Cal. Code Regs. tit. 11 § 999.143

Current through Register 2024 Notice Reg. No. 37, September 13, 2024
Section 999.143 - ERDS Server Security Requirements
(a) An ERDS that employs one or more servers shall be required to meet all of the server security requirements as follows:
(1) Separate physical servers dedicated to performing ERDS server functions are not required provided that ERDS server functions can be isolated from other server functions, as evidenced by audit.
(2) ERDS servers shall be configured to prevent unauthorized access, modification, or use.
(3) At a minimum, servers shall be Hardened according to the standards established by the County Recorder. The County Recorder shall ensure that all servers used for an ERDS are Hardened according to one of the following checklists or guidelines:
(A) For all ERDS certified before January 1, 2019, NIST Special Publication 800-70 Revision 4, National Checklist Program for IT Products -- Guidelines for Checklist Users and Developers (publication date, February 2011), until January 1, 2020. After January 1, 2020, for all ERDS certified before January 1, 2019, NIST Special Publication 800-70 Revision 4, National Checklist Program for IT Products -- Guidelines for Checklist Users and Developers (publication date, February 2018). Any extensions require written justification for review by the ERDS Program. Such an update is to be considered a substantive modification. For all ERDS certified after January 1, 2019, NIST Special Publication 800-70 Revision 4, National Checklist Program for IT Products -- Guidelines for Checklist Users and Developers (publication date, February 2018).
(B) Checklists published by the following government and private entities shall be used before any other: United States Government Configuration Baseline (USGCB), Defense Information Systems Agency (DISA), United States Department of Defense (DOD), National Security Agency (NSA), Center for Internet Security (CIS), and The MITRE Corporation. All non-compliance shall be documented in a manner that states the reason for non-compliance and a plan of action to obtain compliance, mitigation, or acceptance of the risk by the applicable counties.
(4) All county servers used for an ERDS shall have a file integrity checking system.
(5) All county servers used for an ERDS shall be configured to alert the ERDS System Administrator of an operating system file change to the ERDS server.
(6) All county servers used for an ERDS shall have anti-malware software installed that operates upon boot-up.
(7) Digitized electronic records submitted to an ERDS must be scanned by anti-malware software.
(8) All inputted fields shall have input validation.
(9) All county servers used for an ERDS shall have a Licensed and Supported Operating System and application software with the most up-to-date patches and hot-fixes.

1. New section filed 7-31-2007; operative 8-30-2007 (Register 2007, No. 31).
2. Amendment of subsection (a)(8)(A) filed 8-11-2014; operative 10-1-2014 (Register 2014, No. 33).
3. Amendment filed 10-7-2019; operative 1-1-2020 (Register 2019, No. 41).

Note: Authority cited: Section 27393, Government Code. Reference: Sections 27393(b)(2) and 27397.5, Government Code.