Laserfiche WebLink
Page 11 <br />h. Contractor shall ensure that PII is used and stored in an area that is physically safe from <br />access by unauthorized persons at all times and safeguard PII from loss, theft, or inadvertent <br />disclosure by securing all areas of its facilities staff assist in the <br />disclose, or store PII. <br />i. Contractor shall ensure that each physical location, where PII is used, disclosed, or stored, <br />has procedures and controls that ensure an individual who is terminated from access to the <br />facility is promptly escorted from the facility by an authorized employee of Contractor and <br />access is revoked. <br />j. Contractor shall ensure that there are security guards or a monitored alarm system at all times <br />five hundred (500) or more individually <br />identifiable records of PII is used, disclosed, or stored. Video surveillance systems are <br />recommended. <br />k. Contractor shall ensure that data centers with servers, data storage devices, and/or critical <br />network infrastructure involved in the use, storage, and/or processing of PII have perimeter <br />security and physical access controls that limit access to only those authorized by this <br />Agreement. Visitors to any Contractor data centers area storing PII as a result of administration <br />of a county program must <br />l. Contractor shall have policies that include, based on applicable risk factors, a description of <br />the circumstances under which Contractor staff can transport PII, as well as the physical <br />security requirements during transport. <br />m. Contractor shall ensure that any PII stored in a vehicle shall be in a non-visible area such as <br />a trunk, that the vehicle is locked, and under no circumstances permit PII be left unattended in a <br />vehicle overnight or for other extended periods of time. <br />n. Contractor shall ensure that PII shall not be left unattended at any time in airplanes, buses, <br />trains, etc., including baggage areas. This should be included in training due to the nature of the <br />risk. <br />o. Contractor shall ensure that all workstations and laptops, which use, store and/or process PII, <br />must be encrypted using a FIPS 140-2 certified algorithm 128 bit or higher, such as Advanced <br />Encryption Standard (AES). The encryption solution must be full disk. It is encouraged, when <br />available and when feasible, that the encryption be 256 bits. <br />p. Contractor shall ensure that servers containing unencrypted PII must have sufficient <br />administrative, physical, and technical controls in place to protect that data, based upon a risk <br />assessment/system security review. It is recommended to follow the guidelines documented in <br />the latest revision of the National Institute of Standards and Technology (NIST) Special <br />Publication (SP) 800-53, Security and Privacy Controls for Federal Information Systems and <br />Organizations. <br />q. Contractor agrees that only the minimum necessary amount of PII required to perform <br />required business functions will be accessed, copied, downloaded, or exported. <br />r. Contractor shall ensure that all electronic files, which contain PII data is encrypted when <br />stored on any mobile device or removable media (i.e. USB drives, CD/DVD, smartphones, <br />network infrastructure involved in the use, storage, and/network infrastructure involved in the use, storage, and/or processing of PII have perimeter <br />security and physical access controls that security and physical access controls that limit accesslimit access to only thosto only those authorized by this e authorized by this <br />Agreement. Visitors to any Contractor data centers area storing PII as a result of administration Agreement. Visitors to any Contractor data centers area storing PII as a result of administration <br />ATTY/AGR/2025.134/ CORE SERVICE AGENCY CONTRACT (SMC AND RWC) <br />REV: 06-04-25 VR Page 11 of 48 <br />6.L. - Page 14 of 51 <br />111