution of malicious code at multiple points in the election information
system, while optimizing the use of automation to enable rapid updating of
defense, data gathering, and corrective action.
(9) Active management (tracking, control, and
correction) of the ongoing operational use of ports, protocols, and services on
networked devices in order to minimize vulnerabilities available for
attack.
(10) Proper backup of
critical data to allow for timely recovery. Backups shall be made at least
every 24 hours. Backups for counties with more than 50,000 registered voters as
of the last Report of Registration are recommended more frequently. Each county
shall review critical data backup and recovery procedures to ensure the backups
are not stored on the same servers hosting the county voter registration and
election information system, and that restoration procedures are detailed and
complete.
(11) Establishment,
implementation, and active management (tracking, reporting, and correction) of
the security configuration of network infrastructure devices in order to
prevent attacks exploiting vulnerable services and settings.
(12) Detection, prevention, and correction of
the flow of information transferring between networks of different trust levels
with a focus on security-damaging data.
(13) Prevention of data exfiltration,
mitigating the effects of exfiltrated data, and ensuring the privacy and
integrity of sensitive information.
(14) Tracking, controlling, preventing,
correcting, and securing access to critical assets (e.g., information,
resources, systems) according to the formal determination of which persons,
computers, and applications have a need and right to access these critical
assets.
(15) Tracking, controlling,
preventing, and correcting the security use of wireless local area networks,
access points, and wireless client systems.
(16) Active management of the life-cycle of
system and application accounts -- their creation, use, dormancy, deletion --
in order to minimize opportunities for attackers to leverage them.
(17) Identification of the specific
knowledge, skills, and abilities needed to support defense of the election
information system; development and execution of an integrated plan to assess,
identify and remediate gaps, through policy, organizational planning, training,
and awareness programs for all functional roles in the organization.
(18) Active management of the security
life-cycle of all in-house developed and acquired software in order to prevent,
detect, and correct security weaknesses.
(19) Protection of the organization's
information, by developing and implementing an incident response infrastructure
(e.g., plans, defined roles, training, communications, and management
oversight).
(20) Testing of the
overall strength of an organization's defenses (technology, processes, and
people) by simulating the objectives and actions of an
attacker.
(d) Each county
and its EMS vendor shall take the following security measures to provide
security for the county's EMS and election information system, as well as for
environments that interface with the statewide voter registration system and/or
contain statewide voter registration system data:
(1) At all times servers hosting county voter
registration and election information systems including the county's EMS as
well as any Secretary of State property, such as routers, shall be secured in a
designated area away from public access. The designated area shall be secured
with a method to determine the identity of each person that has accessed the
designated area and unauthorized access to this designated area must be
detectable.
(2) Only staff
authorized by the county shall have physical access to servers hosting the
county's EMS and election information system, including servers containing the
county's EMS as well as any Secretary of State property, such as
routers.
(3) The county's EMS and
election information system shall only be accessible by persons authorized by
the county.
(4) No peripheral
devices (e.g., disks, flash drives, smartphones, etc.) shall be attached to
Secretary of State property, such as routers, installed at the
county.
(5) Secretary of State
property, such as routers, installed at the county shall be exclusively for
interaction with the Secretary of State, and shall not be used for other
county purposes.
(6) The servers
hosting the county EMS and election information system shall be running an
operating system under mainstream support with critical and high security
patches and updates applied at least monthly. All servers shall otherwise be
hardened to industry best practices and government standards.
(7) The county's EMS and election information
system shall be installed and operated on a service account separate from any
other services.
(8) The county's
EMS and election information system shall have anti-malware software installed
and configured, and updates regularly applied.
(9) Counties shall encrypt all voter
registration and election information system data whenever stored in
non-volatile memory and whenever in transit between system components or
through facilities not contracted directly to the county or the Secretary of
State.
(10) All backup copies of
county voter registration and election information system data, including
images, shall be encrypted. Counties shall avoid the use of removable, portable
media such as tape cartridges or DVD/ROM for data backup unless approved in
writing by the Secretary of State based on the unique circumstances of the
county, such as its information technology resources.
(11) Data encryption shall be compliant with
National Institute of Standards and Technology Special Publication 800-175B,
Guideline for Using Cryptographic Standards in the Federal Government, with
preferred utilization of Advanced Encryption Standard (published August, 2016;
incorporated by reference). However, effective July 1, 2021, the county and its
EMS vendor shall use Federal Information Processing Standards Publication 140-2
(FIPS 140-2) for data encryption for the county's EMS and election information
system, as well as for environments that interface with the statewide voter
registration system and/or contain statewide voter registration system data
(Published May 25, 2001; incorporated by reference).
(12) Direct user access to the county's EMS
and election information system shall require, at a minimum, single sign-on
authentication. However, effective July 1, 2021, direct user access to the
county's EMS and election information system shall require, at a minimum, two
(2) sign-on authentications.
(e) The county's EMS and election information
system shall implement security log management, which includes the following:
(1) Log all systems and network devices with
sufficient information collection.
(2) Securely store log files separately from
the systems monitored, keep these files archived, and protect these files from
unauthorized modification, access, or destruction.
(3) Use log monitoring tools to send
real-time alerts and notifications.
(4) Utilize multiple synchronized United
States-based time sources.
(f) Counties shall regularly review log(s)
for any errors, abnormal activities, and any system configuration
changes.
(g) Counties shall report
detected unauthorized use, suspected breach, or denial of service attack on the
county's EMS and election information system to the Secretary of State
Elections Division Help Desk within 24 hours of discovery.
1. New section filed 8-27-2020; operative 8-27-2020 pursuant to Government Code
section 11343.4(b)(3). Filing deadline specified in Government Code section
11349.3(a) extended 60 days pursuant to Executive Order N-40-20 and an
additional 60 days pursuant to Executive Order N-66-20 (Register 2020, No. 35).
Note: Authority cited: Section 12172.5, Government Code; and Sections 10 and
2168, Elections Code. Reference: 52 U.S.C. Section 21083.