database, database logging functionality shall be enabled. The audit trail data shall be archived for at least three (3) years from the occurrence.

z. Contractor shall ensure that all of its systems providing access to PII shall use role-based access controls for all user authentications, enforcing the principle of least privilege.

aa. Contractor shall ensure that all data transmissions of PII outside of its secure internal networks must be encrypted using a Federal Information Processing Standard (FIPS) 140-2 certified algorithm that is 128 bit or higher, such as Advanced Encryption Standard (AES) or Transport Layer Security (TLS). It is encouraged, when available and when feasible, that 256-bit encryption be used. Encryption can be end to end at the network level, or the data files containing PII can be encrypted. This requirement pertains to any type of PII in motion such as website access, file transfer, and email.

bb. Contractor shall ensure that all of its systems involved in accessing, storing, transporting, and protecting PII, which are accessible through the Internet, must be protected by an intrusion detection and prevention solution.

cc. Contractor shall ensure that audit control mechanisms are in place. All Contractor systems processing and/or storing Personally Identifiable Information must have at least an annual system risk assessment/security review that ensures administrative, physical, and technical controls are functioning effectively and provide an adequate level of protection. Review shall include vulnerability scanning tools.

dd. Contractor shall ensure that all of its systems processing and/or storing PII must have a process or automated procedure in place to review system logs for unauthorized access.

ee. Contractor shall ensure that all of its systems processing and/or storing PII must have a documented change control process that ensures separation of duties and protects the confidentiality, integrity and availability of data.

ff. Contractor shall establish a documented plan to enable continuation of critical business processes and protection of the security of PII kept in an electronic format in the event of an emergency. Emergency means any circumstance or situation that causes normal computer operations to become unavailable for use in performing the work required under this Agreement for more than twenty-four (24) hours.

gg. Contractor shall ensure its data centers with servers, data storage devices, and critical network infrastructure involved in the use, storage and/or processing of PII, must include environmental protection such as cooling, power, and fire prevention, detection, and suppression.

hh. Contractor shall establish documented procedures to backup PII to maintain retrievable exact copies of PII. The documented backup procedures shall contain a schedule which includes incremental and full backups, storing backups offsite, inventory of backup media, recovery of PII data, and an estimate of the amount of time needed to restore PII data.

ii. Contractor shall ensure that PII in paper form shall not be left unattended at any time, unless it is in a locked space such as a file cabinet, file room, desk or office. Unattended means that information may be observed by an individual not authorized to access the information. Locked spaces are defined as locked file cabinets, locked file rooms, locked desks, or locked offices in

ATTY/AGR/2025.134/ CORE SERVICE AGENCY CONTRACT (SMC AND RWC)
REV: 06-04-25 VR Page 13 of 48