Laserfiche WebLink
<br /> <br /> <br /> <br />EXHIBIT E <br />INFORMATION SECURITY REQUIREMENTS <br />Security Standards and Requirements <br />City is committed to protecting its employees, customers, and partners from cyber threats and ensuring compliance with all <br />applicable laws and regulations, including HIPAA, PCI, CJIS, and PII regulations. City enforces security standards in <br />accordance with NIST 800-53 Rev. 4 and follows best practices to secure its computer systems and data. <br />In conducting business with Govstream, City requires Govstream to maintain a minimum level of compliance to reduce the <br />risk of data loss or data breaches. <br />Software-as-a-Service/Cloud (SaaS) <br />A solution is subject to SaaS/Cloud standards if any or part of the solution is hosted at a non -City facility and its day-to-day <br />operations are not dictated and performed by City staff. <br />Audit <br />To the extent the applicable Service offering is available and purchased from Govstream for the handling of such information, <br />a Govstream, whose solution stores, sends, receives or transacts CJIS, PII, PCI or HIPAA data, must adhere to Federal <br />regulation regarding its treatment. City shall be entitled to audit reports, as available, such as ISO 27001 certification, as well <br />as SSAE 16 SOC-I and SOC-II audits where applicable. <br />A Govstream responsible for providing managed hosting services (such as hosting a website on behalf of the City) shall ensure <br />that website, access control systems, and supporting Software is secure. At a minimum, this includes an annual review of all <br />users with access to the systems, applications, and code provided by Govstream, an annual independent security audit which <br />includes vulnerability scans, network and application layer penetration tests, and code reviews. Independent shall mean that <br />the persons conducting the security assessment will be independent of the design, installation, or maintenance of the systems . <br />Govstream shall have a centralized logging, monitoring, and alerting systems in place. <br />These requirements are not a substitute for Govstream’s obligations under applicable regulatory requirements including, but <br />not limited to, the Payment Card Industry (PCI), Criminal Justice Information System (CJIS), the Health Insurance Portability <br />and Accountability Act (HIPAA), General Data Protection Regulation (GDPR- where applicable), or State laws. <br />Backups <br />Data, transaction logs and any other information necessar y to restore a system to operation, must be backed up at a minimum <br />of once per day and stored offsite from the central processing location. <br />Data subject to CJIS, PII, PCI or HIPAA must be backed up in an encrypted format, or an alternative format, provide d such <br />format provides an equivalent level of protection. <br />Breach of the security of the system <br />This shall mean unauthorized acquisition of data that compromises the security, confidentiality, or integrity of personal <br />information maintained by the person or business. Good faith acquisition of personal information by an employee or agent of <br />the person or business for the purposes of the person or business is not a breach of the security of the system when the pers onal <br />information is not used or subject to further unauthorized disclosure. <br />Govstream plays a key role in protecting the data of the City employees, customers, citizens, etc. As such Govstream must <br />participate in the City’s compliance needs around data breach notification, including timely notification to the City not less <br />than 24 hours of discovery of an actual or suspected data breach; and an on -going participation with the City to determine the <br />extent of the data loss and the other impacts.