Attachment B - Data Security Requirements

For all Confidential Information to be electronically stored, processed, or transmitted, Licensee shall apply the following requirements:

1. Data Security
Licensee must protect the confidentiality, integrity and availability of Data with administrative, technical and physical measures that meet generally recognized industry standards and best practices or standards established by the Office of the Chief Information Officer (OCIO). Examples of industry standards and best practices include any of the following:
a) ISO 27002
b) PCI DSS
c) NIST 800 series
d) OCIO 141.10 (https://ocio.wa.gov/policies/141-securing-information-technology-assets/14110-securing-information-technology-assets)

2. Network Security
Licensee’s network security must include the following:
a) Network firewall provisioning
b) Intrusion detection
c) Quarterly vulnerability assessments
d) Annual penetration tests (when Data is defined as Category 3 or higher). This requirement only applies if the Licensee is hosting the DOL data.

3. Access Security
Licensee shall restrict Authorized User access to the Data by requiring a login using a unique user ID and complex password or other authentication mechanism which provides equal or greater security. Passwords must be changed on a periodic basis, at least quarterly. The sharing of user IDs and passwords is strictly prohibited. Licensee is solely responsible for protection of all of its user IDs and passwords, and is responsible for all Data Security Breaches caused through the use of its user IDs and passwords.

4. Application Security
Licensee shall maintain and support its software and subsequent upgrades, updates, patches, and bug fixes such that the software is, and remains, secure from known vulnerabilities. Licensee must secure web applications that minimally meet all the security controls as generally described in either:
a) The Open Web Application Security Project Top Ten (OWASP Top 10), or
b) The CWE/SANS TOP 25 Most Dangerous Software Errors.

5. Computer Security
Licensee shall maintain computers that access Data by ensuring the operating system and software are updated and patched monthly, such that they remain secure from known vulnerabilities. Licensee computer device(s) must also be installed with an Anti-Malware solution, with signatures updated no less than monthly.

6. Data Storage
Licensee shall designate and be able to identify all computing equipment on which Licensee stores, processes, and maintains Data. No Data at any time may be processed on or transferred to any portable storage medium. Laptop/tablet computing devices are not considered portable storage media in this context, provided that they are installed with end-point encryption.