Contract Template <,000
May 2021
Page 33
REV: 06-16-22 SK

patches which are high risk be installed within seven (7) days.

iv. Applications and systems that cannot be patched within this time frame, due to significant operational reasons, must have compensatory controls implemented to minimize risk.

t. Contractor shall ensure that all of its staff accessing Personally Identifiable Information on applications and systems will be issued a unique individual password that is at least eight (8) characters, a non-dictionary word, composed of characters from at least three (3) of the following four (4) groups from the standard keyboard: upper case letters (A-Z); lower case letters (a-z); Arabic numerals (0-9); and special characters (!, @, #, etc.). Passwords are not to be shared and must be changed if revealed or compromised. All passwords must be changed every ninety (90) days or less and must not be stored in readable format on the computer or server.

u. Contractor shall ensure that usernames for its staff authorized to access PII will be promptly disabled, deleted, or the password changed upon the transfer or termination of an employee within twenty-four (24) hours. Note: Twenty-four (24) hours is defined as one (1) working day.

v. Contractor shall ensure that when no longer needed, all PII must be cleared, purged, or destroyed consistent with NIST SP 800-88, Guidelines for Media Sanitization, such that the Personally Identifiable Information cannot be retrieved.

w. Contractor shall ensure that all of its systems providing access to PII must provide an automatic timeout, requiring re-authentication of the user session after no more than twenty (20) minutes of inactivity.

x. Contractor shall ensure that all of its systems providing access to PII must display a warning banner stating, at a minimum, that data is confidential; systems are logged; system use is for business purposes only by authorized users; and users shall log off the system immediately if they do not agree with these requirements.

y. Contractor will ensure that all of its systems providing access to PII must maintain an automated audit trail that can identify the user or system process which initiates a request for PII, or alters PII. The audit trail shall be date and time stamped; log both successful and failed accesses; be read-access only; and be restricted to authorized users. If PII is stored in a database, database logging functionality shall be enabled. The audit trail data shall be archived for at least three (3) years from the occurrence.

z. Contractor shall ensure that all of its systems providing access to PII shall use role-based access controls for all user authentications, enforcing the principle of least privilege.

aa. Contractor shall ensure that all data transmissions of PII outside of its secure internal networks must be encrypted using a Federal Information Processing

ATTY/AGR.2022.153/County of San Mateo (HSA Contract June 2022) (Page 33 of 37)
DocuSign Envelope ID: F5FF63A3-8103-4442-8F5F-F37301405123