GA - GAC
Rules and Regulations of the State of Georgia

Subject 590-8-3 SECURITY OF VOTER REGISTRATION SYSTEM

Rule 590-8-3-.01 Standards for Security of Voter Registration System

(a) Definitions:
(1) "User" means a state or county employee who was credentialed access to the Voter Registration Application.
(2) "Voter Registration Application" means the state maintained application used by county registrars to process voter registrations in Georgia in order to maintain a list of eligible and qualified voters. The Voter Registration Application does not include public-facing websites like My Voter Page or Online Voter Registration.
(3) "Voter Registration Database" means the state maintained data repository that houses the list of eligible and qualified voters entered into the Voter Registration Application.
(4) "Voter Registration System" means both the Voter Registration Application and the Voter Registration Database.
(b) Security of the Voter Registration System is vital to the administration of elections in Georgia. As such, the system shall be maintained in a manner that is consistent with the following security standards:
(1) Hardware/infrastructure assets utilized to host the Voter Registration Database shall be inventoried.
(2) Anti-malware software and endpoint protection with centralized reporting shall be utilized. Export files created from the Voter Registration System for use in other election systems shall be scanned with anti-malware software prior to distribution.
(3) All server patch requirements shall be reviewed in a timely fashion and needed patches shall be applied.
(4) The Voter Registration Application shall utilize trusted certificates for any public-facing websites.
(5) All remote connections to the Voter Registration Database shall use secure protocols.
(6) The Voter Registration Database shall utilize firewalls that shall be configured in a manner that blocks known malicious or suspicious traffic by default.
(7) The network hosting the Voter Registration Database shall be segmented in a manner that protects and isolates data.
(8) The network hosting the Voter Registration Database shall utilize intrusion detection systems such as MS-ISAC's Albert sensor.
(9) The network hosting the Voter Registration Database shall be regularly scanned to ensure only authorized devices are connected to the network. These scans should include both internal and external facing assets.
(10) The network hosting the Voter Registration Database shall be regularly scanned for vulnerabilities.
(11) Regular port scans shall be conducted to ensure that only required ports are open to the database.
(12) Server audit logs shall be securely archived for a period of no less than 60 days.
(13) Key system logs shall be reviewed on a regular basis in order to attempt to identify anomalies or abnormal events.
(14) The Voter Registration Database shall be securely backed up on at least a daily basis. Such backups shall be encrypted and securely stored for at least 60 days.
(15) Any potential cybersecurity incident or event detected in the Voter Registration System shall be handled in a manner that is consistent with the Secretary of State Incident Response Plan.
(16) A direct contact shall be kept on file for every network service provider and third-party vendor.
(17) The Voter Registration Database shall have a disaster recovery system.
(18) All Users of the Voter Registration Application shall complete regular cybersecurity training.
(19) All Users of the Voter Registration Application shall have unique User IDs.
(20) User credentials shall be encrypted or hashed.
(21) Multi-factor authentication shall be required for all Users of the Voter Registration Application.
(22) All Users of the Voter Registration Application are required to have strong passwords as defined by Secretary of State Information Technology standards.
(23) Users shall be automatically logged off the application after a period of inactivity.
(24) User accounts shall be regularly reviewed and disabled if inactive for more than 75 days.
(25) Access for any User shall be able to be immediately revoked.
(26) Administrative access shall be limited to the minimum number of required Users, and no administrative User shall be able to access the system with default credentials.
(27) No Secretary of State employee shall be a User of the Voter Registration Application unless he or she has passed a criminal background check.
(c) Assessments:
(1) The Secretary of State shall conduct or have conducted regular cybersecurity assessments of the Voter Registration System.
(2) Any vendor who has access to the Voter Registration System shall conduct regular assessments of the security of their network environment that interfaces with the Voter Registration System. The results of these assessments shall be provided to the Secretary of State upon request. The Secretary of State shall have the right to audit the network security of any vendor who has access to the Voter Registration System.
(d) Certification of Substantial Compliance:
(1) No later than December 31 of every calendar year, the Secretary of State shall certify that:
A. The Voter Registration System is being maintained in a manner consistent with the standards set forth in subsection (b) of this rule; and,
B. That the standards set forth in subsection (b) have been reviewed to ensure that they remain generally consistent with industry standards.
(2) The Secretary of State shall require vendors who have access to the Voter Registration System to certify to the Secretary that they are in substantial compliance with sections (b) and (c) of this rule and the Secretary may rely on that certification in issuing his or her own certification.