Sec. 36.04.01.22. Minimum Design Standards Applicable to Equipment, a System, or Software
    A. Equipment, a system, or software required to be tested, certified, and approved under this chapter shall:

    (1) Conform to the minimum design standards of this regulation; and

    (2) If applicable, conform to any specific additional design standards enumerated in this chapter.

    B. Equipment, a system, or software required to be tested, certified, and approved under this chapter shall, at a minimum, control logical access through:

    (1) Generation of daily monitoring logs documenting:

    (a) User access; and

    (b) Security incidents;

    (2) Assignment of rights and privileges to an individual user including specific protocols addressing:

    (a) Creation, modification, and termination of a unique system account for each user;

    (b) Password parameters which:

    (i) Require a minimum length;

    (ii) Incorporate an expiration interval; and

    (iii) Result in lockout; and

    (c) Administrator and override capabilities;

    (3) Use of access permissions to restrict an unauthorized user from performing any of the following with regard to critical files and directories:

    (a) Reading;

    (b) Altering; or

    (c) Deleting; and

    (4) Restricted access to critical files and directories through:

    (a) Encryption; or

    (b) If approved by the Commission, internal controls provided the internal controls include:

    (i) The effective segregation of duties and responsibilities with regard to the system; and

    (ii) The automatic monitoring and recording by the system of access by an individual to its files and directories.

    C. Equipment, a system, or software required to be tested, certified, and approved under this chapter shall, at a minimum, control system operations through:

    (1) Generation of daily monitoring logs and alert messages documenting:

    (a) System performance;

    (b) Hardware problems; and

    (c) Software errors;

    (2) Authentication of the source of a data transmission;

    (3) Transmission completeness and accuracy checks;

    (4) Detection of corrupt or lost data packets;

    (5) Rejection of a transmission;

    (6) Use of cryptographic controls for critical transmissions of data; and

    (7) Daily synchronization of its real-time clock with that of equipment, systems, or software to which it is linked.

    D. Equipment, a system, or software required to be tested, certified, and approved under this chapter shall, at a minimum, control the integrity of data through:

    (1) Validation of inputs to critical fields including data:

    (a) Type; and

    (b) Format;

    (2) Rejection of corrupt data;

    (3) Automatic and independent recordation of critical data;

    (4) Independent verification of the accuracy of data; and

    (5) Segregation of all security critical system programs, files, and directories from other programs, files, and directories.

    E. Equipment, a system, or software required to be tested, certified, and approved under this chapter shall, at a minimum, ensure continuity through:

    (1) Data redundancy to permit a complete and prompt recovery of all information in the event of malfunction or power interruption; and

    (2) Environmental protections, including an uninterruptible power supply to protect critical hardware.