Laserfiche WebLink
JL 4 <br /> a) The Open Web Application Security Project Top Ten (OWASP Top 10), or <br /> b) The CWEJSANS TOP 25 Most Dangerous Software Errors <br /> 6. COMPUTER SECURITY <br /> Licensee shall maintain computers that access Data by ensuring the operating system and <br /> software are updated and patched monthly, such that they remain secure from known <br /> vulnerabilities. Licensee computer device(s) must also be installed with an Anti-Maiware <br /> solution and signatures updated no less than monthly. <br /> 7. DATA STORAGE <br /> Licensee shall designate and be able to identify all computing equipment, on which Licensee <br /> stores, processes, and maintains Data. No Data at any time may be processed on or <br /> transferred to any portable storage medium. Laptop/tablet computing devices are not <br /> considered portable storage medium in this context provided it is installed with end-point <br /> encryption. <br /> 8. ELECTRONIC DATA TRANSMISSION <br /> Licensee shall maintain secure means (e.g., HTTPS or SFTP) for the electronic transmission <br /> or exchange of system and application data with DOL or any other authorized Licensee. <br /> 9. DATA ENCRYPTION <br /> Licensee shall encrypt all Data, whether in transit or at rest, by using only NIST or ISO <br /> approved encryption algorithms; this includes all back-up copies of Data. Licensee further <br /> must install any laptop/notebook computing device, processing Data, with end-point <br /> encryption (i.e., full disk encryption). <br /> 10. DISTRIBUTION OF DATA <br /> Licensee may only use and exchange Confidential Information for the purposes as expressly <br /> described and allowed in this Agreement. In addition to any other restrictions on Permissible <br /> Use, Confidential Information may not be distributed, repurposed or shared across other <br /> applications, environments, or business units of Licensee. Licensee must assure that no <br /> Confidential Information of any kind is transmitted, exchanged or otherwise passed to other <br /> contractors/vendors or interested parties except Licensee and/or Subrecipients who have an <br /> authorized legal Permissible Use according to this Agreement, and who are under contract <br /> with Licensee. <br /> 11. DATA DISPOSAL <br /> Unless a more immediate disposal requirement is set forth in this Agreement, Licensee, upon <br /> termination of this Agreement, shall erase, destroy, and render unrecoverable all DOL <br /> Confidential Data and certify in writing that these actions have been completed within thirty <br /> (30) days of the termination of this Agreement. At a minimum, media sanitization is to be <br /> performed according to the standards enumerated by NIST SP 800-88r1 Guidelines for <br /> Media Sanitization. <br /> 12. OFFSHORING - ELECTRONIC <br /> Licensee must maintain the primary, backup, disaster recovery and other sites for storage of <br /> Confidential Data only from locations in the United States. <br /> Licensee may not commit the following unless it has advance written approval from DOL: <br /> a) Directly or indirectly (including through Subrecipients) transmit any Confidential Data <br /> outside the United States; or <br /> b) Allow any Confidential Data to be accessed by Subrecipients from locations outside of <br /> Page 10 of 12 <br /> 19 <br />