Compilation of Rules and Regulations of the State of Georgia
Department 590 - RULES OF OFFICE OF SECRETARY OF STATE
Chapter 590-8 - ELECTIONS DIVISION
Subject 590-8-3 - SECURITY OF VOTER REGISTRATION SYSTEM
Rule 590-8-3-.01 - Standards for Security of Voter Registration System

Current through Rules and Regulations filed through March 20, 2024

(a) Definitions:

(1) "User" means a state or county employee who was credentialed access to the Voter Registration Application.

(2) "Voter Registration Application" means the state maintained application used by county registrars to process voter registrations in Georgia in order to maintain a list of eligible and qualified voters. The Voter Registration Application does not include public-facing websites like My Voter Page or Online Voter Registration.

(3) "Voter Registration Database" means the state maintained data repository that houses the list of eligible and qualified voters entered into the Voter Registration Application.

(4) "Voter Registration System" means both the Voter Registration Application and the Voter Registration Database.

(b) Security of the Voter Registration System is vital to the administration of elections in Georgia. As such, the system shall be maintained in a manner that is consistent with the following security standards:

(1) Hardware/infrastructure assets utilized to host the Voter Registration Database shall be inventoried.

(2) Anti-malware software and endpoint protection with centralized reporting shall be utilized. Export files created from the Voter Registration System for use in other election systems shall be scanned with anti-malware software prior to distribution.

(3) All server patch requirements shall be reviewed in a timely fashion and needed patches shall be applied.

(4) The Voter Registration Application shall utilize trusted certificates for any public-facing websites.

(5) All remote connections to the Voter Registration Database shall use secure protocols.

(6) The Voter Registration Database shall utilize firewalls that shall be configured in a manner that blocks known malicious or suspicious traffic by default.

(7) The network hosting the Voter Registration Database shall be segmented in a manner that protects and isolates data.

(8) The network hosting the Voter Registration Database shall utilize intrusion detection systems such as MS-ISAC's Albert sensor.

(9) The network hosting the Voter Registration Database shall be regularly scanned to ensure only authorized devices are connected to the network. These scans should include both internal and external facing assets.

(10) The network hosting the Voter Registration Database shall be regularly scanned for vulnerabilities.

(11) Regular port scans shall be conducted to ensure that only required ports are open to the database.

(12) Server audit logs shall be securely archived for a period of no less than 60 days.

(13) Key system logs shall be reviewed on a regular basis in order to attempt to identify anomalies or abnormal events.

(14) The Voter Registration Database shall be securely backed up on at least a daily basis. Such backups shall be encrypted and securely stored for at least 60 days.

(15) Any potential cybersecurity incident or event detected in the Voter Registration System shall be handled in a manner that is consistent with the Secretary of State Incident Response Plan.

(16) A direct contact shall be kept on file for every network service provider and third-party vendor.

(17) The Voter Registration Database shall have a disaster recovery system.

(18) All Users of the Voter Registration Application shall complete regular cybersecurity training.

(19) All Users of the Voter Registration Application shall have unique User IDs.

(20) User credentials shall be encrypted or hashed.

(21) Multi-factor authentication shall be required for all Users of the Voter Registration Application.

(22) All Users of the Voter Registration Application are required to have strong passwords as defined by Secretary of State Information Technology standards.

(23) Users shall be automatically logged off the application after a period of inactivity.

(24) User accounts shall be regularly reviewed and disabled if inactive for more than 75 days.

(25) Access for any User shall be able to be immediately revoked.

(26) Administrative access shall be limited to the minimum number of required Users, and no administrative User shall be able to access the system with default credentials.

(27) No Secretary of State employee shall be a User of the Voter Registration Application unless he or she has passed a criminal background check.

(c) Assessments:

(1) The Secretary of State shall conduct or have conducted regular cybersecurity assessments of the Voter Registration System.

(2) Any vendor who has access to the Voter Registration System shall conduct regular assessments of the security of their network environment that interfaces with the Voter Registration System. The results of these assessments shall be provided to the Secretary of State upon request. The Secretary of State shall have the right to audit the network security of any vendor who has access to the Voter Registration System.

(d) Certification of Substantial Compliance:

(1) No later than December 31 of every calendar year, the Secretary of State shall certify that:

A. The Voter Registration System is being maintained in a manner consistent with the standards set forth in subsection (b) of this rule; and,

B. That the standards set forth in subsection (b) have been reviewed to ensure that they remain generally consistent with industry standards.

(2) The Secretary of State shall require vendors who have access to the Voter Registration System to certify to the Secretary that they are in substantial compliance with sections (b) and (c) of this rule and the Secretary may rely on that certification in issuing his or her own certification.

O.C.G.A. §§ 45-13-20(14.1), 21-2-211.
