Contract Template <,000
May 2021
Page 34
REV: 06-16-22 SK

Standard (FIPS) 140-2 certified algorithm that is 128 bit or higher, such as Advanced Encryption Standard (AES) or Transport Layer Security (TLS). It is encouraged, when available and when feasible, that 256 bit encryption be used. Encryption can be end to end at the network level, or the data files containing PII can be encrypted. This requirement pertains to any type of PII in motion such as website access, file transfer, and email.

bb. Contractor shall ensure that all of its systems involved in accessing, storing, transporting, and protecting PII, which are accessible through the Internet, must be protected by an intrusion detection and prevention solution.

cc. Contractor shall ensure that audit control mechanisms are in place. All Contractor systems processing and/or storing Personally Identifiable Information must have at least an annual system risk assessment/security review that ensures administrative, physical, and technical controls are functioning effectively and provide an adequate level of protection. Review shall include vulnerability scanning tools.

dd. Contractor shall ensure that all of its systems processing and/or storing PII must have a process or automated procedure in place to review system logs for unauthorized access.

ee. Contractor shall ensure that all of its systems processing and/or storing PII must have a documented change control process that ensures separation of duties and protects the confidentiality, integrity and availability of data.

ff. Contractor shall establish a documented plan to enable continuation of critical business processes and protection of the security of PII kept in an electronic format in the event of an emergency. Emergency means any circumstance or situation that causes normal computer operations to become unavailable for use in performing the work required under this Agreement for more than twenty-four (24) hours.

gg. Contractor shall ensure its data centers with servers, data storage devices, and critical network infrastructure involved in the use, storage and/or processing of PII, must include environmental protection such as cooling, power, and fire prevention, detection, and suppression.

hh. Contractor shall establish documented procedures to back up PII to maintain retrievable exact copies of PII. The documented backup procedures shall contain a schedule which includes incremental and full backups, storing backups offsite, inventory of backup media, recovery of PII data, an estimate of the amount of time needed to restore PII data.

ii. Contractor shall ensure that PII in paper form shall not be left unattended at any time, unless it is in a locked space such as a file cabinet, file room, desk or office. Unattended means that information may be observed by an individual not authorized to access the information. Locked spaces are defined as locked file

ATTY/AGR.2022.153/County of San Mateo (HSA Contract June 2022) (Page 34 of 37)
DocuSign Envelope ID: F5FF63A3-8103-4442-8F5F-F37301405123