New York Codes, Rules and Regulations
Title 9 - EXECUTIVE DEPARTMENT
Subtitle V - State Board of Elections
Part 6220 - Cyber Security Requirements for Boards of Elections
Section 6220.1 - Definitions
Current through Register Vol. 46, No. 12, March 20, 2024
(a) "Authentication" Means the process or action of verifying the identity of a user, process or device.
(b) "Board of Elections" or "County Board" Means each County Board of Elections.
(c) "Cloud Service" Means a wide range of services delivered on-demand over the Internet. These services are designed to provide affordable and easy access to applications and resources.
(d) "Complex Password Management Policy" Means a password policy on any information system that supports Election Data and is capable of complying with guidelines set forth in National Institute of Standards and Technology (NIST) Special Publication 800-63B Digital Identity Guidelines Authentication and Lifecycle Management.
(e) "Cyber Incident Reporting Procedure" Means the process created by the State Board of Elections to be followed by both the County Board and/or the State Board of Elections when reporting a cyber security incident.
(f) "Cyber Security Incident" Means any imminent or successful act to gain unauthorized access to, or create disruption resulting in the misuse of, any information system that processes election data or any non-public information by the Boards of Elections.
(g) "Data Assets" Means the data that an organization collects, manages, produces, modifies or stores either electronically or physically. This can refer to any application output file, document, database information, web page code, etc.
(h) "Domain-based Messaging, Authentication, Reporting & Conformance (DMARC) " Means an email authentication, policy, and reporting protocol that can improve email protection by monitoring email messages to help mitigate risk to the organization.
(i) "Domain Naming System (DNS)" Means a hierarchical and decentralized system for computers, services, or other resources connected to the Internet or a private network that translates a name to an Internet Protocol address.
(j) "Election Data" Means all data contained on servers, workstations and devices, other than voting systems, used for the administration of elections, including but not limited to:
(k) "Baseline Image" Means an organization's standard set of necessary, trusted applications, including operating system with up-to-date patch levels, installed for the set of systems for which it is designed.
(l) "Information System" Means integrated components that collect, store and process data which are used to provide information, or perform tasks.
(m) "Intrusion Detection System (IDS) or Intrusion Prevention System (IPS)"
Means a device that monitors a network for malicious activity or security policy violations and, in the case of an Intrusion Prevention System, blocks such activity.
(n) "Managed Services Provider" Means a vendor providing outsourced administration, maintenance, security, operations, and/or support of information technology operations and assets. The relationship is often managed with performance and service metrics outlined in a service level agreement.
(o) "Penetration Test" Means an authorized simulated cyber attack on a computer system or network, performed to evaluate the security of the system or network. A penetration test can help determine whether a system is vulnerable to attack, if the controls in place are sufficient, and which controls (if any) the test bypassed. Penetration test reports may also assess potential impacts to the organization and suggest countermeasures to reduce risk.
(p) "Phishing" Means a fraudulent attempt to obtain sensitive information or data such as usernames, passwords and credit card details, or install malicious software, by disguising oneself as a trustworthy entity in an electronic communication.
(q) "Risk Remediation Plan" Means the process of developing an approach and actions to reduce the likelihood of an adverse event from occurring due to an exploit of a vulnerability by a threat actor.
(r) "State Board of Elections" or "State Board" Means the New York State Board of Elections.
(s) "Secure Elections Center" Means the State Board of Elections organizational unit that offers services to Boards of Elections that help assess, manage, and reduce risk to the administration of elections.
(t) "Secure System Development Life Cycle (SSDLC)"Means a process for defining security requirements and tasks that must be considered and addressed within every system, project or application throughout every phase (from design through disposal).
(u) "Server Message Block (SMB) Protocol" Means a network file sharing protocol that allows applications on a computer to read and write to files and to request services from server programs in a computer network.
(v) "Transport Layer Security (TLS)" Means a cryptographic protocol designed to provide secure communication over a computer network.
(w) "The Principle of Least Privilege" Means any user, program, or process shall have only the bare minimum privileges necessary to perform its function.
(x) "Validated" Means a particular hardware, software, network appliance, or service is still supported by the manufacturer or vendor.
(y) "Virtual Local Area Network (VLAN)" Means a broadcast domain that is partitioned and isolated in a computer.
(z) "Vulnerability Scan" Means the process of discovering, and the inspection of, a network and networked systems to identify potential weaknesses which could be exploited.
(aa) "Authenticated vulnerability scanning" Means the process of performing a Vulnerability Scan using credentials. Authenticated vulnerability scans obtain vulnerability information on protected devices to obtain detailed and accurate information about the operating system, installed software, including configuration issues and missing security patches.
