Laserfiche WebLink
<br /> <br /> <br /> <br />If Govstream is providing a solution to a stated “not critical” solution, then it must maintain a disaster recovery plan that <br />demonstrates how the recovery time objective will be met. In the event of an unscheduled outage where the outage is estimated <br />to be greater than allowed by the recovery time objective, execution of the DR plan is assu med. <br />The DR plan must be practiced regularly. <br />City must maintain and use a disaster recovery call-tree of key City staff that should be notified in the event of Govstream must <br />enact their DR plan. <br />Encryption <br />Data at rest must be stored in compliance with the prevailing standard (e.g. CJIS, PII, PCI, HIPAA), which may include data <br />encryption at various levels. <br />Data in transit must be protected in compliance with the prevailing standard (e.g. CJIS, PII, PCI, HIPAA) using TLS and AES <br />algorithms configured to be consistent to those standards. <br />Identity and Access Management <br />The City employs active directory for user authentication. When Possible, any component enabling user access should have <br />the ability to integrate with active directory, directly or through SAM L single sign-on, for user authentication. <br />Solutions that do not support Active Directory must support password strength capabilities consistent with industry standards <br />(e.g. NIST SP800-53), as applicable. <br />When possible, solutions should support multi-factor authentication for local and remote access. <br />Incident Management <br />Govstream must maintain and use a call-tree of key City staff to contact in the event that Govstream is experiencing an incident <br />that will impact the City service. <br />Govstream must supply a contact for support that can assist the City in incident management for any integration to the City’s <br />service. <br />Jurisdiction <br />Data stored as part of the Services must be stored in a location subject to United States Laws. <br />Recovery Time Objective <br />The solution should implement an appropriate architecture to support the availability requirements stated as a requirement in <br />this document and enable a Recovery Time Objective (RTO) within the stated RTO period, to include concepts such as <br />geographical load balancing, clustering, etc. <br />Security <br />If Govstream is providing a SaaS solution then it must regularly test their computing environment using proactive security <br />procedures such as perimeter defense and network intrusion detection monitoring of critical network segm ents, as well as traffic <br />between web servers and load balancers. <br />Govstream must utilize a system to alert on detection of suspicious activity. <br />Within sixty (60) days prior to the start date of City’s Term, and regularly throughout the Term thereafter, Govstream shall <br />perform external vulnerability and penetration testing, and upon reasonable request, shall provide reasonable evidence to the <br />City that such testing has been performed, for all internet facing firewalls, rout ers, web servers and other assets.