Cal. Code Regs. tit. 11 § 999.142

Current through Register 2024 Notice Reg. No. 37, September 13, 2024
Section 999.142 - ERDS Role-Based Security Requirements
(a) All ERDS shall be required to meet all of the role-based security requirements as follows:
(1) ERDS access shall be controlled by the County Recorder using a role-based access control system. Textual disclaimers or verbal disclaimers alone shall not be sufficient to control access to digital and digitized records under the control of an ERDS. The role-based access control system shall control all of the following characteristics:
(A) Whether or not a session may be established with an ERDS.
(B) Which ERDS payloads will be displayed.
(C) Whether or not ERDS payloads may be submitted, retrieved, and, when applicable, returned.
(2) The County Recorder shall also be responsible for controlling the assignment of user accounts and identity credentials. User accounts and identity credentials shall be issued to the person, and a role shall be assigned to control transactions performed under that user account. The security system shall be capable of controlling this electronic access based on the roles authorized at the time a user successfully logs into an ERDS.
(3) Upon notification of a user's status change so that access to ERDS is no longer required, the user's ERDS account and identity credentials shall be disabled and revoked by the County Recorder within 30 days from the date of the notice or subject to the terms of the County Recorder's documented procedure on how to decommission users.
(4) ERDS user accounts and identity credentials are not transferable.
(5) Identity credentials shall be recognized across a Multi-County ERDS provided that the County Recorders involved have consented, by mutual agreement, to recognize the credentials. The agreement shall be made part of the ERDS operating procedures of all County Recorders who are parties to the agreement.
(6) The security system of a Multi-County ERDS shall be capable of controlling access based on the county to which ERDS payloads are to be delivered, and, when applicable, returned.
(7) With the exception of a county data center or an outsourced county data center in which physical access is already managed by security controls, persons granted Physical Access to an ERDS server shall be subject to fingerprinting.
(8) An Authorized Submitter and Agent, if any, shall be limited to those privileges granted by the County Recorder. The Authorized Submitter and Agent are prohibited from submitting ERDS payloads on behalf of another Authorized Submitter, or Agent, except as authorized by contract with the County Recorder. Shared user accounts may not be issued.
(9) An Agent named in more than one contract shall be required to indicate which Authorized Submitter is being represented in each transaction.
(10) An Authorized Submitter who has no access to an ERDS and submits through an Agent is not subject to the requirements of Government Code Section 27395.
(11) An Authorized Submitter pursuant to Government Code Section 27391(c)(1) who has no access to an ERDS and submits through an Agent is subject to the requirements of Government Code Section 27391(c)(2).

1. New section filed 7-31-2007; operative 8-30-2007 (Register 2007, No. 31).
2. Amendment of section and NOTE filed 10-7-2019; operative 1-1-2020 (Register 2019, No. 41).

Note: Authority cited: Section 27393, Government Code. Reference: Sections 27390(b)(1), 27391, 27393(b)(2) and 27395, Government Code.
