Access Controls a. Authorized Access - DST shall have controls that are designed to maintain the logical separation such that access to systems hosting Fund Data and/or being used to provide services to Fund will uniquely identify each individual requiring access, grant access only to authorized personnel based on the principle of least privileges, and prevent unauthorized access to Fund Data. b. User Access - DST shall have a process to promptly disable access to Fund Data by any DST personnel who no longer requires such access. DST will also promptly remove access of Fund personnel upon receipt of notification from Fund.
Administrative Controls The Contractor must have the following controls in place: a. A documented security policy governing the secure use of its computer network and systems, and which defines sanctions that may be applied to Contractor staff for violating that policy. b. If the Data shared under this agreement is classified as Category 4, the Contractor must be aware of and compliant with the applicable legal or regulatory requirements for that Category 4 Data. c. If Confidential Information shared under this agreement is classified as Category 4, the Contractor must have a documented risk assessment for the system(s) housing the Category 4 Data.
Audit Controls a. System Security Review. CONTRACTOR must ensure audit control mechanisms that record and examine system activity are in place. All systems processing and/or storing PHI COUNTY discloses to CONTRACTOR or CONTRACTOR creates, receives, maintains, or transmits on behalf of COUNTY must have at least an annual system risk assessment/security review which provides assurance that administrative, physical, and technical controls are functioning effectively and providing adequate levels of protection. Reviews should include vulnerability scanning tools.
Personal Controls a. Employee Training. All workforce members who assist in the performance of functions or activities on behalf of COUNTY in connection with Agreement, or access or disclose PHI COUNTY discloses to CONTRACTOR or CONTRACTOR creates, receives, maintains, or transmits on behalf of COUNTY, must complete information privacy and security training, at least annually, at CONTRACTOR’s expense. Each workforce member who receives information privacy and security training must sign a certification, indicating the member’s name and the date on which the training was completed. These certifications must be retained for a period of six (6) years following the termination of Agreement.