DSHS Central Contract Services
601 7CF County Program Agreement (10-31-2017)
Special Terms and Conditions

which defines sanctions that may be applied to Contractor staff for violating that policy.
b. If the Data shared under this agreement is classified as Category 4, the Contractor must be aware of and compliant with the applicable legal or regulatory requirements for that Category 4 Data.
c. If Confidential Information shared under this agreement is classified as Category 4, the Contractor must have a documented risk assessment for the system(s) housing the Category 4 Data.

4. Authorization, Authentication, and Access. In order to ensure that access to the Data is limited to authorized staff, the Contractor must:
a. Have documented policies and procedures governing access to systems with the shared Data
b. Restrict access through administrative, physical, and technical controls to authorized staff
c. Ensure that user accounts are unique and that any given user account logon ID and password combination is known only to the one employee to whom that account is assigned. For purposes of non-repudiation, it must always be possible to determine which employee performed a given action on a system housing the Data based solely on the logon ID used to perform the action.
d. Ensure that only authorized users are capable of accessing the Data.
e. Ensure that an employee's access to the Data is removed immediately
   (1) Upon suspected compromise of the user credentials.
   (2) When their employment, or the contract under which the Data is made available to them, is terminated.
   (3) When they no longer need access to the Data to fulfill the requirements of the contract.
f. Have a process to periodically review and verify that only authorized users have access to systems containing DSHS Confidential Information.
g. When accessing the Data from within the Contractor's network (the Data stays within the Contractor's network at all times), enforce password and logon requirements for users within the Contractor's network, including:
   (1) A minimum length of 8 characters, and containing at least three of the following character classes: uppercase letters, lowercase letters, numerals, and special characters such as an asterisk, ampersand, or exclamation point.
   (2) That a password does not contain a user's name, logon ID, or any form of their full name.
   (3) That a password does not consist of a single dictionary word. A password may be formed as a passphrase which consists of multiple dictionary words.
   (4) That passwords are significantly different from the previous four passwords. Passwords that increment by simply adding a number are not considered significantly different.
h. When accessing Confidential Information from an external location (the Data will traverse the Internet or otherwise travel outside the Contractor's network), mitigate risk and enforce password and logon requirements for users by employing measures including: