Cal. Code Regs. tit. 11 § 999.146

Current through Register 2024 Notice Reg. No. 37, September 13, 2024
Section 999.146 - Auditable Events, Incidents and Reporting
(a) Auditable ERDS events shall be logged for purposes of audit, local inspection and review, incident response, and reporting. Auditable events may be logged using automated or manual processes. Logs shall be safely stored and maintained in a manner that ensures their availability for (1) a period of at least twenty-four (24) months, or (2) at least one (1) computer security audit, whichever occurs later.
(b) The County Recorder shall establish ERDS operating procedures for handling and responding to an incident as defined by this chapter.
(c) Incident reporting shall comply with provisions contained within this chapter.
(d) All of the following are auditable ERDS events, unless otherwise stated, and shall be logged, and, when applicable, processed only as an incident or processed as an incident and reported.
(1) Login successes and failures.
(2) Session starts and ends.
(3) Session timeouts.
(4) ERDS payload submittals, retrievals and returns, when applicable.
(5) ERDS transactions not conducted within a preset timeout limit. Criteria for setting the timeout shall be established by the County Recorder.
(6) ERDS sessions terminated within a preset timeout limit without receiving a logout command.
(7) Unauthorized access attempts, including, but not limited to unauthorized users attempting either physical or logical access to ERDS storage areas. This is an Incident and shall be reported if fraud is suspected.
(8) Use of expired or revoked credentials. This is an Incident and shall be reported if fraud is suspected.
(9) Privilege elevation. This is an Incident and shall be reported.
(10) Unauthorized access to an ERDS server or a logged-in session. This is an Incident and shall be reported if fraud is suspected.
(11) Authentication failures.
(12) ERDS accounts locked out and/or disabled due to failed consecutive login attempts. This is an Incident and shall be reported if intrusion is suspected.
(13) Auditable events that overwrite other logged events. This is an Incident and shall be reported if intrusion is suspected.
(14) Auditable events that cannot be logged. This is an Incident.
(15) Logs that cannot be safely stored. This is an Incident.
(16) ERDS account creation, modification, deletion, suspension, termination or revocation, whether authorized or not. This is an Incident only if not authorized and shall be reported if fraud is suspected.
(17) Hardware or software configuration changes. This is an Incident only if not authorized and shall be reported.
(18) Dates and times the ERDS payload was submitted, retrieved or, when applicable, returned. This is an Incident only if the dates and times are not current.
(19) Identity of an individual, who submitted, retrieved, or, when applicable, returned an ERDS payload. This is an Incident only if the individual is not authorized for Secure Access to the ERDS.
(20) Name of the organization that an individual represented while submitting, retrieving or, when applicable, returning an ERDS payload. This is an Incident only if the individual is not authorized for Secure Access to the ERDS.
(21) A transmission failure.
(22) A storage failure.
(23) A decryption failure. This is an Incident and shall be reported if fraud is suspected.
(24) A hash failure. This is an Incident and shall be reported if fraud is suspected.
(25) A validity check failure. This is an Incident and shall be reported if fraud is suspected.
(26) An instrument submitted unencrypted. This is an Incident and shall be reported.
(27) Unauthorized components that draw data or images from sources external to the digital or digitized record. This is an Incident and shall be reported if intrusion is suspected.
(28) Unauthorized transactions submitted via an ERDS. This is an Incident and shall be reported if fraud is suspected.
(29) Server failures, including, but not limited to, hardware, software, and network component failures, that causes the ERDS to be unavailable or that exposes the ERDS server directly to the Internet. This is an Incident and shall be reported if intrusion is suspected.
(30) Events for which an ERDS System Administrator is alerted of possible or actual intrusion. This is an Incident and shall be reported if intrusion is suspected.
(31) Unauthorized changes to the ERDS operational configuration. This is an Incident and shall be reported if fraud or intrusion is suspected.
(32) Network failures that cause the ERDS to be unavailable or that expose the ERDS server directly to the Internet. This is an Incident and shall be reported if intrusion is suspected.
(33) Events for which an ERDS System Administrator is alerted of possible or actual intrusion. This is an Incident and shall be reported if intrusion is suspected.
(34) Inability to obtain and employ up-to-date anti-malware software.
(35) Inability to obtain and employ cryptography, including hashing, encryption, and decryption. This is an Incident and shall be reported.
(36) Inability to obtain and employ the most up-to-date patches and hot-fixes.
(37) Unauthorized access or changes to storage media and improper sanitization of storage media. This is an Incident and shall be reported if compromise of the storage media is suspected.
(38) Any other event that compromises the security of the ERDS. This is an Incident and shall be reported.

1. New section filed 7-31-2007; operative 8-30-2007 (Register 2007, No. 31).
2. Amendment of subsection (d)(7), repealer of subsections (d)(11), (d)(12), (d)(33), (d)(41) and (d)(44)-(46) and subsection renumbering filed 8-11-2014; operative 10-1-2014 (Register 2014, No. 33).
3. Amendment filed 10-7-2019; operative 1-1-2020 (Register 2019, No. 41).

Note: Authority cited: Section 27393, Government Code. Reference: Sections 27392(b), 27393(b)(2), 27394 and 27396, Government Code.
