California Code of Regulations
Title 2 - Administration
Division 7 - Secretary of State
Chapter 16 - Political Reform
Article 1 - Cal-Access Software Vendor Certification
Section 22704 - Certified Software Vendor Security

Universal Citation: 2 CA Code of Regs 22704

Current through Register 2024 Notice Reg. No. 38, September 20, 2024

(a) Each certified software vendor shall protect the security and integrity of the data and information stored on its servers and transmitted to CAL-ACCESS through its servers.

(b) Each certified software vendor shall provide annual privacy training related to protecting filer information and security awareness training related to protecting its electronic filing system and filer data to all its staff and contractors, if any, who have access to its servers that host its electronic filing system or who make code changes to its electronic filing system.

(c) Each certified software vendor shall take the following security measures to ensure the security of its electronic filing system, to the extent that system is hosted on its servers, as well as the security of all systems used to make code changes to its electronic filing system:

(1) The servers shall be hardened to industry best practices.

(2) The servers shall have anti-malware software installed and configured, and updates regularly applied.

(3) Direct user access to the servers shall require, at a minimum, two-factor authentication.

(d) Each certified software vendor shall implement security log management on its servers that host its electronic filing system as well as all systems used to make code changes to its electronic filing system by:

(1) Enabling logging on all systems and network devices with sufficient information collection.

(2) Reviewing logs regularly for any errors, abnormal activities, and any system configuration changes.

(3) Securely storing log files separately from the systems monitored and protect the logs from unauthorized modification, access, or destruction.

(4) Using log monitoring tools to send real-time alerts and notifications.

(5) Utilizing multiple synchronized United States-based time sources.

(e) Each certified software vendor shall report detected unauthorized use or unscheduled unavailability outages of any of its servers that host its electronic filing system or are used to make code changes to its electronic filing system to the Secretary of State within one (1) business day of discovery.

(f) A certified software vendor shall not be responsible for the security of the systems of filers who use its electronic filing system.

(g) The requirements in this section do not apply to filers who use an electronic filing system.

1. New section filed 11-12-2020; operative 11-12-2020 pursuant to Government Code section 11343.4(b)(3) (Register 2020, No. 46). Filing deadline specified in Government Code section 11349.3(a) extended 60 calendar days pursuant to Executive Order N-40-20.

Note: Authority cited: Section 84602, Government Code. Reference: Section 84602, Government Code.
