N.Y. Comp. Codes R. & Regs. tit. 9, § 6220.3
(a) A cyber security program shall have the following elements:
(1) Data classification.
(2) Asset inventory.
(3) Patch management.
(4) Vulnerability scanning.
(i) Each Board of Elections shall run vulnerability scans and, where practicable, authenticated vulnerability scanning tools, against all information systems and electronic equipment that accesses, stores, processes, and transmits election data on the network. At a minimum, such vulnerability scanning tools shall comply with the following:
(5) Backups of election data.
(6) Restoration of data.
(7) Network segmentation.
(8) Remote access.
(i) Each Board of Elections shall follow best practices for remote access to its network segment(s), which shall include, but is not limited to:
(9) Logging.
(10) Incident response.
(iv) Each Board of Elections shall report to the State Board of Elections, through the cyber incident reporting procedure, all cyber security incidents or any disruptions which impact or have the potential to impact election operations. Cyber security incidents includes, but is not limited to:
(11) Continuity of operations.
(12) Credential management and access.
(13) Multi-factor authentication.
(14) Email and web protections.
(15) Third party risk management.
(16) (Continuous monitoring and reporting.
(17) Removable media.
(18) Security awareness training.
(19) Elections infrastructure information sharing and analysis center.