5. Accounts are locked out when a user attempts but fails to log in successfully 5 times in 10 minutes; such accounts remain locked out until released by NCRPCD staff or assigned state administrators.
6. Accounts are automatically logged out after 60 minutes when there is no transmission to the server, unless the DOH adjusts this time-out expiration period in coordination with NCRPCD.
7. The Receiver and/or the DOH may terminate a user's access to the system at any time.

F. Data Storage

1. All data submitted via the Internet using the CDR-CRS are stored on a server located within the MPHI Data Center.
2. Data are stored on this server indefinitely unless the Holder CDR staff terminate the data use agreement.
3. The Receiver ensures the security of these servers in the following ways:
   a. Data transmitted to and from the web server are authenticated and encrypted with 2048-bit SSL (Secured Sockets Layer), which is the strongest currently available commercially. The certificate authority is GoDaddy and is renewed annually.
   b. Two stateful firewalls are utilized, as well as intrusion protection and detection products. The database server sits in a protected data network with a firewall between the database and the web server.
   c. The servers are in a physically secure location with restricted access and a complete automatic temperature alarm system and fire sprinkler protection system. The server rooms have separate air conditioning systems, and electrical supplies are backed up with uninterruptible power supplies, which are backed up by a diesel generator for long term power outages.
   d. When the MPHI Data Center is closed during non-business hours, the building is locked, an electronic alarm system is activated, and access into the building is permitted only through the use of electronic reader cards. The MPHI Data Center is also equipped with a video surveillance system.
   e. The Receiver continuously updates virus-scanning software on all servers and workstations.
   f. A small group of Receiver authorized staff have access to the server room for server management and maintenance. These staff abide by strict confidentiality agreements. These individuals will be identified and their signed confidentiality agreements provided upon request of the Holder.
   g. Custodial and building maintenance staff are not allowed in the server area except in the presence of authorized Receiver staff.
   h. The Receiver staff regularly audit database servers to ensure there are no security violations.
4. For disaster recovery, the Receiver's network servers are backed-up nightly online to disk storage and replicated to disk in a second location nightly. Daily backups are kept on disk for 30 days. Data is sent to encrypted tape weekly, and weekly backups are kept off-site for 30 days. Monthly backups are saved on the encrypted backup tapes for 7 years. The tapes are delivered in locked containers via courier and stored off-site in a physically secure location.