Agda Pkt 2025.06.09 Joint SA PFA
Last modified: 6/10/2025 4:34:20 PM
Creation date: 6/10/2025 4:28:06 PM
Template: CC Index
CC Index - Document Type: Agenda Packet
Meeting Type: Regular
Agency Type: City Council
Date: 6/9/2025
Page 13

database, database logging functionality shall be enabled. The audit trail data shall be archived for at least three (3) years from the occurrence.

z. Contractor shall ensure that all of its systems providing access to PII shall use role-based access controls for all user authentications, enforcing the principle of least privilege.

aa. Contractor shall ensure that all data transmissions of PII outside of its secure internal networks must be encrypted using a Federal Information Processing Standard (FIPS) 140-2 certified algorithm that is 128 bit or higher, such as Advanced Encryption Standard (AES) or Transport Layer Security (TLS). It is encouraged, when available and when feasible, that 256-bit encryption be used. Encryption can be end to end at the network level, or the data files containing PII can be encrypted. This requirement pertains to any type of PII in motion such as website access, file transfer, and email.

bb. Contractor shall ensure that all of its systems involved in accessing, storing, transporting, and protecting PII, which are accessible through the Internet, must be protected by an intrusion detection and prevention solution.

cc. Contractor shall ensure that audit control mechanisms are in place. All Contractor systems processing and/or storing Personally Identifiable Information must have at least an annual system risk assessment/security review that ensures administrative, physical, and technical controls are functioning effectively and provide an adequate level of protection. Review shall include vulnerability scanning tools.

dd. Contractor shall ensure that all of its systems processing and/or storing PII must have a process or automated procedure in place to review system logs for unauthorized access.

ee. Contractor shall ensure that all of its systems processing and/or storing PII must have a documented change control process that ensures separation of duties and protects the confidentiality, integrity and availability of data.

ff. Contractor shall establish a documented plan to enable continuation of critical business processes and protection of the security of PII kept in an electronic format in the event of an emergency. Emergency means any circumstance or situation that causes normal computer operations to become unavailable for use in performing the work required under this Agreement for more than twenty-four (24) hours.

gg. Contractor shall ensure its data centers with servers, data storage devices, and critical network infrastructure involved in the use, storage and/or processing of PII, must include environmental protection such as cooling, power, and fire prevention, detection, and suppression.

hh. Contractor shall establish documented procedures to backup PII to maintain retrievable exact copies of PII. The documented backup procedures shall contain a schedule which includes incremental and full backups, storing backups offsite, inventory of backup media, recovery of PII data, an estimate of the amount of time needed to restore PII data.

ii. Contractor shall ensure that PII in paper form shall not be left unattended at any time, unless it is locked space such as a file cabinet, file room, desk or office. Unattended means that information may be observed by an individual not authorized to access the information. Locked spaces are defined as locked file cabinets, locked file rooms, locked desks, or locked offices in

ATTY/AGR/2025.134/ CORE SERVICE AGENCY CONTRACT (SMC AND RWC)
REV: 06-04-25 VR Page 13 of 48
6.L. - Page 16 of 51
113