Access Controls a. Authorized Access - DST shall have controls that are designed to maintain the logical separation such that access to systems hosting Fund Data and/or being used to provide services to Fund will uniquely identify each individual requiring access, grant access only to authorized personnel based on the principle of least privileges, and prevent unauthorized access to Fund Data. b. User Access - DST shall have a process to promptly disable access to Fund Data by any DST personnel who no longer requires such access. DST will also promptly remove access of Fund personnel upon receipt of notification from Fund.
System Access Control Data processing systems used to provide the Cloud Service must be prevented from being used without authorization.
User IDs and Password Controls All users must be issued a unique user name for accessing DHCS PHI or PI. Username must be promptly disabled, deleted, or the password changed upon the transfer or termination of an employee with knowledge of the password, at maximum within 24 hours. Passwords are not to be shared. Passwords must be at least eight characters and must be a non-dictionary word. Passwords must not be stored in readable format on the computer. Passwords must be changed every 90 days, preferably every 60 days. Passwords must be changed if revealed or compromised. Passwords must be composed of characters from at least three of the following four groups from the standard keyboard: • Upper case letters (A-Z) • Lower case letters (a-z) • Arabic numerals (0-9) • Non-alphanumeric characters (punctuation symbols)
Physical Access Control Unauthorized persons are prevented from gaining physical access to premises, buildings or rooms where data processing systems that process and/or use Personal Data are located.
Information Access Each Party (“Disclosing Party”) shall make available to another Party (“Requesting Party”) information that is in the possession of the Disclosing Party and is necessary in order for the Requesting Party to: (i) verify the costs incurred by the Disclosing Party for which the Requesting Party is responsible under this Agreement; and (ii) carry out its obligations and responsibilities under this Agreement. The Parties shall not use such information for purposes other than those set forth in this Article 25.1 of this Agreement and to enforce their rights under this Agreement.