Statutes, codes, and regulations
Oklahoma Administrative Code
Title 765 - Oklahoma Used Motor Vehicle, Dismantler, and Manufactured Housing CommissionChapter 14 - [Effective until 9/14/2025] Authorized temporary license plate vendors
Subchapter 5 - [Effective until 9/14/2025] Software and Security
Section 765:14-5-2 - [Effective until 9/14/2025] Security

Okla. Admin. Code § 765:14-5-2

Download
PDF
Current through Vol. 42, No. 7, December 16, 2024
Section 765:14-5-2 - [Effective until 9/14/2025] Security
(a) Security requirements.
(1) All information submitted during online transaction are sent via encrypted network protocols.
(2) Access must require HTTPS connection.
(3) Must require two factor authentication.
(4) Set minimum password security requirements:
(A) Passwords will be required to be a minimum of 8 characters long, containing at least one (1) numeric character,
(B) Passwords will expire in a maximum of 90 days,
(C) Passwords will be deactivated if not used for a period of 60 days, and
(D) Passwords for a given user should not be reused in a 12-month period.
(5) Firewall must be implemented permitting access only to the minimum required ports,
(6) Detection and prevention controls to protect against malicious software,
(7) All data transferred between databases is done via secure network protocols to ensure that only authorized users can access the network, and no one can intercept data.
(8) Data must be stored and served in a secured data center.
(9) Audit logs recording exceptions and other security-relevant events must be produced and kept for an agreed period to assist in future investigations and access control monitoring. Audit logs should include:
(A) user IDs,
(B) dates and times for log-on and log-off,
(C) terminal identity or location, if possible,
(D) records of successful and rejected system access attempts, and
(E) records of successful and rejected data and other resource access attempts.
(b) Back-up copies of essential business information and software must be taken regularly. Back-up media should be regularly tested to ensure that they can be relied upon for emergency use when necessary.
(c) In the event that physical media containing any data is disposed of the data must be wiped or otherwise destroyed following DoD or NIST standards. Data includes but is not limited to any database data, log files, code or configuration, including backup media. If using a cloud or other third-party provider for data storage, the vendor must verify that the provider has a data security and media destruction policy.
(d) In the event of a breach of data, the vendor must notify the Commission within 24 hours and must be able to disable access within 24 hours. The vendor must also notify the client dealership or dealerships within 24 hours of the data breach so that they may be able to determine the nature and extent of the breach and comply with all notification requirements provided for in Oklahoma and Federal law.

Okla. Admin. Code § 765:14-5-2

Adopted by Oklahoma Register, Volume 42, Issue 2, October 1, 2024, eff. 8/16/2024, exp. 9/14/2025 (Emergency)