Laserfiche WebLink
Template version date: February 22, 2017 Issued by: 6 <br /> <br />must have a least an annual system risk assessment/security review that ensure <br />administrative, physical, and technical controls are functioning effectively and <br />provide an adequate level of protection. Review shall include vulnerability <br />scanning tools. <br /> <br />dd. Contractor shall ensure that all of its systems processing and/or storing PII must <br />have a process or automated procedure in place to review system logs for <br />unauthorized access. <br /> <br />ee. Contractor shall ensure that all of its systems processing and/or storing PII must <br />have a documented change control process that ensures separation of duties <br />and protects the confidentiality, integrity and availability of data. <br /> <br />ff. Contractor shall establish a documented plan to enable continuation of critical <br />business processes and protection of the security of PII kept in an electronic <br />format in the event of an emergency. Emergency means any circumstance or <br />situation that causes normal computer operations to become unavailable for use <br />in performing the work required under this Agreement for more than twenty-four <br />(24) hours. <br /> <br />gg. Contractor shall ensure its data centers with servers, data storage devices, and <br />critical network infrastructure involved in the use, storage and/or processing of <br />PII, must include environmental protection such as cooling, power, and fire <br />prevention, detection, and suppression. <br /> <br />hh. Contractor shall establish documented procedures to backup PII to maintain <br />retrievable exact copies of PIII. The documented backup procedures shall <br />contain a schedule which includes incremental and full backups, storing backups <br />offsite, inventory of backup media, recovery of PII data, an estimate of the <br />amount of time needed to restore PII data. <br /> <br />ii. Contractor shall ensure that PII in paper form shall not be left unattended at any <br />time, unless it is locked space such as a file cabinet, file room, desk or office. <br />Unattended means that information may be observed by an individual not <br />authorized to access the information. Locked spaces are defined as locked file <br />cabinets, locked file rooms, locked desks, or locked offices in facilities which are <br />multi-use, meaning that there are Contractor’s staff and non-Contractor functions <br />in one building in work areas that are not securely segregated from each other. It <br />is recommended that all PII be locked up when unattended at any time, not just <br />within multi-use facilities. <br /> <br />jj. Contractor shall ensure that any PII that must be disposed of will be through <br />confidential means, such as cross cut shredding or pulverizing. <br /> <br />kk. Contractor agrees that PII must not be removed from its facilities except for <br />identified routine business purposes or with express written permission of the <br />County. <br /> <br />ll. Contractor shall ensure that faxes containing PII shall not be left unattended and <br />fax machines shall be in secure areas. Faxes containing PII shall contain a <br />confidentiality statement notifying persons receiving faxes in error to destroy <br />ATTY/AGR.2021.130/County of San Mateo (Page 29 of 31)