Ensure that an employee's access to the Data is removed immediately:
(1) Upon suspected compromise of the user credentials.
(2) When their employment is terminated.
(3) When they no longer need access to the Data.

Have a process to periodically review and verify that only authorized users have access to systems containing DSHS Confidential Information.

When accessing the Data from within the Lead/sub grantee's network (the Data stays within the Lead/sub grantee's network at all times), enforce password and logon requirements for users within the Lead/sub grantee network, including:
(1) A minimum length of 8 characters, and containing at least three of the following character classes: uppercase letters, lowercase letters, numerals, and special characters such as an asterisk, ampersand, or exclamation point.
(2) That a password does not contain a user's name, logon ID, or any form of their full name.
(3) That a password does not consist of a single dictionary word. A password may be formed as a passphrase which consists of multiple dictionary words.
(4) That passwords are significantly different from the previous four passwords. Passwords that increment by simply adding a number are not considered significantly different.

h. When accessing Confidential Information from an external location (the Data will traverse the Internet or otherwise travel outside the Lead/sub grantee network), mitigate risk and enforce password and logon requirements for users by employing measures including:
(1) Ensuring mitigations applied to the system don't allow end-user modification.
(2) Not allowing the use of dial-up connections.
(3) Using industry standard protocols and solutions for remote access. Examples would include RADIUS and Citrix.
(4) Encrypting all remote access traffic from the external workstation to Trusted Network or to a component within the Trusted Network. The traffic must be encrypted at all times while traversing any network, including the Internet, which is not a Trusted Network.
(5) Ensuring that the remote access system prompts for re-authentication or performs automated session termination after no more than 30 minutes of inactivity.
(6) Ensuring use of Multi-factor Authentication to connect from the external end point to the internal end point.

Passwords or PIN codes may meet a lesser standard if used in conjunction with another authentication mechanism, such as a biometric (fingerprint, face recognition, iris scan) or token (software, hardware, smart card, etc.) in that case:
(1) The PIN or password must be at least 5 letters or numbers when used in conjunction with at least one other authentication factor