10.8 Appendix H: Access to the DSHS Benefits Verification System Data Security Requirements

1. Definitions. The words and phrases listed below, as used in this Appendix, shall each have the following definitions:

a. "Authorized User(s)" means an individual or individuals with an authorized business requirement to access DSHS Confidential Information.

b. "Hardened Password" means a string of at least eight characters containing at least one alphabetic character, at least one number and at least one special character such as an asterisk, ampersand or exclamation point.

c. "Unique User ID" means a string of characters that identifies a specific user and which, in conjunction with a password, passphrase or other mechanism, authenticates a user to an information system.

d. "Contractor" means CHG Lead/subgrantees.

2. Data Transport. When transporting DSHS Confidential Information electronically, including via email, the Data will be protected by:

a. Transporting the Data within the (State Governmental Network) SGN or Contractor's internal network, or;

b. Encrypting any Data that will be in transit outside the SGN or Contractor's internal network. This includes transit over the public Internet.

3. Protection of Data. The Contractor agrees to store Data on one or more of the following media and protect the Data as described:

a. Hard disk drives. Data stored on local workstation hard disks. Access to the Data will be restricted to Authorized User(s) by requiring logon to the local workstation using a Unique User ID and Hardened Password or other authentication mechanisms which provide equal or greater security, such as biometrics or smart cards.

b. Network server disks. Data stored on hard disks mounted on network servers and made available through shared folders. Access to the Data will be restricted to Authorized Users through the use of access control lists which will grant access only after the Authorized User has authenticated to the network using a Unique User ID and Hardened Password or other authentication mechanisms which provide equal or greater security, such as biometrics or smart cards. Data on disks mounted to such servers must be located in an area which is accessible only to authorized personnel, with access controlled through use of a key, card key, combination lock, or comparable mechanism.

For DSHS Confidential Information stored on these disks, deleting unneeded Data is sufficient as long as the disks remain in a Secured Area and otherwise meet the requirements listed in the above paragraph. Destruction of the Data as outlined in Section 5. Data Disposition may be deferred until the disks are retired, replaced, or otherwise taken out of the Secured Area.

c. Optical discs (CDs or DVDs) in local workstation optical disc drives. Data provided by DSHS on optical discs which will be used in local workstation optical disc drives and which will not be transported out of a Secured Area. When not in use for the contracted purpose, such discs must be locked in a drawer, cabinet or other container to which only Authorized Users have the key, combination or mechanism required to access the contents of the container. Workstations which access DSHS Data on optical discs must be located in an area which is