Laserfiche WebLink
d. Optical discs (CDs or DVDs) in drives or jukeboxes attached to servers. Data provided by <br />DSHS on optical discs which will be attached to network servers and which will not be transported <br />out of a Secured Area. Access to Data on these discs will be restricted to Authorized Users through <br />the use of access control lists which will grant access only after the Authorized User has <br />authenticated to the network using a Unique User ID and Hardened Password or other <br />authentication mechanisms which provide equal or greater security, such as biometrics or smart <br />cards. Data on discs attached to such servers must be located in an area which is accessible only <br />to authorized personnel, with access controlled through use of a key, card key, combination lock, or <br />comparable mechanism. <br />e. Paper documents. Any paper records must be protected by storing the records in a Secured Area <br />which is only accessible to authorized personnel. When not in use, such records must be stored in <br />a locked container, such as a file cabinet, locking drawer, or safe, to which only authorized persons <br />have access. <br />Remote Access. Access to and use of the Data over the State Governmental Network (SGN) or <br />Secure Access Washington (SAW) will be controlled by DSHS staff who will issue authentication <br />credentials (e.g. a Unique User ID and Hardened Password) to Authorized Users on Contractor <br />staff. Contractor will notify DSHS staff immediately whenever an Authorized User in possession of <br />such credentials is terminated or otherwise leaves the employ of the Contractor, and whenever an <br />Authorized User's duties change such that the Authorized User no longer requires access to <br />perform work for this Contract. <br />g. Data storage on portable devices or media. <br />(1) Except where otherwise specified herein, DSHS Data shall not be stored by the Contractor on <br />portable devices or media unless specifically authorized within the terms and conditions of the <br />Contract. If so authorized, the Data shall be given the following protections: <br />(a) Encrypt the Data with a key length of at least 128 bits <br />(b) Control access to devices with a Unique User ID and Hardened Password or stronger <br />authentication method such as a physical token or biometrics. <br />(c) Manually lock devices whenever they are left unattended and set devices to lock <br />automatically after a period of inactivity, if this feature is available. Maximum period of <br />inactivity is 20 minutes. <br />Physically Secure the portable device(s) and/or media by <br />(d) Keeping them in locked storage when not in use <br />(e) Using check-in/check-out procedures when they are shared, and <br />(f) Taking frequent inventories <br />(2) When being transported outside of a Secured Area, portable devices and media with DSHS <br />Confidential Information must be under the physical control of Contractor staff with authorization <br />to access the Data. <br />(3) Portable devices include, but are not limited to; smart phones, tablets, flash memory devices <br />(e.g. USB flash drives, personal media players), portable hard disks, and <br />laptop/notebook/netbook computers if those computers may be transported outside of a <br />Secured Area. <br />DSHS Central Contract Services <br />1644CS Prevention Services - County (6-26-2015) Page 31 <br />