Special Terms and Conditions
Exhibit A - Data Security Requirements
Definitions

The words and phrases listed below, as used in this Exhibit, shall each have the following definitions:

a. "AES" means the Advanced Encryption Standard, a specification of Federal Information Processing Standards publications for the encryption of electronic data issued by the National Institute of Standards and Technology (https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.197-upd1.pdf).

b. "Authorized User(s)" means an individual or individuals with a business need to access DSHS Confidential Information, and who has or have been authorized to do so.
c. "Category 4 Data" is data that is confidential and requires special handling due to statutes or regulations that require especially strict protection of the data and from which especially serious consequences may arise in the event of any compromise of such data. For purposes of this contract, data classified as Category 4 refers to data protected by: the Health Insurance Portability and Accountability Act (HIPAA).
d. "Cloud" means data storage on servers hosted by an entity other than the Contractor and on a network outside the control of the Contractor. Physical storage of data in the cloud typically spans multiple servers and often multiple locations. Cloud storage can be divided between consumer grade storage for personal files and enterprise grade for companies and governmental entities. Examples of consumer grade storage would include iCloud, Dropbox, Box.com, and many other entities. Enterprise cloud vendors include Microsoft Azure, Amazon Web Services, O365, and Rackspace.
e. "Encrypt" means to encode Confidential Information into a format that can only be read by those possessing a "key"; a password, digital certificate or other mechanism available only to authorized users. Encryption must use a key length of at least 128 bits (256 preferred) for symmetric keys, or 2048 bits for asymmetric keys. When a symmetric key is used, the Advanced Encryption Standard (AES) must be used if available.
f. "Hardened password" means a string of at least eight characters containing at least three of the following four character classes: Uppercase alphabetic, lowercase alphabetic, numeral, and special characters such as an asterisk, ampersand, or exclamation point.
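The key-length and password-class rules in definitions (e) and (f) are concrete enough to check mechanically. The following is an added example, not part of the Exhibit or of any DSHS tooling; it assumes that any non-alphanumeric character counts as a "special character" and that AES is available, so a non-AES symmetric algorithm is reported as a failure.

```python
import re

# Definition (f): at least eight characters and at least three of the four
# character classes: uppercase, lowercase, numeral, special character.
# Assumption (not stated in the Exhibit): any non-alphanumeric character is "special".
CLASS_PATTERNS = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}
MIN_PASSWORD_LENGTH = 8
MIN_CLASSES = 3

def password_classes(password: str) -> set:
    """Names of the character classes present in the password."""
    return {name for name, pattern in CLASS_PATTERNS.items() if pattern.search(password)}

def is_hardened_password(password: str) -> bool:
    """True if the password satisfies definition (f)."""
    return len(password) >= MIN_PASSWORD_LENGTH and len(password_classes(password)) >= MIN_CLASSES

# Definition (e): symmetric keys at least 128 bits (256 preferred), using AES;
# asymmetric keys at least 2048 bits. Assumption: AES is available, so a non-AES
# symmetric algorithm is a failure rather than a permitted fallback.
MIN_SYMMETRIC_BITS, PREFERRED_SYMMETRIC_BITS, MIN_ASYMMETRIC_BITS = 128, 256, 2048

def encryption_findings(algorithm: str, key_bits: int, symmetric: bool) -> list:
    """FAIL findings break definition (e); NOTE findings are advisory only."""
    findings = []
    if symmetric:
        if key_bits < MIN_SYMMETRIC_BITS:
            findings.append(f"FAIL: symmetric key of {key_bits} bits is below {MIN_SYMMETRIC_BITS}")
        elif key_bits < PREFERRED_SYMMETRIC_BITS:
            findings.append(f"NOTE: {key_bits}-bit symmetric key meets the minimum; {PREFERRED_SYMMETRIC_BITS} is preferred")
        if algorithm.upper() != "AES":
            findings.append(f"FAIL: symmetric algorithm {algorithm} is not AES")
    elif key_bits < MIN_ASYMMETRIC_BITS:
        findings.append(f"FAIL: asymmetric key of {key_bits} bits is below {MIN_ASYMMETRIC_BITS}")
    return findings

def encryption_compliant(algorithm: str, key_bits: int, symmetric: bool) -> bool:
    """True when no FAIL finding is raised for the given parameters."""
    return not any(f.startswith("FAIL") for f in encryption_findings(algorithm, key_bits, symmetric))

if __name__ == "__main__":
    # Constructed sample settings: weak configurations beside a compliant one.
    for alg, bits, sym in [("3DES", 168, True), ("AES", 256, True), ("RSA", 1024, False)]:
        print(alg, bits, encryption_findings(alg, bits, sym) or ["OK"])
    for pw in ["password", "Pa$sw0r", "Tr0ub4dor&"]:
        print(repr(pw), is_hardened_password(pw))
```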
g. "Mobile Device" means a computing device, typically smaller than a notebook, which runs a mobile operating system, such as iOS, Android, or Windows Phone. Mobile Devices include smart phones, most tablets, and other form factors.
h. "Multi-factor Authentication" means controlling access to computers and other IT resources by requiring two or more pieces of evidence that the user is who they claim to be. These pieces of evidence consist of something the user knows, such as a password or PIN; something the user has, such as a key card, smart card, or physical token; and something the user is, a biometric identifier such as a fingerprint, facial scan, or retinal scan. "PIN" means a personal identification number, a series of numbers which act as a password for a device. Since PINs are typically only four to six characters, PINs are usually used in conjunction with another factor of authentication, such as a fingerprint.
i. "Portable Device" means any computing device with a small form factor, designed to be transported from place to place. Portable devices are primarily battery powered devices with base computing resources in the form of a processor, memory, storage, and network access. Examples include, but
Page 19
DSHS Central Contract Services
1769CS County Agreement (05-06-2025)