(a)
Each county shall protect the confidentiality, integrity, and availability of the data and the election information system authorized to process, store, and transmit voter registration data. This system shall utilize system hardening and resilient architecture by means of redundancy, high availability, or other fault-tolerant methodologies.
(b)
Each county shall provide annual privacy and security awareness training to all staff and contractors, if any, utilizing its county voter registration and election information system in accordance with State Administrative Manual sections 5320 -- 5320.2 and the Information Practices Act of 1977 (Civil Code section 1798, et seq.).
(c)
Each county shall complete a security assessment of its election information system prior to a statewide primary election. The security assessment shall evaluate the:
(1)
Active management (inventory, tracking, and correction) of all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.
(2)
Active management (inventory, tracking, and correction) of all software on the network so that only authorized software is installed and can execute, and unauthorized and unmanaged software is found and prevented from installation or execution.
(3)
Establishment, implementation, and active management (tracking, reporting, and correction) of the security configuration of laptops, servers, and workstations in order to prevent attackers from exploiting vulnerable services and settings.
(4)
Continuous acquisition, assessment, and action on new threats in order to identify vulnerabilities, and to remediate and minimize opportunity for attacks.
(5)
Tracking, control, prevention, and correction of the use, assignment, and configuration of administrative privileges on computers, networks, and applications.
(6)
Collection, active management, and analysis of audit logs of events that could help detect, understand, or recover from an attack.
(7)
Minimization of opportunities for attackers to manipulate human behavior through their interaction with web browsers and e-mail systems.
(8)
Control of the installation, spread, and execution of malicious code at multiple points in the election information system, while optimizing the use of automation to enable rapid updating of defense, data gathering, and corrective action.
(9)
Active management (tracking, control, and correction) of the ongoing operational use of ports, protocols, and services on networked devices in order to minimize vulnerabilities available for attack.
(10)
Proper backup of critical data to allow for timely recovery. Backups shall be made at least every 24 hours. Backups for counties with more than 50,000 registered voters as of the last Report of Registration are recommended more frequently. Each county shall review critical data backup and recovery procedures to ensure the backups are not stored on the same servers hosting the county voter registration and election information system, and that restoration procedures are detailed and complete.
(11)
Establishment, implementation, and active management (tracking, reporting, and correction) of the security configuration of network infrastructure devices in order to prevent attacks exploiting vulnerable services and settings.
(12)
Detection, prevention, and correction of the flow of information transferring between networks of different trust levels with a focus on security-damaging data.
(13)
Prevention of data exfiltration, mitigating the effects of exfiltrated data, and ensuring the privacy and integrity of sensitive information.
(14)
Tracking, controlling, preventing, correcting, and securing access to critical assets (e.g., information, resources, systems) according to the formal determination of which persons, computers, and applications have a need and right to access these critical assets.
(15)
Tracking, controlling, preventing, and correcting the security use of wireless local area networks, access points, and wireless client systems.
(16)
Active management of the life-cycle of system and application accounts -- their creation, use, dormancy, deletion -- in order to minimize opportunities for attackers to leverage them.
(17)
Identification of the specific knowledge, skills, and abilities needed to support defense of the election information system; development and execution of an integrated plan to assess, identify and remediate gaps, through policy, organizational planning, training, and awareness programs for all functional roles in the organization.
(18)
Active management of the security life-cycle of all in-house developed and acquired software in order to prevent, detect, and correct security weaknesses.
(19)
Protection of the organization's information, by developing and implementing an incident response infrastructure (e.g., plans, defined roles, training, communications, and management oversight).
(20)
Testing of the overall strength of an organization's defenses (technology, processes, and people) by simulating the objectives and actions of an attacker.
(d)
Each county and its EMS vendor shall take the following security measures to provide security for the county's EMS and election information system, as well as for environments that interface with the statewide voter registration system and/or contain statewide voter registration system data:
(1)
At all times servers hosting county voter registration and election information systems including the county's EMS as well as any Secretary of State property, such as routers, shall be secured in a designated area away from public access. The designated area shall be secured with a method to determine the identity of each person that has accessed the designated area and unauthorized access to this designated area must be detectable.
(2)
Only staff authorized by the county shall have physical access to servers hosting the county's EMS and election information system, including servers containing the county's EMS as well as any Secretary of State property, such as routers.
(3)
The county's EMS and election information system shall only be accessible by persons authorized by the county.
(4)
No peripheral devices (e.g., disks, flash drives, smartphones, etc.) shall be attached to Secretary of State property, such as routers, installed at the county.
(5)
Secretary of State property, such as routers, installed at the county shall be exclusively for interaction with the Secretary of State, and shall not be used for other county purposes.
(6)
The servers hosting the county EMS and election information system shall be running an operating system under mainstream support with critical and high security patches and updates applied at least monthly. All servers shall otherwise be hardened to industry best practices and government standards.
(7)
The county's EMS and election information system shall be installed and operated on a service account separate from any other services.
(8)
The county's EMS and election information system shall have anti-malware software installed and configured, and updates regularly applied.
(9)
Counties shall encrypt all voter registration and election information system data whenever stored in non-volatile memory and whenever in transit between system components or through facilities not contracted directly to the county or the Secretary of State.
(10)
All backup copies of county voter registration and election information system data, including images, shall be encrypted. Counties shall avoid the use of removable, portable media such as tape cartridges or DVD/ROM for data backup unless approved in writing by the Secretary of State based on the unique circumstances of the county, such as its information technology resources.
(11)
Data encryption shall be compliant with National Institute of Standards and Technology Special Publication 800-175B, Guideline for Using Cryptographic Standards in the Federal Government, with preferred utilization of Advanced Encryption Standard (published August, 2016; incorporated by reference). However, effective July 1, 2021, the county and its EMS vendor shall use Federal Information Processing Standards Publication 140-2 (FIPS 140-2) for data encryption for the county's EMS and election information system, as well as for environments that interface with the statewide voter registration system and/or contain statewide voter registration system data (Published May 25, 2001; incorporated by reference).
(12)
Direct user access to the county's EMS and election information system shall require, at a minimum, single sign-on authentication. However, effective July 1, 2021, direct user access to the county's EMS and election information system shall require, at a minimum, two (2) sign-on authentications.
(e)
The county's EMS and election information system shall implement security log management, which includes the following:
(1)
Log all systems and network devices with sufficient information collection.
(2)
Securely store log files separately from the systems monitored, keep these files archived, and protect these files from unauthorized modification, access, or destruction.
(3)
Use log monitoring tools to send real-time alerts and notifications.
(4)
Utilize multiple synchronized United States-based time sources.
(f)
Counties shall regularly review log(s) for any errors, abnormal activities, and any system configuration changes.
(g)
Counties shall report detected unauthorized use, suspected breach, or denial of service attack on the county's EMS and election information system to the Secretary of State Elections Division Help Desk within 24 hours of discovery.
Source
1. New section filed 8-27-2020; operative 8-27-2020 pursuant to Government Code section 11343.4(b)(3). Filing deadline specified in Government Code section 11349.3(a) extended 60 days pursuant to Executive Order N-40-20 and an additional 60 days pursuant to Executive Order N-66-20 (Register 2020, No. 35).