Iowa Administrative Code
Agency 721 - Secretary of State
Division II - Elections
Chapter 22 - Voting Systems and Electronic Poll Books
Rule 721-22.602 - Security Features of E-poll Books
Current through Register Vol. 47, No. 6, September 18, 2024
All e-poll book systems in use in this state, including those funded by county moneys, shall conform to the following security standards.
(1) Definitions.
"E-poll book" is as defined in rule 721-22.1(47).
"Secure, " for purposes of this rule, means "encryption" as defined by Iowa Code section 715C. 1(5).
"Vendor, " for purposes of this rule, means a person or representative of a person developing, offering, or supporting an e-poll book.
(2) Encryption of data at rest. The e-poll book system shall ensure that all voter data is encrypted at rest. "Encrypted at rest" includes encryption of the whole hard drive, database, application data deemed confidential, and removable media. The data encryption keys shall be stored separately from the e-poll book hardware and software.
(3) Encryption of data in transit. The e-poll book system shall ensure that all voter data is encrypted in transit via secure transfer protocols.
(4) Security updates. The commissioner shall ensure that the computer maintains the most recent security updates available for the computer's operating system. The vendor shall ensure that the e-poll book software remains compatible with all security updates issued for the computer's operating system. An e-poll book system in use in Iowa shall not be installed on an operating system that is no longer supported by the developer.
(5) Authentication. Every e-poll book system shall require authentication to the operating system and to the e-poll book application separately through a minimum of a username-password combination. A commissioner shall use a unique username-password combination for each precinct.
(6) Decommissioning. At the time of decommissioning, the hard drive from the computer shall be destroyed by the owner of the hardware. This shall occur before the commissioner or vendor resells, gifts, repurposes, or otherwise disposes of the equipment. A record of the destruction shall be kept by the owner.
(7) Notification. A vendor upon offering a new e-poll book platform, or upon making a change to the security features of an existing e-poll book, shall notify the state commissioner of the encryption and authentication standards utilized.
This rule is intended to implement 2017 Iowa Acts, House File 516, section 37.