Laserfiche WebLink
Exhibit A — Data Security Requirements <br />1. Definitions. The words and phrases listed below, as used in this Exhibit, shall each have the following <br />definitions: <br />a. "Authorized User(s)" means an individual or individuals with an authorized business requirement to <br />access DSHS Confidential Information. <br />b. "Hardened Password" means a string of at least eight characters containing at least one alphabetic <br />character, at least one number and at least one special character such as an asterisk, ampersand <br />or exclamation point. <br />c. "Unique User ID" means a string of characters that identifies a specific user and which, in <br />conjunction with a password, passphrase or other mechanism, authenticates a user to an <br />information system. <br />2. Data Transport. When transporting DSHS Confidential Information electronically, including via email, <br />the Data will be protected by: <br />a. Transporting the Data within the (State Governmental Network) SGN or Contractor's internal <br />network, or; <br />b. Encrypting any Data that will be in transit outside the SGN or Contractor's internal network. This <br />includes transit over the public Internet. <br />3. Protection of Data. The Contractor agrees to store Data on one or more of the following media and <br />protect the Data as described: <br />a. Hard disk drives. Data stored on local workstation hard disks. Access to the Data will be <br />restricted to Authorized User(s) by requiring logon to the local workstation using a Unique User ID <br />and Hardened Password or other authentication mechanisms which provide equal or greater <br />security, such as biometrics or smart cards. <br />b. Network server disks. Data stored on hard disks mounted on network servers and made available <br />through shared folders. Access to the Data will be restricted to Authorized Users through the use of <br />access control lists which will grant access only after the Authorized User has authenticated to the <br />network using a Unique User ID and Hardened Password or other authentication mechanisms <br />which provide equal or greater security, such as biometrics or smart cards. Data on disks mounted <br />to such servers must be located in an area which is accessible only to authorized personnel, with <br />access controlled through use of a key, card key, combination lock, or comparable mechanism. <br />For DSHS Confidential Information stored on these disks, deleting unneeded Data is sufficient as <br />long as the disks remain in a Secured Area and otherwise meet the requirements listed in the <br />above paragraph. Destruction of the Data as outlined in Section 5. Data Disposition may be <br />deferred until the disks are retired, replaced, or otherwise taken out of the Secured Area. <br />c. Optical discs (CDs or DVDs) in local workstation optical disc drives. Data provided by DSHS <br />on optical discs which will be used in local workstation optical disc drives and which will not be <br />transported out of a Secured Area. When not in use for the contracted purpose, such discs must be <br />locked in a drawer, cabinet or other container to which only Authorized Users have the key, <br />combination or mechanism required to access the contents of the container. Workstations which <br />access DSHS Data on optical discs must be located in an area which is accessible only to <br />authorized personnel, with access controlled through use of a key, card key, combination lock, or <br />comparable mechanism. <br />DSHS Central Contract Services <br />1644CS Prevention Services - County (6-26-2015) Page 30 <br />