network using a Unique User ID and Hardened Password or other authentication mechanisms which provide equal or greater security, such as biometrics or smart cards. Data on discs attached to such servers must be located in an area which is accessible only to authorized personnel, with access controlled through use of a key, card key, combination lock, or comparable mechanism.

e. Paper documents. Any paper records must be protected by storing the records in a Secure Area which is only accessible to authorized personnel. When not in use, such records must be stored in a Secure Area.

f. Remote Access. Access to and use of the Data over the State Governmental Network (SGN) or Secure Access Washington (SAW) will be controlled by DSHS staff who will issue authentication credentials (e.g. a Unique User ID and Hardened Password) to Authorized Users on Contractor's staff. Contractor will notify DSHS staff immediately whenever an Authorized User in possession of such credentials is terminated or otherwise leaves the employ of the Contractor, and whenever an Authorized User's duties change such that the Authorized User no longer requires access to perform work for this Contract.

g. Data storage on portable devices or media.
  (1) Except where otherwise specified herein, DSHS Data shall not be stored by the Lead/sub grantee on portable devices or media unless specifically authorized within the terms and conditions of the Grant. If so authorized, the Data shall be given the following protections:
    (a) Encrypt the Data.
    (b) Control access to devices with a Unique User ID and Hardened Password or stronger authentication method such as a physical token or biometrics.
    (c) Manually lock devices whenever they are left unattended and set devices to lock automatically after a period of inactivity, if this feature is available. Maximum period of inactivity is 20 minutes.
    (d) Apply administrative and physical security controls to Portable Devices and Portable Media by:
      i. Keeping them in a Secure Area when not in use,
      ii. Using check-in/check-out procedures when they are shared, and
      iii. Taking frequent inventories.
  (2) When being transported outside of a Secure Area, Portable Devices and Portable Media with DSHS Confidential Information must be under the physical control of Lead/sub grantee staff with authorization to access the Data, even if the Data is encrypted.

h. Data stored for backup purposes.
  (1) DSHS Confidential Information may be stored on Portable Media as part of a Lead/sub grantee's existing, documented backup process for business continuity or disaster recovery purposes. Such storage is authorized until such time as that media would be reused during the course of normal backup operations. If backup media is retired while DSHS Confidential Information still exists upon it, such media will be