|
<br />
<br />
<br />
<br />EXHIBIT E
<br />INFORMATION SECURITY REQUIREMENTS
<br />Security Standards and Requirements
<br />City is committed to protecting its employees, customers, and partners from cyber threats and ensuring compliance with all
<br />applicable laws and regulations, including HIPAA, PCI, CJIS, and PII regulations. City enforces security standards in
<br />accordance with NIST 800-53 Rev. 4 and follows best practices to secure its computer systems and data.
<br />In conducting business with Govstream, City requires Govstream to maintain a minimum level of compliance to reduce the
<br />risk of data loss or data breaches.
<br />Software-as-a-Service/Cloud (SaaS)
<br />A solution is subject to SaaS/Cloud standards if any or part of the solution is hosted at a non -City facility and its day-to-day
<br />operations are not dictated and performed by City staff.
<br />Audit
<br />To the extent the applicable Service offering is available and purchased from Govstream for the handling of such information,
<br />a Govstream, whose solution stores, sends, receives or transacts CJIS, PII, PCI or HIPAA data, must adhere to Federal
<br />regulation regarding its treatment. City shall be entitled to audit reports, as available, such as ISO 27001 certification, as well
<br />as SSAE 16 SOC-I and SOC-II audits where applicable.
<br />A Govstream responsible for providing managed hosting services (such as hosting a website on behalf of the City) shall ensure
<br />that website, access control systems, and supporting Software is secure. At a minimum, this includes an annual review of all
<br />users with access to the systems, applications, and code provided by Govstream, an annual independent security audit which
<br />includes vulnerability scans, network and application layer penetration tests, and code reviews. Independent shall mean that
<br />the persons conducting the security assessment will be independent of the design, installation, or maintenance of the systems .
<br />Govstream shall have a centralized logging, monitoring, and alerting systems in place.
<br />These requirements are not a substitute for Govstream’s obligations under applicable regulatory requirements including, but
<br />not limited to, the Payment Card Industry (PCI), Criminal Justice Information System (CJIS), the Health Insurance Portability
<br />and Accountability Act (HIPAA), General Data Protection Regulation (GDPR- where applicable), or State laws.
<br />Backups
<br />Data, transaction logs and any other information necessar y to restore a system to operation, must be backed up at a minimum
<br />of once per day and stored offsite from the central processing location.
<br />Data subject to CJIS, PII, PCI or HIPAA must be backed up in an encrypted format, or an alternative format, provide d such
<br />format provides an equivalent level of protection.
<br />Breach of the security of the system
<br />This shall mean unauthorized acquisition of data that compromises the security, confidentiality, or integrity of personal
<br />information maintained by the person or business. Good faith acquisition of personal information by an employee or agent of
<br />the person or business for the purposes of the person or business is not a breach of the security of the system when the pers onal
<br />information is not used or subject to further unauthorized disclosure.
<br />Govstream plays a key role in protecting the data of the City employees, customers, citizens, etc. As such Govstream must
<br />participate in the City’s compliance needs around data breach notification, including timely notification to the City not less
<br />than 24 hours of discovery of an actual or suspected data breach; and an on -going participation with the City to determine the
<br />extent of the data loss and the other impacts.
|