Laserfiche WebLink
drives, and internal hard drives that have been removed from a computing device. <br />m. "Secure Area" means an area to which only authorized representatives of the entity <br />possessing the Confidential Information have access, and access is controlled <br />through use of a key, card key, combination lock, or comparable mechanism. Secure <br />Areas may include buildings, rooms or locked storage containers (such as a filing <br />cabinet or desk drawer) within a room, as long as access to the Confidential <br />Information is not available to unauthorized personnel. In otherwise Secure Areas, <br />such as an office with restricted access, the Data must be secured in such a way as to <br />prevent access by non -authorized staff such as janitorial or facility security staff, <br />when authorized Contractor staff are not present to ensure that non -authorized <br />staff cannot access it. <br />n. "Trusted Network" means a network operated and maintained by the Contractor, <br />which includes security controls sufficient to protect DSHS Data on that network. <br />Controls would include a firewall between any other networks, access control lists <br />on networking devices such as routers and switches, and other such mechanisms <br />which protect the confidentiality, integrity, and availability of the Data. <br />o. "Unique User ID" means a string of characters that identifies a specific user and <br />which, in conjunction with a password, passphrase or other mechanism, <br />authenticates a user to an information system. <br />2. Authority. The security requirements described in this document reflect the applicable <br />requirements of Standard 141.10 (https://ocio.wa.gov/policies) of the Office of the <br />Chief Information Officer for the state of Washington, and of the DSHS Information <br />Security Policy and Standards Manual. Reference material related to these <br />requirements can be found here: htt s: www.dshs.wa, ov fsa central-contract- <br />services/keepin -dshs-client-information- rivate-and-secure, which is a site developed <br />by the DSHS Information Security Office and hosted by DSHS Central Contracts and Legal <br />Services. <br />3. Administrative Controls. The Lead/sub grantee must have the following controls in <br />place: <br />a. A documented security policy governing the secure use of its computer network <br />and systems, and which defines sanctions that may be applied to Lead/sub <br />grantee staff for violating that policy. <br />4. Authorization, Authentication, and Access. In order to ensure that access to the Data is <br />limited to authorized staff, the Lead/sub grantee must: <br />a. Have documented policies and procedures governing access to systems with the <br />shared Data. <br />b. Restrict access through administrative, physical, and technical controls to <br />authorized staff. <br />C. Ensure that user accounts are unique and that any given user account logon ID <br />and password combination is known only to the one employee to whom that <br />account is assigned. For purposes of non -repudiation, it must always be possible <br />to determine which employee performed a given action on a system housing the <br />Data based solely on the logon ID used to perform the action. <br />d. Ensure that only authorized users are capable of accessing the Data. <br />61 <br />