tablets, backup tapes etc.). Encryption must be a FIPS 140-2 certified algorithm 128 bit or higher, such as AES. It is encouraged, when available and when feasible, that the encryption be 256 bits.

s. Contractor shall ensure that all workstations, laptops and other systems which process and/or store PII install and actively use an antivirus software solution. Antivirus software should have automatic updates for definitions scheduled at least daily. In addition, Contractor shall ensure that:

i. All workstations, laptops and other systems which process and/or store PII have critical security patches applied, with system reboot if necessary.

ii. There is a documented patch management process that determines installation timeframe based on risk assessment and vendor recommendations.

iii. At a maximum, all applicable patches deemed critical are installed within thirty (30) days of vendor release. It is recommended that critical patches which are high risk be installed within seven (7) days.

iv. Applications and systems that cannot be patched within this time frame, due to significant operational reasons, have compensatory controls implemented to minimize risk.

t. Contractor shall ensure that all of its staff accessing Personally Identifiable Information on applications and systems will be issued a unique individual password that is at least eight (8) characters, is not a dictionary word, and is composed of characters from at least three (3) of the following four (4) groups from the standard keyboard: upper case letters (A-Z); lower case letters (a-z); Arabic numerals (0-9); and special characters (!, @, #, etc.). Passwords are not to be shared and must be changed if revealed or compromised. All passwords must be changed every ninety (90) days or less and must not be stored in readable format on the computer or server.

u. Contractor shall ensure that usernames for its staff authorized to access PII will be promptly disabled, deleted, or the password changed within twenty-four (24) hours of the transfer or termination of an employee. Note: Twenty-four (24) hours is defined as one (1) working day.

v. Contractor shall ensure that, when no longer needed, all PII is cleared, purged, or destroyed consistent with NIST SP 800-88, Guidelines for Media Sanitization, such that the Personally Identifiable Information cannot be retrieved.

w. Contractor shall ensure that all of its systems providing access to PII provide an automatic timeout, requiring re-authentication of the user session after no more than twenty (20) minutes of inactivity.

x. Contractor shall ensure that all of its systems providing access to PII display a warning banner stating, at a minimum, that data is confidential; systems are logged; system use is for business purposes only by authorized users; and users shall log off the system immediately if they do not agree with these requirements.

y. Contractor will ensure that all of its systems providing access to PII maintain an automated audit trail that can identify the user or system process which initiates a request for PII or alters PII. The audit trail shall be date and time stamped; log both successful and failed accesses; be read-access only; and be restricted to authorized users. If PII is stored in a

ATTY/AGR/2025.134/ CORE SERVICE AGENCY CONTRACT (SMC AND RWC)
REV: 06-04-25 VR Page 12 of 48