Laserfiche WebLink
Special Terms and Conditions <br />(d) Apply administrative and physical security controls to Portable Devices and Portable Media <br />by: <br />Keeping them in a Secure Area when not in use, <br />ii. Using check-in/check-out procedures when they are shared, and <br />iii. Taking frequent inventories. <br />(2) When being transported outside of a Secure Area, Portable Devices and Portable Media with <br />DSHS Confidential Information must be under the physical control of Contractor staff with <br />authorization to access the Data, even if the Data is encrypted. <br />h. Data stored for backup purposes. <br />(1) DSHS Confidential Information may be stored on Portable Media as part of a Contractor's <br />existing, documented backup process for business continuity or disaster recovery purposes. <br />Such storage is authorized until such time as that media would be reused during the course of <br />normal backup operations. If backup media is retired while DSHS Confidential Information still <br />exists upon it, such media will be destroyed at that time in accordance with the disposition <br />requirements below in Section 8 Data Disposition. <br />(2) Data may be stored on non -portable media (e.g. Storage Area Network drives, virtual media, <br />etc.) as part of a Contractor's existing, documented backup process for business continuity or <br />disaster recovery purposes. If so, such media will be protected as otherwise described in this <br />exhibit. If this media is retired while DSHS Confidential Information still exists upon it, the data <br />will be destroyed at that time in accordance with the disposition requirements below in Section 8 <br />Data Disposition. <br />i. Cloud storage. DSHS Confidential Information requires protections equal to or greater than those <br />specified elsewhere within this exhibit. Cloud storage of Data is problematic as neither DSHS nor <br />the Contractor has control of the environment in which the Data is stored. For this reason: <br />(1) DSHS Data will not be stored in any consumer grade Cloud solution, unless all of the following <br />conditions are met: <br />(a) Contractor has written procedures in place governing use of the Cloud storage and <br />Contractor attests in writing that all such procedures will be uniformly followed. <br />(b) The Data will be Encrypted while within the Contractor network. <br />(c) The Data will remain Encrypted during transmission to the Cloud. <br />(d) The Data will remain Encrypted at all times while residing within the Cloud storage solution. <br />(e) The Contractor will possess a decryption key for the Data, and the decryption key will be <br />possessed only by the Contractor and/or DSHS. <br />(f) The Data will not be downloaded to non -authorized systems, meaning systems that are not <br />on either the DSHS or Contractor networks. <br />(g) The Data will not be decrypted until downloaded onto a computer within the control of an <br />Authorized User and within either the DSHS or Contractor's network. <br />DSHS Central Contract Services <br />6017CF County Program Agreement (10-31-2017) Page 22 <br />