Cal. Code Regs. tit. 11 § 999.217

Current through Register 2024 Notice Reg. No. 37, September 13, 2024
Section 999.217 - Security Audits
(a) The ERDS Program is responsible for oversight and regulation of an ERDS. This responsibility shall be met through the initial system audit, biennial audit, modified system audit, and modified system incident audit, and local inspection process as set forth in this section and in Section 999.219.
(b) The primary process for monitoring the effectiveness of security controls shall be a computer security audit conducted by a Computer Security Auditor. A County Recorder shall contract with a Computer Security Auditor in order to meet all ERDS audit requirements. A list of Computer Security Auditors shall be provided on the ERDS Program Internet page.
(c) A Computer Security Auditor shall conduct a security audit of an ERDS for the purpose of:
1) verifying that the system is secure from vulnerabilities and unauthorized penetration;
2) ensuring ERDS operating procedures are in place and are being followed; and
3) that the ERDS has no capability to modify, manipulate, insert, or delete information in the public record.
(d) The ERDS initial system audit is a full system audit and is required to obtain initial system certification. "Initial" is defined as the "first time" application for certification for either a Single-County or a Multi-County ERDS. This audit shall be performed prior to activating an ERDS for production and operation and shall be completed by a Computer Security Auditor. A copy of the successful initial system audit report shall be submitted to the County Recorder of a Single-County ERDS or the Lead County of a Multi-County ERDS, which must then submit it to ERDS Program as an attachment to the Application for System Certification form #ERDS 0001A. A successful initial system audit report shall be sufficient to meet the first year audit requirement and shall include, but is not limited to, all of the following:
(1) A description of deposit materials showing that the source code has been deposited in escrow with an approved escrow facility.
(2) Demonstration of the proposed system in its intended production/operational environment.
(3) Confirmation of all of the following:
(A) ERDS payloads are neither transmitted nor stored in an unencrypted format anywhere in the system.
(B) Transmissions only occur between authorized parties.
(C) Remnants of sessions, transmissions, and ERDS payloads are not stored once the user initiating the session and transmitting ERDS payloads has logged out or been disconnected (either physically or logically).
(D) Authorized and unauthorized users are limited in terms of roles assigned to operate the system.
(E) Auditable events are logged correctly.
(F) Known vulnerabilities have been eliminated or mitigated.
(G) The ERDS implementation is not susceptible to published exploits.
(H) ERDS operating procedures and/or features within the ERDS design have been incorporated in order to restrict the content to meet the requirements of this chapter.
(I) The ERDS has no capabilities to modify, manipulate, insert, or delete information in the public record.
(4) Confirmation that all of the following were included in the audit:
(A) A review of the system design that includes all servers, workstations, and network devices employed for, or in support of, the proposed system.
(B) A review of source code, either selected software components or all software.
(C) An inventory of hardware, software, and network devices comprising the proposed system.
(D) An inventory of all users and roles authorized to access and operate the proposed system.
(E) A mapping or diagram of the production/operational environment that identifies the servers, workstations, and network devices visible from an ERDS server, and the ERDS servers visible from a non-ERDS workstation or server.
(F) A review of the ERDS operating procedures proposed by the County Recorder.
(G) A review of all security checklists proposed for auditing the ERDS.
(H) A review of contracts with Authorized Submitters.
(I) Confirmation that the requirements of this chapter are met.
(e) A biennial audit is required to meet the ongoing oversight requirements for an existing certified Single-County ERDS or Multi-County ERDS. The biennial audit is a full system audit and shall be performed in the production and operational environment by a Computer Security Auditor. A copy of the successful biennial audit report shall be submitted to the County Recorder of a Single-County ERDS or the Lead County of a Multi-County ERDS, which shall then submit it to the ERDS Program. A biennial security audit report shall include, but is not limited to, all of the following:
(1) A description of deposit materials showing that the source code has been deposited in escrow with an approved escrow facility.
(2) Demonstration of the ERDS in its production/operational environment.
(3) Confirmation of all of the following:
(A) ERDS payloads are neither transmitted nor stored in an unencrypted format anywhere in the system.
(B) Transmissions only occur between authorized parties.
(C) Remnants of sessions, transmissions, and ERDS payloads are not stored once the user initiating the session and transmitting ERDS payloads has logged out or been disconnected (either physically or logically).
(D) Authorized and unauthorized users are limited in terms of roles assigned to operate the system.
(E) Auditable events are logged correctly.
(F) Known vulnerabilities have been eliminated or mitigated.
(G) The ERDS implementation is not susceptible to published exploits and that the published updates to the standards and guidelines as described in this chapter shall be implemented within two (2) years.
(H) ERDS operating procedures and/or features within the ERDS design have been incorporated in order to restrict the content to meet the requirements of this chapter.
(I) The ERDS has no capabilities to modify, manipulate, insert, or delete information in the public record.
(4) Confirmation that all of the following were included in the audit:
(A) A review of the system design that includes all servers, workstations and network devices employed for, or in support of, the system.
(B) A review of source code, either selected software components or all software.
(C) An inventory of hardware, software, and network devices comprising the system.
(D) An inventory of all users and roles authorized to access and operate the system.
(E) A mapping or diagram of the production/operational environment that identifies the servers, workstations, and network devices visible from an ERDS server, and the ERDS servers visible from a non-ERDS workstation or server.
(F) A review of the ERDS operating procedures established by the County Recorder.
(G) A review of all security checklists established for auditing the ERDS.
(H) A review of contracts with Authorized Submitters.
(I) A review of collected audit data showing that auditable events are collected for audit and that audit data correlates to actual activities.
(J) A review of incident reports and a determination that the cause of each incident has been eliminated or mitigated.
(K) Confirmation that the requirements of this chapter are met.
(g) A modified system audit is required for ERDS Program approval of any substantive modification to an existing certified Single-County ERDS or Multi-County ERDS. A modified system audit shall pertain to only the components that are proposed to be modified and/or changed in the production environment. This modified system audit shall be performed by a Computer Security Auditor. A copy of the successful modified system audit report shall be submitted to the County Recorder of a Single-County ERDS or the Lead County of a Multi-County ERDS, which shall then submit it to the ERDS Program within fifteen (15) business days of the provisional implementation of the proposed substantive modification as an attachment to an Application for a Request for Approval of Substantive Modification(s) form #ERDS 0013. A successful modified system audit may satisfy the biennial audit requirement when the modified system audit is conducted as a full biennial audit and not limited to the components proposed to be modified. A successful modified system audit report shall include, but is not limited to, all of the following:
(1) A description of deposit materials showing that the modified source code has been deposited in escrow with an approved escrow facility.
(2) Demonstration of the substantive modification in its intended production/operational environment.
(3) Confirmation that the functions of the substantive modification comply with all of the following:
(A) ERDS payloads are neither transmitted nor stored in an unencrypted format anywhere in the system.
(B) Transmissions only occur between authorized parties.
(C) Remnants of sessions, transmissions, and ERDS payloads are not stored once the user initiating the session and transmitting ERDS payloads has logged out or been disconnected (either physically or logically).
(D) Authorized and unauthorized users are limited in terms of roles assigned to operate the system.
(E) Auditable events are logged correctly.
(F) Known vulnerabilities have been eliminated or mitigated.
(G) The ERDS implementation is not susceptible to published exploits.
(H) ERDS operating procedures and/or features within the ERDS design have been incorporated in order to restrict the content to meet the requirements of this chapter.
(I) The ERDS has no capabilities to modify, manipulate, insert, or delete information in the public record.
(4) Confirmation that all of the following were included in the audit:
(A) A review of the system design that includes all servers, workstations, and network devices employed for, or in support of, the proposed system.
(B) A review of source code, either selected software components or all software.
(C) An inventory of hardware, software, and network devices comprising the proposed system.
(D) An inventory of all users and roles authorized to access and operate the system.
(E) A mapping or diagram of the production/operational environment that identifies the servers, workstations, and network devices visible from an ERDS server, and the ERDS servers visible from a non-ERDS workstation or server.
(F) A review of the ERDS operating procedures established by the County Recorder.
(G) A review of all security checklists established for auditing the ERDS.
(H) A review of contracts with Authorized Submitters.
(I) A review of collected audit data showing that auditable events are collected for audit and that audit data correlates to actual activities.
(J) A review of incident reports and a determination that the cause of each incident has been eliminated or mitigated.
(K) That the requirements of this chapter are met.
(h) A modified system incident audit is required to meet the audit requirement resulting from an incident, as defined and described in chapter, that compromises the security of an ERDS. A modified system incident audit shall pertain to only the components that were found to compromise the production environment and shall be performed prior to activating the correction in the ERDS for production and operation. This modified system incident audit shall be performed by a Computer Security Auditor. A copy of the successful modified system incident audit report shall be submitted to the County Recorder of a Single-County ERDS or the Lead County of a Multi-County ERDS, which shall then submit it to the ERDS Program. A successful modified system incident audit may not replace the biennial audit requirement. A successful modified system incident audit report shall include, but is not limited to, all of the following:
(1) Demonstration of the ERDS in its intended production/operational environment.
(2) Confirmation that the correction to the cause of the incident of fraud complies with all of the following:
(A) ERDS payloads are neither transmitted nor stored in an unencrypted format anywhere in the system.
(B) Transmissions only occur between authorized parties.
(C) Remnants of sessions, transmissions, and ERDS payloads are not stored once the user initiating the session and transmitting ERDS payloads has logged out or been disconnected (either physically or logically).
(D) Authorized and unauthorized users are limited in terms of roles assigned to operate the system.
(E) Auditable events are logged correctly.
(F) Known vulnerabilities have been eliminated or mitigated.
(G) The ERDS implementation is not susceptible to published exploits and that the published updates to the standards and guidelines as described in this chapter shall be implemented within two years.
(H) ERDS operating procedures and/or features within the ERDS design have been incorporated in order to restrict the content to meet the requirements of this chapter.
(I) The ERDS has no capabilities to modify, manipulate, insert, or delete information in the public record.
(3) Confirmation that all of the following were included in the audit:
(A) A review of the system design that includes all servers, workstations, and network devices employed for, or in support of, the system.
(B) A review of source code, either selected software components or all software.
(C) An inventory of hardware, software, and network devices comprising the system.
(D) An inventory of all users and roles authorized to access and operate the system.
(E) A mapping or diagram of the production/operational environment that identifies the servers, workstations, and network devices visible from an ERDS server, and the ERDS servers visible from a non-ERDS workstation or server.
(F) A review of the ERDS operating procedures established by the County Recorder.
(G) A review of all security checklists established for auditing the ERDS.
(H) A review of contracts with Authorized Submitters.
(I) A review of collected audit data showing that auditable events are collected for audit and that audit data correlates to actual activities.
(J) A review of incident reports and a determination that the cause of each incident has been eliminated or mitigated.
(K) That the requirements of this chapter are met.
(i) Upon receipt of the modified system incident audit report, the ERDS Program shall: send a written notification within ten (10) business days to the County Recorder acknowledging receipt of the audit report; send a notification of the investigative results and the appropriate action to be taken, if any, to the Computer Security Auditor, County Recorder, Board of Supervisors, and District Attorney; maintain a copy of the report for statistical purposes.

1. New article 9 (sections 999.217-999.223) and section filed 7-31-2007; operative 8-30-2007 (Register 2007, No. 31).
2. Amendment of subsections (d), (e) and (f) filed 8-11-2014; operative 10-1-2014 (Register 2014, No. 33).
3. Amendment filed 10-7-2019; operative 1-1-2020 (Register 2019, No. 41).
4. Change without regulatory effect amending Application for System Certification form #ERDS 0001A and Request for Approval of Substantive Modification(s) form #ERDS 0013 (incorporated by reference) and amending subsections (d) and (g) filed 5-27-2021 pursuant to section 100, title 1, California Code of Regulations (Register 2021, No. 22). Filing deadline specified in section 100, title 1, California Code of Regulations extended 60 calendar days pursuant to Executive Order N-40-20 and an additional 60 calendar days pursuant to Executive Order N-71-20.

Note: Authority cited: Section 27393, Government Code. Reference: Sections 27390(b)(2), 27392(a), 27393(b)(2), 27393(b)(3), 27393(b)(6) and 27394(c)-(f), Government Code.
