Compilation of Rules and Regulations of the State of Georgia
Department 590 - RULES OF OFFICE OF SECRETARY OF STATE
Chapter 590-8 - ELECTIONS DIVISION
Subject 590-8-3 - SECURITY OF VOTER REGISTRATION SYSTEM
Rule 590-8-3-.01 - Standards for Security of Voter Registration System
Universal Citation: GA Rules and Regs r 590-8-3-.01
Current through Rules and Regulations filed through March 20, 2024
(a) Definitions:
(1) "User" means a state or county employee who was credentialed access to the Voter Registration Application.
(2) "Voter Registration Application" means the state maintained application used by county registrars to process voter registrations in Georgia in order to maintain a list of eligible and qualified voters. The Voter Registration Application does not include public-facing websites like My Voter Page or Online Voter Registration.
(3) "Voter Registration Database" means the state maintained data repository that houses the list of eligible and qualified voters entered into the Voter Registration Application.
(4) "Voter Registration System" means both the Voter Registration Application and the Voter Registration Database.
(b) Security of the Voter Registration System is vital to the administration of elections in Georgia. As such, the system shall be maintained in a manner that is consistent with the following security standards:
(1) Hardware/infrastructure assets utilized to host the Voter Registration Database shall be inventoried.
(2) Anti-malware software and endpoint protection with centralized reporting shall be utilized. Export files created from the Voter Registration System for use in other election systems shall be scanned with anti-malware software prior to distribution.
(3) All server patch requirements shall be reviewed in a timely fashion and needed patches shall be applied.
(4) The Voter Registration Application shall utilize trusted certificates for any public-facing websites.
(5) All remote connections to the Voter Registration Database shall use secure protocols.
(6) The Voter Registration Database shall utilize firewalls that shall be configured in a manner that blocks known malicious or suspicious traffic by default.
(7) The network hosting the Voter Registration Database shall be segmented in a manner that protects and isolates data.
(8) The network hosting the Voter Registration Database shall utilize intrusion detection systems such as MS-ISAC's Albert sensor.
(9) The network hosting the Voter Registration Database shall be regularly scanned to ensure only authorized devices are connected to the network. These scans should include both internal and external facing assets.
(10) The network hosting the Voter Registration Database shall be regularly scanned for vulnerabilities.
(11) Regular port scans shall be conducted to ensure that only required ports are open to the database.
(12) Server audit logs shall be securely archived for a period of no less than 60 days.
(13) Key system logs shall be reviewed on a regular basis in order to attempt to identify anomalies or abnormal events.
(14) The Voter Registration Database shall be securely backed up on at least a daily basis. Such backups shall be encrypted and securely stored for at least 60 days.
(15) Any potential cybersecurity incident or event detected in the Voter Registration System shall be handled in a manner that is consistent with the Secretary of State Incident Response Plan.
(16) A direct contact shall be kept on file for every network service provider and third-party vendor.
(17) The Voter Registration Database shall have a disaster recovery system.
(18) All Users of the Voter Registration Application shall complete regular cybersecurity training.
(19) All Users of the Voter Registration Application shall have unique User IDs.
(20) User credentials shall be encrypted or hashed.
(21) Multi-factor authentication shall be required for all Users of the Voter Registration Application.
(22) All Users of the Voter Registration Application are required to have strong passwords as defined by Secretary of State Information Technology standards.
(23) Users shall be automatically logged off the application after a period of inactivity.
(24) User accounts shall be regularly reviewed and disabled if inactive for more than 75 days.
(25) Access for any User shall be able to be immediately revoked.
(26) Administrative access shall be limited to the minimum number of required Users, and no administrative User shall be able to access the system with default credentials.
(27) No Secretary of State employee shall be a User of the Voter Registration Application unless he or she has passed a criminal background check.
(c) Assessments:
(1) The Secretary of State shall conduct or have conducted regular cybersecurity assessments of the Voter Registration System.
(2) Any vendor who has access to the Voter Registration System shall conduct regular assessments of the security of their network environment that interfaces with the Voter Registration System. The results of these assessments shall be provided to the Secretary of State upon request. The Secretary of State shall have the right to audit the network security of any vendor who has access to the Voter Registration System.
(d) Certification of Substantial Compliance:
(1) No later than December 31 of every calendar year, the Secretary of State shall certify that:
A. The Voter Registration System is being maintained in a manner consistent with the standards set forth in subsection (b) of this rule; and,
B. That the standards set forth in subsection (b) have been reviewed to ensure that they remain generally consistent with industry standards.
(2) The Secretary of State shall require vendors who have access to the Voter Registration System to certify to the Secretary that they are in substantial compliance with sections (b) and (c) of this rule and the Secretary may rely on that certification in issuing his or her own certification.
O.C.G.A. §§ 45-13-20(14.1), 21-2-211.