(a) Any person who has directly or indirectly obtained voter registration information from a source agency must exercise due diligence in maintaining and securing the voter registration information in order to reduce the risk of information exposure and/or breach.
(b) Any person who has directly or indirectly obtained voter registration information from a source agency shall:
(1) Use a strong and unique password (“strong password hygiene”) per account with access to the voter registration information or privileges to grant access.
(2) Apply security best practices, which includes the following:
(A) Obtain training on security awareness to avoid social engineering and phishing attacks.
(B) Practice the principles of “least privilege” By restricting user access to the minimum need based on users' job necessity.
(C) Ensure user accounts are logged off or the session is locked after a period of inactivity, which shall be no more than 15 minutes.
(D) Remove, deactivate, or disable accounts or default credentials.
(E) Erase or wipe voter registration information that is no longer needed for its retention and sanitized following National Institute of Standards and Technology (NIST) 800-88 Guidelines for media sanitization.
(F) Restrict physical access by not leaving your computer in places unlocked and unattended.
(G) Limit the use of portable devices. If a portable device is used, strong storage encryption procedures must be applied utilizing Federal Information Processing Standards (FIPS) 197, commonly referred to as “Advanced Encryption Standard” or “AES.”
(H) Use wireless technology securely with Wi-Fi Protected Access 2 (WPA2) or better.
(c) In addition to the requirements set forth in (b) above, any vendor shall:
(1) Apply additional security best practices, which include the following:
(A) Use strong identity and access management, preferring multi-factor authentication for any and all privilege accounts and/or accounts with access to voter registration data.
(B) Initiate an account lockout after a pre-defined number of failed attempts, no more than 10. Any automated account unlock actions must wait no less than 30 minutes from the lockout event.
(C) Force password changes on a pre-defined basis, but not less than 365 days.
(D) Backups of voter registration information shall be securely stored separately and utilizing FIPS 197 encryption at rest.
(2) Implement security log management, which includes the following:
(A) Enable logging on all systems and network devices with sufficient information collection that answers the following:
(i) What activity was performed?
(ii) Who or what performed the activity, including where or on what system the activity was performed?
(iii) What activity was the action performed on?
(iv) What tool(s) were used to perform or performed the activity?
(v) What was the status, outcome, or results of the activity?
(B) Review log(s) regularly for any errors, abnormal activities and any system configuration changes.
(C) Securely store log files separately from the systems monitored, archived, and protect from unauthorized modification, access, or destruction.
(D) Use log monitoring tools to send real-time alerts and notifications.
(E) Utilize multiple synchronized United States-based time sources.
(3) Employ system hardening techniques, which include the following:
(A) Update and install all firmware and patches from a trusted and verifiable source.
(B) Use only the most up-to-date and certified version of vendor software.
(C) Install and maintain active malware and anti-virus software.
(D) Implement firewalls, also known as host-based firewalls, and/or port filtering tools with host-based intrusion protection services.
(E) Encrypt voter registration information using FIPS 197 at rest.
(F) Encrypt voter registration information in transit such as Transport Layer Security (TLS) 1.2 or better with a valid certificate and certificate chain.
(G) Do not use self-signed certificates.
(H) Conduct regular vulnerability scanning and testing for known or unknown weaknesses.
(I) Use application whitelisting on all endpoints and systems.
Credits
Note: Authority cited: Section 2188.2, Elections Code; and Sections 6254.4 and 12172.5, Government Code. Reference: Sections 2188 and 2194, Elections Code.
History
1. New section filed 5-11-2022; operative 7-1-2022. Transmission deadline specified in Government Code section 11346.4(b) extended 60 calendar days pursuant to Executive Order N-40-20 and an additional 60 calendar days pursuant to Executive Order N-71-20 (Register 2022, No. 19).
This database is current through 4/19/24 Register 2024, No. 16.
