Agmt21 County of San Mateo
Last modified: 7/14/2021 3:32:53 PM
Creation date: 7/14/2021 3:32:30 PM
Template: Agreement
Contractor Name: San Mateo County
PROJECT NAME: Information and Referral Services provided at the Fair Oaks Community Center
RMP File Number: 304
Date: 7/9/2021
MO Ref: 21-100
Template version date: February 22, 2017 Issued by: 4

n. Contractor shall ensure that PII shall not be left unattended at any time in airplanes, buses, trains, etc., including baggage areas. This should be included in training due to the nature of the risk.

o. Contractor shall ensure that all workstations and laptops, which use, store and/or process PII, must be encrypted using a FIPS 140-2 certified algorithm 128 bit or higher, such as Advanced Encryption Standard (AES). The encryption solution must be full disk. It is encouraged, when available and when feasible, that the encryption be 256 bit.

p. Contractor shall ensure that servers containing unencrypted PII must have sufficient administrative, physical, and technical controls in place to protect that data, based upon a risk assessment/system security review. It is recommended to follow the guidelines documented in the latest revision of the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Security and Privacy Controls for Federal Information Systems and Organizations.

q. Contractor agrees that only the minimum necessary amount of PII required to perform required business functions will be accessed, copied, downloaded, or exported.

r. Contractor shall ensure that all electronic files, which contain PII data, are encrypted when stored on any mobile device or removable media (i.e. USB drives, CD/DVD, smartphones, tablets, backup tapes etc.). Encryption must be a FIPS 140-2 certified algorithm 128 bit or higher, such as AES. It is encouraged, when available and when feasible, that the encryption be 256 bit.

s. Contractor shall ensure that all workstations, laptops and other systems, which process and/or store PII, must install and actively use an antivirus software solution. Antivirus software should have automatic updates for definitions scheduled at least daily. In addition, Contractor shall ensure that:

   i. All workstations, laptops and other systems, which process and/or store PII, must have critical security patches applied, with system reboot if necessary.
   ii. There must be a documented patch management process that determines installation timeframe based on risk assessment and vendor recommendations.
   iii. At a maximum, all applicable patches deemed as critical must be installed within thirty (30) days of vendor release. It is recommended that critical patches which are high risk be installed within seven (7) days.
   iv. Applications and systems that cannot be patched within this time frame, due to significant operational reasons, must have compensatory controls implemented to minimize risk.

t. Contractor shall ensure that all of its staff accessing Personally Identifiable Information on applications and systems will be issued a unique individual password that is at least eight (8) characters, a non-dictionary word, composed of characters from at least three (3) of the following four (4) groups from the standard keyboard: upper case letters (A-Z); lower case letters (a-z); Arabic

ATTY/AGR.2021.130/County of San Mateo (Page 27 of 31)