Laserfiche WebLink
ATTACHMENT A <br />HIPAA AND DATA SECURITY REQUIREMENTS <br />by the National Institute of Standards and Technology (NIST). Within 72 hours of <br />a request from DOC, Contractor must provide documentation showing how the <br />credentials are secured during all transmissions using encrypted sessions such as <br />TLS or IPSec, and in storage using a secure hash method validated by the National <br />Institute of Standards and Technology (NIST). <br />i. Passwords or PIN codes may meet a lesser standard if used in conjunction with <br />another authentication mechanism, such as a biometric (fingerprint, face recognition, <br />iris scan) or token (software, hardware, smart card, etc.) in that case: <br />(1) The PIN or password must be at least 5 letters or numbers when used in <br />conjunction with at least one other authentication factor <br />(2) Must not be comprised of all the same letter or number (11111, 22222, aaaaa, <br />would not be acceptable) <br />(3) Must not contain a "run" of three or more consecutive numbers (12398, 98743 <br />would not be acceptable) <br />j. If the contract specifically allows for the storage of Confidential Information on a Mobile <br />Device, passcodes used on the device must: <br />(1) Be a minimum of six alphanumeric characters. <br />(2) Contain at least three unique character classes (upper case, lower case, letter, <br />number). <br />(3) Not contain more than a three consecutive character run. Passcodes consisting of <br />12345, or abcd12 would not be acceptable. <br />k. Render the device unusable after a maximum of 10 failed logon attempts. <br />I. Ensure the system/service supports single sign -on for state government employees, <br />and external users by integrating the system's authentication mechanisms with the <br />Washington State Enterprise Active Directory and Secure Authentication Gateways <br />(post listeners are typically used for processing the gateway host headers). <br />m. Utilize application authentication controls that are consistent with those described in <br />the most recent version of NIST SP 800-63 for information requiring assurance level <br />2 or higher. <br />5. Protection of Data. The Contractor agrees to store Data on one or more of the following <br />media and protect the Data as described: <br />a. Hard disk drives. For Data stored on local workstation hard disks, access to the Data <br />will be restricted to Authorized User(s) by requiring logon to the local workstation using <br />a Unique User ID and Hardened Password or other authentication mechanisms which <br />provide equal or greater security, such as biometrics or smart cards. <br />b. Network server disks. For Data stored on hard disks mounted on network servers <br />and made available through shared folders, access to the Data will be restricted to <br />Washington State K14078 Page 13 of 19 <br />Department of Corrections Attachment A 26RAD <br />