(a) Each certified software vendor shall protect the security and integrity of the data and information stored on its servers and transmitted to CAL-ACCESS through its servers.
(b) Each certified software vendor shall provide annual privacy training on protecting filer information, and security awareness training on protecting its electronic filing system and filer data, to all of its staff and contractors, if any, who have access to the servers that host its electronic filing system or who make code changes to its electronic filing system.
(c) Each certified software vendor shall take the following security measures to ensure the security of its electronic filing system, to the extent that system is hosted on its servers, and the security of all systems used to make code changes to its electronic filing system:
  (1) The servers shall be hardened to industry best practices.
  (2) The servers shall have anti-malware software installed and configured, with updates regularly applied.
  (3) Direct user access to the servers shall require, at a minimum, two-factor authentication.
(d) Each certified software vendor shall implement security log management on its servers that host its electronic filing system and on all systems used to make code changes to its electronic filing system by:
  (1) Enabling logging on all systems and network devices, with sufficient information collected.
  (2) Reviewing logs regularly for errors, abnormal activity, and system configuration changes.
  (3) Securely storing log files separately from the systems monitored and protecting the logs from unauthorized modification, access, or destruction.
  (4) Using log monitoring tools to send real-time alerts and notifications.
  (5) Using multiple synchronized United States-based time sources.
(e) Each certified software vendor shall report detected unauthorized use of, or unscheduled outages of, any of its servers that host its electronic filing system or are used to make code changes to its electronic filing system to the Secretary of State within one (1) business day of discovery.
(f) A certified software vendor shall not be responsible for the security of the systems of filers who use its electronic filing system.
(g) The requirements in this section do not apply to filers who use an electronic filing system.
Source
1. New section filed 11-12-2020; operative 11-12-2020 pursuant to Government Code section 11343.4(b)(3) (Register 2020, No. 46). Filing deadline specified in Government Code section 11349.3(a) extended 60 calendar days pursuant to Executive Order N-40-20.