Laserfiche WebLink
ATTACHMENT A <br />HIPAA AND DATA SECURITY REQUIREMENTS <br />violating that policy. <br />b. Any data center security controls must meet or exceed those expected by the Federal <br />Information Security Management Act (FISMA) for low to moderate impact systems as <br />described in FIPS 199 and 200, and in the most current release of National Institute of <br />Standards and Technology (NIST) Special Publications SP800- 53, including all other <br />referenced NIST publications. <br />c. Contractor warrants that all data collected, processed, routed, and/or stored by or <br />through the service, or third -party service providers, remains at all times within the <br />United States. <br />If the Data shared under this agreement is classified as Category 4, the Contractor <br />must be aware of and compliant with the applicable legal or regulatory requirements <br />for that Category 4 Data. <br />e. If Confidential Information shared under this agreement is classified as Category 4, <br />the Contractor must have a documented risk assessment for the system(s) housing <br />the Category 4 Data. <br />4. Authorization, Authentication, and Access. In order to ensure that access to the Data <br />is limited to authorized staff, the Contractor must: <br />a. Have documented policies and procedures governing access to systems with the <br />shared Data. <br />b. Restrict access through administrative, physical, and technical controls to authorized <br />staff. <br />c. Ensure that user accounts are unique and that any given user account logon ID and <br />password combination is known only to the one employee to whom that account is <br />assigned. For purposes of non -repudiation, it must always be possible to determine <br />which employee performed a given action on a system housing the Data based solely <br />on the logon ID used to perform the action. <br />d. Ensure that only authorized users are capable of accessing the Data. <br />e. Ensure that an employee's access to the Data is removed immediately: <br />(1) Upon suspected compromise of the user credentials. <br />(2) When their employment, or the contract under which the Data is made available to <br />them, is terminated. <br />(3) When they no longer need access to the Data to fulfill the requirements of the <br />contract. <br />f. Have a process to periodically review and verify that only authorized users have <br />access to systems containing DOC Confidential Information. <br />Washington State K14078 Page 11 of 19 <br />Department of Corrections Attachment A 26RAD <br />