Program against all information stored locally and off-site. Information must be encrypted both in-transit and at rest and applied in such a way that it renders data unusable to anyone but authorized personnel, and the confidential process, encryption key or other means to decipher the information is protected from unauthorized access.

• It is compliant with the applicable provisions of the Washington State Office of Washington Technology Solutions (WaTech) policy SEC-01 through SEC-13, Securing Information Technology Assets, available at: https://ocio.wa.gov/policy/securing-information-technology-assets.
• It will provide DOH copies of its IT security policies, practices and procedures upon the request of the DOH Chief Information Security Officer.
• DOH may at any time conduct an audit of the LHF's security practices and/or infrastructure to assure compliance with the security requirements of this contract.
• It has implemented physical, electronic and administrative safeguards that are consistent with WaTech security standard SEC-01 through SEC-13 and ISB IT guidelines to prevent unauthorized access, use, modification or disclosure of DOH Confidential Information in any form.

This includes, but is not limited to, restricting access to specifically authorized individuals and services through the use of:

  o Documented access authorization and change control procedures;
  o Card key systems that restrict, monitor and log access;
  o Locked racks for the storage of servers that contain Confidential Information or use AES encryption (key lengths of 256 bits or greater) to protect confidential data at rest, standard algorithms validated by the National Institute of Standards and Technology (NIST) Cryptographic Algorithm Validation Program (CMVP);
  o Documented patch management practices that assure all network systems are running critical security updates within 6 days of release when the exploit is in the wild, and within 30 days of release for all others;
  o Documented anti-virus strategies that assure all systems are running the most current anti-virus signatures within 1 day of release;
  o Complex passwords that are systematically enforced and password expiration not to exceed 120 days, dependent user authentication types as defined in WaTech security standards;
  o Strong multi-factor authentication mechanisms that assure the identity of individuals who access Confidential Information;
  o Account lock-out after 5 failed authentication attempts for a minimum of 15 minutes, or for Confidential Information, until administrator reset;
  o AES encryption (using key lengths 128 bits or greater) session for all data transmissions, standard algorithms validated by NIST CMVP;
  o Firewall rules and network address translation that isolate database servers from web servers and public networks;
  o Regular review of firewall rules and configurations to assure compliance with authorization and change control procedures;
  o Log management and intrusion detection/prevention systems;
  o A documented and tested incident response plan

Any breach of this clause may result in termination of the contract and the demand for return of all personal information.

DOH Contract CLH32635-0 Page 5 of 9
July 2025