Agmt21 County of San Mateo
Last modified: 7/14/2021 3:32:53 PM
Creation date: 7/14/2021 3:32:30 PM
Template: Agreement
Contractor Name: San Mateo County
PROJECT NAME: Information and Referral Services provided at the Fair Oaks Community Center
RMP File Number: 304
Date: 7/9/2021
MO Ref: 21-100
Template version date: February 22, 2017 Issued by: 5

numerals (0-9) and special characters (!, @, #, etc.). Passwords are not to be shared and changed if revealed or compromised. All passwords must be changed every (90) days or less and must not be stored in readable format on the computer or server.

u. Contractor shall ensure that usernames for its staff authorized to access PII will be promptly disabled, deleted, or the password changed upon the transfer or termination of an employee within twenty-four (24) hours. Note: Twenty-four (24) hours is defined as one (1) working day.

v. Contractor shall ensure when no longer needed, all PII must be cleared, purged, or destroyed consistent with NIST SP 800-88, Guidelines for Media Sanitization, such that the Personally Identifiable Information cannot be retrieved.

w. Contractor shall ensure that all of its systems providing access to PII must provide an automatic timeout, requiring re-authentication of the user session after no more than twenty (20) minutes of inactivity.

x. Contractor shall ensure that all of its systems providing access to PII must display a warning banner stating, at a minimum that data is confidential; systems are logged, systems use is for business purposes only by authorized users and users shall log off the system immediately if they do not agree with these requirements.

y. Contractor will ensure that all of its systems providing access to PII must maintain an automated audit trail that can identify the user or system process which initiates a request for PII, or alters PII. The audit trail shall be date and time stamped; log both successful and failed accesses; be read-access only; and be restricted to authorized users. If PII is stored in a database, database logging functionality shall be enabled. The audit trail data shall be archived for at least three (3) years from the occurrence.

z. Contractor shall ensure that all of its systems providing access to PII shall use role-based access controls for all user authentications, enforcing the principle of least privilege.

aa. Contractor shall ensure that all data transmissions of PII outside of its secure internal networks must be encrypted using a Federal Information Processing Standard (FIPS) 140-2 certified algorithm that is 128 bit or higher, such as Advanced Encryption Standard (AES) or Transport Layer Security (TLS). It is encouraged, when available and when feasible, that 256 bit encryption be used. Encryption can be end to end at the network level, or the data files containing PII can be encrypted. This requirement pertains to any type of PII in motion such as website access, file transfer, and email.

bb. Contractor shall ensure that all of its systems involved in accessing, storing, transporting, and protecting PII, which are accessible through the Internet, must be protected by an intrusion detection and prevention solution.

cc. Contractor shall ensure that audit control mechanisms are in place. All Contractor systems processing and/or storing Personally Identifiable Information

ATTY/AGR.2021.130/County of San Mateo (Page 28 of 31)