§ 19064. County Security.
2 CA ADC § 19064
Barclays Official California Code of Regulations
2 CCR § 19064
(a) Each county shall protect the confidentiality, integrity, and availability of the data and the election information system authorized to process, store, and transmit voter registration data. This system shall utilize system hardening and resilient architecture by means of redundancy, high availability, or other fault-tolerant methodologies.
(b) Each county shall provide annual privacy and security awareness training to all staff and contractors, if any, utilizing its county voter registration and election information system in accordance with State Administrative Manual sections 5320–5320.2 and the Information Practices Act of 1977 (Civil Code section 1798, et seq.).
(10) Proper backup of critical data to allow for timely recovery. Backups shall be made at least every 24 hours. Backups for counties with more than 50,000 registered voters as of the last Report of Registration are recommended more frequently. Each county shall review critical data backup and recovery procedures to ensure the backups are not stored on the same servers hosting the county voter registration and election information system, and that restoration procedures are detailed and complete.
(17) Identification of the specific knowledge, skills, and abilities needed to support defense of the election information system; development and execution of an integrated plan to assess, identify and remediate gaps, through policy, organizational planning, training, and awareness programs for all functional roles in the organization.
(1) At all times servers hosting county voter registration and election information systems including the county's EMS as well as any Secretary of State property, such as routers, shall be secured in a designated area away from public access. The designated area shall be secured with a method to determine the identity of each person that has accessed the designated area and unauthorized access to this designated area must be detectable.
(6) The servers hosting the county EMS and election information system shall be running an operating system under mainstream support with critical and high security patches and updates applied at least monthly. All servers shall otherwise be hardened to industry best practices and government standards.
(10) All backup copies of county voter registration and election information system data, including images, shall be encrypted. Counties shall avoid the use of removable, portable media such as tape cartridges or DVD/ROM for data backup unless approved in writing by the Secretary of State based on the unique circumstances of the county, such as its information technology resources.
(11) Data encryption shall be compliant with National Institute of Standards and Technology Special Publication 800-175B, Guideline for Using Cryptographic Standards in the Federal Government, with preferred utilization of Advanced Encryption Standard (published August, 2016; incorporated by reference). However, effective July 1, 2021, the county and its EMS vendor shall use Federal Information Processing Standards Publication 140-2 (FIPS 140-2) for data encryption for the county's EMS and election information system, as well as for environments that interface with the statewide voter registration system and/or contain statewide voter registration system data (Published May 25, 2001; incorporated by reference).
(12) Direct user access to the county's EMS and election information system shall require, at a minimum, single sign-on authentication. However, effective July 1, 2021, direct user access to the county's EMS and election information system shall require, at a minimum, two (2) sign-on authentications.
Credits
Note: Authority cited: Section 12172.5, Government Code; and Sections 10 and 2168, Elections Code. Reference: 52 U.S.C. Section 21083.
History
1. New section filed 8-27-2020; operative 8-27-2020 pursuant to Government Code section 11343.4(b)(3). Filing deadline specified in Government Code section 11349.3(a) extended 60 days pursuant to Executive Order N-40-20 and an additional 60 days pursuant to Executive Order N-66-20 (Register 2020, No. 35).
This database is current through 4/26/24 Register 2024, No. 17.
Cal. Admin. Code tit. 2, § 19064, 2 CA ADC § 19064