Protection of Data. The Contractor agrees to store Data on one or more of the following media and protect the Data as described:
a. Hard disk drives. Data stored on local workstation hard disks. Access to the Data will be restricted to Authorized User(s) by requiring logon to the local workstation using a Unique User ID and Hardened Password or other authentication mechanisms which provides equal or greater security, such as biometrics or smart cards. The data on the drive will only be accessible to authenticated individuals that need to access it. That is, the data will be secured on the disk in such a way that other authenticated individuals that do not need access to the data will not have the ability to access it. Workstations with sensitive data stored on them will be tracked and their movements documented until the sensitive data is removed from the workstation. When the data is removed the date of its removal and method of its removal will be documented. Hard drives that have contained sensitive data will be wiped with a method that will render the deleted information irretrievable.
b. Network server disks. Data stored on hard disks mounted on network servers and made available through shared folders. Access to the Data will be restricted to Authorized Users through the use of access control lists which will grant access only after the Authorized User has authenticated to the network using a Unique User ID and Hardened Password or other authentication mechanisms which provide equal or greater security, such as biometrics or smart cards. Data on disks mounted to such servers must be located in an area which is accessible only to authorized personnel, with access controlled through use of a key, card key, combination lock, or comparable mechanism. For EXCHANGE Confidential Information stored on these disks, deleting unneeded Data is sufficient as long as the disks remain in a Secured Area and otherwise meet the requirements listed in the above paragraph. Destruction of the Data as outlined in Section 5. Data Disposition may be deferred until the disks are retired, replaced, or otherwise taken out of the Secured Area.
c. Removable Media, including Optical discs (CDs or DVDs) in local workstation optical disc drives and which will not be transported out of a secure area. Sensitive or Confidential Data provided by the EXCHANGE on removable media, such as optical discs or USB drives, which will be used in local workstation optical disc drives or USB connections shall be encrypted with 128-bit AES encryption or better. When not in use for the contracted purpose, such discs must be locked in a drawer, cabinet or other container to which only authorized users have the key, combination or mechanism required to access the contents of the container. Workstations which access EXCHANGE Data on optical discs must be located in an area which is accessible only to authorized personnel, with access controlled through use of a key, card key, combination lock, or comparable mechanism.
d. Optical discs (CDs or DVDs) in drives or jukeboxes attached to servers and which will not be transported out of a secure area. Data provided by the EXCHANGE on optical discs which will be attached to network servers shall be encrypted with 128-bit AES encryption or better. Access to Data on these discs will be restricted to authorized users through the use of access control lists which will grant access only after the authorized user has been authenticated to the network using a unique user ID and complex password or other authentication mechanisms which provide equal or greater security, such as biometrics or smart cards. Data on discs attached to such servers must be located in an area which is accessible only to authorized personnel, with access controlled through use of a key, card key, combination lock, or comparable mechanism.
e. Paper documents. All paper records must be protected by storing the records in a secure area which is only accessible to authorized personnel. When not in use, such records must be stored in a locked container, such as a file cabinet, locking drawer, or safe, to which only authorized persons have access.
f. Access via remote terminal/workstation over the State Governmental Network (SGN) or WA Health Benefit Exchange network (EXCHANGE Network). Data accessed and used interactively over the SGN or EXCHANGE Network. Access to the Data will be controlled by EXCHANGE staff who will issue authentication credentials (e.g. a unique user ID and complex password) to authorized contractor staff. Contractor shall have established and documented access termination procedures for existing staff with access to EXCHANGE Data. These procedures shall be provided to EXCHANGE staff upon request. The Contractor will notify EXCHANGE staff immediately whenever an authorized person in possession of such credentials is terminated or otherwise leaves the employment of the contractor, and whenever a user’s duties change such that the user no longer requires access to perform work for this Contract.
g. Access via remote terminal/workstation over the Internet through Secure Access Washington. Data accessed and used interactively over the Internet. Access to the Data will be controlled by EXCHANGE staff who will issue remote access authentication credentials (e.g. a unique user ID and complex password) to authorized contractor staff. Contractor will notify EXCHANGE staff immediately whenever an authorized person in possession of such credentials is terminated or otherwise leaves the employ of the contractor and whenever a user’s duties change such that the user no longer requires access to perform work for this Contract.
h. Data storage on portable devices or media.
(1) EXCHANGE Data shall not be stored by the Contractor on portable devices or media unless specifically authorized within the Special Terms and Conditions of the contract. If so authorized, the Data shall be given the following protections:
(a) Encrypt the Data with a key length of at least 128 bits using an industry standard algorithm (e.g., AES, Twofish, RC6, etc.)
(b) Control access to devices with a unique user ID and password or stronger authentication method such as a physical token or biometrics.
(c) Manually lock devices whenever they are left unattended and set devices to lock automatically after a period of inactivity, if this feature is available. Maximum period of inactivity is 20 minutes.
Physically protect the portable device(s) and/or media by
(d) Keeping them in locked storage when not in use
(e) Using check-in/check-out procedures when they are shared, and
(f) Taking frequent inventories
(2) When being transported outside of a secure area, portable devices and media with confidential EXCHANGE Data must be under the physical control of contractor staff with authorization to access the Data.
(3) Portable devices include any small computing device that can be transported. They include, but are not limited to; handhelds/PDAs/phones, Ultramobile PCs, flash memory devices (e.g. USB flash drives, personal media players), and laptop/notebook/tablet computers.
(4) Portable media includes any Data storage that can be detached or removed from a computer and transported. They include, but are not limited to; optical media (e.g. CDs, DVDs), magnetic media (e.g. floppy disks, tape, Zip or Jaz disks), USB drives, or flash media (e.g. CompactFlash, SD, MMC).
Appears in 3 contracts
Sources: Contract for Products and Services, Contract for Products and Services, Contract for Products and Services
Protection of Data. The Contractor agrees to store Data on one or more of the following media and protect the Data as described:
i. Data at Rest: Data will be encrypted with NIST 800-series approved algorithms. Encryption keys will be stored and protected independently of the data. Access to the Data will be restricted to Authorized Users through the use of access control lists, a Unique User ID, and a Hardened Password, or other authentication mechanisms which provide equal or greater security, such as biometrics or smart cards. Systems that contain or provide access to Confidential Information must be located in an area that is accessible only to authorized personnel, with access controlled through use of a key, card key, combination lock, or comparable mechanism.
ii. Data stored on Portable/Removable Media or Devices:
• Confidential Information provided by HCA on Removable Media will be encrypted with NIST 800-series approved algorithms. Encryption keys will be stored and protected independently of the Data.
• HCA’s Data must not be stored by the Contractor on Portable Devices or Media unless specifically authorized within the Agreement. If so authorized, the Contractor must protect the Data by:
o Encrypting with NIST 800-series approved algorithms. Encryption keys will be stored and protected independently of the data;
o Controlling access to devices with a Unique User ID and Hardened Password or stronger authentication method such as a physical token or biometrics;
o Keeping devices in locked storage when not in use;
o Using check-in/check-out procedures when devices are shared;
o Maintaining an inventory of devices; and
o Ensuring that when being transported outside of a Secured Area, all devices containing Data are under the physical control of an Authorized User.
iii. Paper Documents: Any paper records containing Confidential Information must be protected by storing the records in a Secured Area that is accessible only to authorized personnel. When not in use, such records must be stored in a locked container, such as a file cabinet, locking drawer, or safe, to which only authorized persons have access.
f. Access via remote terminal/workstation over the State Governmental Network (SGN) or WA Health Benefit Exchange network (EXCHANGE Network). Data accessed and used interactively over the SGN or EXCHANGE Network. Access to the Data will be controlled by EXCHANGE staff who will issue authentication credentials (e.g. a unique user ID and complex password) to authorized contractor staff. Contractor shall have established and documented access termination procedures for existing staff with access to EXCHANGE Data. These procedures shall be provided to EXCHANGE staff upon request. The Contractor will notify EXCHANGE staff immediately whenever an authorized person in possession of such credentials is terminated or otherwise leaves the employment of the contractor, and whenever a user’s duties change such that the user no longer requires access to perform work for this Contract.
g. Access via remote terminal/workstation over the Internet through Secure Access Washington. Data accessed and used interactively over the Internet. Access to the Data will be controlled by EXCHANGE staff who will issue remote access authentication credentials (e.g. a unique user ID and complex password) to authorized contractor staff. Contractor will notify EXCHANGE staff immediately whenever an authorized person in possession of such credentials is terminated or otherwise leaves the employ of the contractor and whenever a user’s duties change such that the user no longer requires access to perform work for this Contract.
h. Data storage on portable devices or media.
(1) EXCHANGE Data shall not be stored by the Contractor on portable devices or media unless specifically authorized within the Special Terms and Conditions of the contract. If so authorized, the Data shall be given the following protections:
(a) Encrypt the Data with a key length of at least 128 bits using an industry standard algorithm (e.g., AES, Twofish, RC6, etc.)
(b) Control access to devices with a unique user ID and password or stronger authentication method such as a physical token or biometrics.
(c) Manually lock devices whenever they are left unattended and set devices to lock automatically after a period of inactivity, if this feature is available. Maximum period of inactivity is 20 minutes.
Physically protect the portable device(s) and/or media by
(d) Keeping them in locked storage when not in use
(e) Using check-in/check-out procedures when they are shared, and
(f) Taking frequent inventories
(2) When being transported outside of a secure area, portable devices and media with confidential EXCHANGE Data must be under the physical control of contractor staff with authorization to access the Data.
(3) Portable devices include any small computing device that can be transported. They include, but are not limited to; handhelds/PDAs/phones, Ultramobile PCs, flash memory devices (e.g. USB flash drives, personal media players), and laptop/notebook/tablet computers.
(4) Portable media includes any Data storage that can be detached or removed from a computer and transported. They include, but are not limited to; optical media (e.g. CDs, DVDs), magnetic media (e.g. floppy disks, tape, Zip or Jaz disks), USB drives, or flash media (e.g. CompactFlash, SD, MMC).
Appears in 3 contracts
Sources: Interlocal Agreement, Interlocal Agreement, Interlocal Agreement
Protection of Data. The Contractor agrees to store Data on one or more of the following media and protect the Confidential Information as described:
A. Data at Rest:
i. Data will be encrypted with NIST 800-series approved algorithms. Encryption keys will be stored and protected independently of the data. Access to the Data will be restricted to Authorized Users through the use of access control lists, a Unique User ID, and a Hardened Password, or other authentication mechanisms which provide equal or greater security, such as biometrics or smart cards. Systems which contain or provide access to Confidential Information must be located in an area that is accessible only to authorized personnel, with access controlled through use of a key, card key, combination lock, or comparable mechanism.
B. Data stored on Portable/Removable Media or Devices:
i. Confidential Information provided by HCA on Removable Media will be encrypted with NIST 800-series approved algorithms. Encryption keys will be stored and protected independently of the Data.
ii. HCA’s data must not be stored by the Contractor on Portable Devices or Media unless specifically authorized within the Contract. If so authorized, the Contractor must protect the Data by:
a) Encrypting with NIST 800-series approved algorithms. Encryption keys will be stored and protected independently of the data;
b) Control access to devices with a Unique User ID and Hardened Password or stronger authentication method such as a physical token or biometrics;
c) Keeping devices in locked storage when not in use;
d) Using check-in/check-out procedures when devices are shared;
e) Maintain an inventory of devices; and
C. Ensure that when being transported outside of a Secured Area, all devices with Data are under the physical control of an Authorized User.
D. Paper documents. Any paper records containing Confidential Information must be protected by storing the records in a Secured Area that is accessible only to authorized personnel. When not in use, such records must be stored in a locked container, such as a file cabinet, locking drawer, or safe, to which only authorized persons have access.
f. Access via remote terminal/workstation over the State Governmental Network (SGN) or WA Health Benefit Exchange network (EXCHANGE Network). Data accessed and used interactively over the SGN or EXCHANGE Network. Access to the Data will be controlled by EXCHANGE staff who will issue authentication credentials (e.g. a unique user ID and complex password) to authorized contractor staff. Contractor shall have established and documented access termination procedures for existing staff with access to EXCHANGE Data. These procedures shall be provided to EXCHANGE staff upon request. The Contractor will notify EXCHANGE staff immediately whenever an authorized person in possession of such credentials is terminated or otherwise leaves the employment of the contractor, and whenever a user’s duties change such that the user no longer requires access to perform work for this Contract.
g. Access via remote terminal/workstation over the Internet through Secure Access Washington. Data accessed and used interactively over the Internet. Access to the Data will be controlled by EXCHANGE staff who will issue remote access authentication credentials (e.g. a unique user ID and complex password) to authorized contractor staff. Contractor will notify EXCHANGE staff immediately whenever an authorized person in possession of such credentials is terminated or otherwise leaves the employ of the contractor and whenever a user’s duties change such that the user no longer requires access to perform work for this Contract.
h. Data storage on portable devices or media.
(1) EXCHANGE Data shall not be stored by the Contractor on portable devices or media unless specifically authorized within the Special Terms and Conditions of the contract. If so authorized, the Data shall be given the following protections:
(a) Encrypt the Data with a key length of at least 128 bits using an industry standard algorithm (e.g., AES, Twofish, RC6, etc.)
(b) Control access to devices with a unique user ID and password or stronger authentication method such as a physical token or biometrics.
(c) Manually lock devices whenever they are left unattended and set devices to lock automatically after a period of inactivity, if this feature is available. Maximum period of inactivity is 20 minutes.
Physically protect the portable device(s) and/or media by
(d) Keeping them in locked storage when not in use
(e) Using check-in/check-out procedures when they are shared, and
(f) Taking frequent inventories
(2) When being transported outside of a secure area, portable devices and media with confidential EXCHANGE Data must be under the physical control of contractor staff with authorization to access the Data.
(3) Portable devices include any small computing device that can be transported. They include, but are not limited to; handhelds/PDAs/phones, Ultramobile PCs, flash memory devices (e.g. USB flash drives, personal media players), and laptop/notebook/tablet computers.
(4) Portable media includes any Data storage that can be detached or removed from a computer and transported. They include, but are not limited to; optical media (e.g. CDs, DVDs), magnetic media (e.g. floppy disks, tape, Zip or Jaz disks), USB drives, or flash media (e.g. CompactFlash, SD, MMC).
Appears in 2 contracts
Sources: Professional Services, Professional Services
Protection of Data. The Contractor agrees to store Data on one or more of the following media and protect the Data as described:
a. Hard disk drives. Data stored on local workstation hard disks. Access to the Data will be restricted to Authorized User(s) by requiring logon to the local workstation using a Unique User ID and Hardened Password or other authentication mechanisms which provides equal or greater security, such as biometrics or smart cards. The data on the drive will only be accessible to authenticated individuals that need to access it. That is, the data will be secured on the disk in such a way that other authenticated individuals that do not need access to the data will not have the ability to access it. Workstations with sensitive data stored on them will be tracked and their movements documented until the sensitive data is removed from the workstation. When the data is removed the date of its removal and method of its removal will be documented. Workstations hard drives that have contained sensitive data will be wiped with a method that will render the deleted information irretrievable.
b. Network server disks. Data stored on hard disks mounted on network servers and made available through shared folders. Access to the Data will be restricted to Authorized Users through the use of access control lists which will grant access only after the Authorized User has authenticated to the network using a Unique User ID and Hardened Password or other authentication mechanisms which provide equal or greater security, such as biometrics or smart cards. Data on disks mounted to such servers must be located in an area which is accessible only to authorized personnel, with access controlled through use of a key, card key, combination lock, or comparable mechanism. For EXCHANGE Confidential Information stored on these disks, deleting unneeded Data is sufficient as long as the disks remain in a Secured Area and otherwise meet the requirements listed in the above paragraph. Destruction of the Data as outlined in Section 5. Data Disposition may be deferred until the disks are retired, replaced, or otherwise taken out of the Secured Area.
c. Removable Media, including Optical discs (CDs or DVDs) in local workstation optical disc drives and which will not be transported out of a secure area. Sensitive or Confidential Data provided by the EXCHANGE on removable media, such as optical discs or USB drives, which will be used in local workstation optical disc drives or USB connections shall be encrypted with 128-bit AES encryption or better. When not in use for the contracted purpose, such discs must be locked in a drawer, cabinet or other container to which only authorized users have the key, combination or mechanism required to access the contents of the container. Workstations which access EXCHANGE Data on optical discs must be located in an area which is accessible only to authorized personnel, with access controlled through use of a key, card key, combination lock, or comparable mechanism.
d. Optical discs (CDs or DVDs) in drives or jukeboxes attached to servers and which will not be transported out of a secure area. Data provided by the EXCHANGE on optical discs which will be attached to network servers shall be encrypted with 128-bit AES encryption or better. Access to Data on these discs will be restricted to authorized users through the use of access control lists which will grant access only after the authorized user has been authenticated to the network using a unique user ID and complex password or other authentication mechanisms which provide equal or greater security, such as biometrics or smart cards. Data on discs attached to such servers must be located in an area which is accessible only to authorized personnel, with access controlled through use of a key, card key, combination lock, or comparable mechanism.
e. Paper documents. All paper records must be protected by storing the records in a secure area which is only accessible to authorized personnel. When not in use, such records must be stored in a locked container, such as a file cabinet, locking drawer, or safe, to which only authorized persons have access.
f. Access via remote terminal/workstation over the State Governmental Network (SGN) or WA Health Benefit Exchange network (EXCHANGE Network). Data accessed and used interactively over the SGN or EXCHANGE Network. Access to the Data will be controlled by EXCHANGE staff who will issue authentication credentials (e.g. a unique user ID and complex password) to authorized contractor staff. Contractor shall have established and documented access termination procedures for existing staff with access to EXCHANGE Data. These procedures shall be provided to EXCHANGE staff upon request. The Contractor will notify EXCHANGE staff immediately whenever an authorized person in possession of such credentials is terminated or otherwise leaves the employ of the contractor, and whenever a user’s duties change such that the user no longer requires access to perform work for this Contract.
g. Access via remote terminal/workstation over the Internet through Secure Access Washington. Data accessed and used interactively over the Internet. Access to the Data will be controlled by EXCHANGE staff who will issue remote access authentication credentials (e.g. a unique user ID and complex password) to authorized contractor staff. Contractor will notify EXCHANGE staff immediately whenever an authorized person in possession of such credentials is terminated or otherwise leaves the employ of the contractor and whenever a user’s duties change such that the user no longer requires access to perform work for this Contract.
h. Data storage on portable devices or media.
(1) EXCHANGE Data shall not be stored by the Contractor on portable devices or media unless specifically authorized within the Special Terms and Conditions of the contract. If so authorized, the Data shall be given the following protections:
(a) Encrypt the Data with a key length of at least 128 bits using an industry standard algorithm (e.g., AES, Twofish, RC6, etc.)
(b) Control access to devices with a unique user ID and password or stronger authentication method such as a physical token or biometrics.
(c) Manually lock devices whenever they are left unattended and set devices to lock automatically after a period of inactivity, if this feature is available. Maximum period of inactivity is 20 minutes.
Physically protect the portable device(s) and/or media by
(d) Keeping them in locked storage when not in use
(e) Using check-in/check-out procedures when they are shared, and
(f) Taking frequent inventories
(2) When being transported outside of a secure area, portable devices and media with confidential EXCHANGE Data must be under the physical control of contractor staff with authorization to access the Data.
(3) Portable devices include any small computing device that can be transported. They include, but are not limited to: handhelds/PDAs/phones, Ultramobile PCs, flash memory devices (e.g. USB flash drives, personal media players), and laptop/notebook/tablet computers.
(4) Portable media includes any Data storage that can be detached or removed from a computer and transported. They include, but are not limited to: optical media (e.g. CDs, DVDs), magnetic media (e.g. floppy disks, tape, Zip or Jaz disks), USB drives, or flash media (e.g. CompactFlash, SD, MMC).
Appears in 2 contracts
Sources: Contract for Services, Contract for Services
Protection of Data. The Contractor agrees All electronic data provided by WADOC shall be stored on an encrypted hard drive in a secure environment with access limited to store Data on one or more the least number of staff needed to complete the purpose of the following media and protect the Data as described:Agreement.
a. Hard 1. Workstation hard disk drives. Data stored on local workstation hard disksdisks will be encrypted with a FIPS approved cryptographic algorithm. Access to the Data will be restricted to Authorized User(s) authorized users by requiring logon to the local workstation using a Unique User unique user ID and Hardened Password complex password or other authentication mechanisms which provides provide equal or greater security, such as biometrics or smart cards. The data on the drive will only be accessible to authenticated individuals that need to access it. That is, the data will be secured on the disk in such a way that other authenticated individuals that do not need access to the data will not have the ability to access it. Workstations with sensitive data stored on them will be tracked and their movements documented until the sensitive data is removed from the workstation. When the data is removed the date of its removal and method of its removal will be documented. Hard drives that have contained sensitive data will be wiped with a method that will render the deleted information irretrievable.
b. 2. Network server disks. Data stored on hard disks mounted on network servers and made available through shared foldersfolders will be encrypted with a FIPS approved cryptographic algorithm. Access to the Data data will be restricted to Authorized Users authorized users through the use of access control lists which will grant access only after the Authorized User authorized user has authenticated to the network using a Unique User unique user ID and Hardened Password complex password or other authentication mechanisms which provide equal or greater security, such as biometrics or smart cards. Data on disks mounted to such servers must be located in an area which is accessible only to authorized personnel, with access controlled through use of a key, card key, combination lock, or comparable mechanism. For EXCHANGE Confidential Information stored on these disks, deleting unneeded Data is sufficient as long as the disks remain in a Secured Area and otherwise meet the requirements listed in the above paragraph. Destruction of the Data as outlined in Section 5. Data Disposition may Backup copies must be deferred until the disks are retired, replaced, or otherwise taken out of the Secured Areaencrypted if recorded to removable media.
c. Removable Media, including 3. Optical discs (CDs or e.g. CDs, DVDs, Blu-Rays) in local workstation optical disc drives. Data provided by WADOC on optical discs which will be used in local workstation optical disc drives and which will not be transported out of a secure area. Sensitive or Confidential Data provided by the EXCHANGE on removable media, such as optical discs or USB drives, which This data will be used in local workstation optical disc drives or USB connections shall be encrypted with 128-bit AES encryption or bettera FIPS approved cryptographic algorithm. When not in use for the contracted purposeuse, such discs must be locked in a drawer, cabinet or other container to which only authorized users have the keykey combination, combination or mechanism required to access the contents of the container. Workstations which access EXCHANGE WADOC Data on optical discs disks must be located in an area which is accessible only to authorized personnelindividuals, with access controlled through though use of a key, card key, combination lock, or comparable mechanism.
d. 4. Optical discs (CDs or e.g. CDs, DVDs, Blu-Rays) in drives or jukeboxes other devices attached to servers and which a network. This data will not be transported out of a secure area. Data provided by the EXCHANGE on optical discs which will be attached to network servers shall be encrypted with 128- bit AES encryption or bettera FIPS approved cryptographic algorithm. Access to Data data on these discs will be restricted to authorized users through the use of access control lists which will grant access only after the authorized user has been authenticated to the network using a unique user ID and complex password or other authentication mechanisms which provide equal or greater security, such as biometrics or smart cards. Data on The optical discs attached to such servers must be located in an area which is accessible only to authorized personnelindividuals, with access controlled through use of a key, card key, combination lock, or comparable mechanism.
e. 5. Paper documents. All Any paper records must be protected by storing the records in a secure area which is only accessible to authorized personnelindividuals. When not in use, such records must be stored in a locked container, such as a file cabinet, locking drawer, or safe, to which only authorized persons have access.
f. Access via remote terminal6. Within these Data Sharing Terms, portable devices include, but are not limited to handhelds/workstation over the State Governmental Network PDAs, Ultramobile PCs, flash memory devices (SGNe.g. USB flash drives, personal media players), portable hard disks, and laptop/notebook computers. Portable media includes, but is not limited to optical media (e.g., CD’s, DVD’s, Blu- Rays), magnetic media (e.g., floppy disks, Zip or Jaz disks or drives,) or WA Health Benefit Exchange network flash media (EXCHANGE Networke.g., Compact Flash, SD Card, MMC). Data accessed and used interactively over the SGN or EXCHANGE Network. Access to the Data will be controlled by EXCHANGE staff who will issue authentication credentials (e.g. a unique user ID and complex password) to authorized contractor staff. Contractor shall have established and documented access termination procedures for existing staff with access to EXCHANGE Data. These procedures shall be provided to EXCHANGE staff upon request. The Contractor will notify EXCHANGE staff immediately whenever an authorized person in possession of such credentials is terminated or otherwise leaves the employment of the contractor, and whenever a user’s duties change such that the user no longer requires access to perform work for this Contract.
g. Access via remote terminal/workstation over the Internet through Secure Access Washington. Data accessed and used interactively over the Internet. Access to the Data will be controlled by EXCHANGE staff who will issue remote access authentication credentials (e.g. a unique user ID and complex password) to authorized contractor staff. Contractor will notify EXCHANGE staff immediately whenever an authorized person in possession of such credentials is terminated or otherwise leaves the employ of the contractor and whenever a user’s duties change such that the user no longer requires access to perform work for this Contract.
h. Data storage on portable devices or media.
(1) EXCHANGE WADOC Data shall not be stored by the Contractor Recipient on portable devices or media unless specifically authorized within the Special Terms and Conditions of the contractthese Data Sharing Terms. If so authorized, the Data data shall be given the following protections:
(a) i. Encrypt the Data data with a key length of at least 128 bits using an industry standard algorithm (e.g., AES, Twofish, RC6, etcFIPS approved cryptographic algorithm.)
(b) ii. Control access to devices with a unique user ID and password or stronger authentication method such as a physical token or biometrics.
(c) iii. Manually lock devices whenever they are left unattended and set devices to lock automatically after a period of inactivity, if this feature is available. Maximum period of inactivity is 20 minutes.
iv. Physically protect the portable device(s) and/or media by
(d) Keeping by keeping them in locked storage when not in use
(e) Using unused; using check-in/check-out procedures when they are device or other media is being shared; taking frequent inventories of media, andand access to media by users.
(f) Taking frequent inventories
(2) v. When being transported outside of a secure area, portable devices and media with confidential EXCHANGE WADOC Data must be under the physical control of contractor Recipient’s staff with authorization to access the Datadata.
(3) Portable devices include any small computing device that can be transported. They include, but are not limited to: handhelds/PDAs/phones, Ultramobile PCs, flash memory devices (e.g. USB flash drives, personal media players), and laptop/notebook/tablet computers.
(4) Portable media includes any Data storage that can be detached or removed from a computer and transported. They include, but are not limited to: optical media (e.g. CDs, DVDs), magnetic media (e.g. floppy disks, tape, Zip or Jaz disks), USB drives, or flash media (e.g. CompactFlash, SD, MMC).
Appears in 1 contract
Sources: Contract
Protection of Data. The Contractor agrees to store Data on one or more of the following media and protect the Data Confidential Information as described:
a. Hard disk drives. Data stored on local workstation hard disks. Access to the at Rest:
i. Data will be restricted to Authorized User(s) by requiring logon to the local workstation using a Unique User ID and Hardened Password or other authentication mechanisms which provides equal or greater security, such as biometrics or smart cardsencrypted with NIST 800-series approved algorithms. The data on the drive will only be accessible to authenticated individuals that need to access it. That is, the data Encryption keys will be secured on stored and protected independently of the disk in such a way that other authenticated individuals that do not need access to the data will not have the ability to access it. Workstations with sensitive data stored on them will be tracked and their movements documented until the sensitive data is removed from the workstation. When the data is removed the date of its removal and method of its removal will be documented. Hard drives that have contained sensitive data will be wiped with a method that will render the deleted information irretrievable.
b. Network server disks. Data stored on hard disks mounted on network servers and made available through shared foldersdata. Access to the Data will be restricted to Authorized Users through the use of access control lists which will grant access only after the Authorized User has authenticated to the network using lists, a Unique User ID ID, and a Hardened Password Password, or other authentication mechanisms which provide equal or greater security, such as biometrics or smart cards. Data on disks mounted Systems which contain or provide access to such servers Confidential Information must be located in an area which is accessible only to authorized personnel, with access controlled through use of a key, card key, combination lock, or comparable mechanism. For EXCHANGE Confidential Information stored on these disks, deleting unneeded Data is sufficient as long as the disks remain in a Secured Area and otherwise meet the requirements listed in the above paragraph. Destruction of the Data as outlined in Section 5. Data Disposition may be deferred until the disks are retired, replaced, or otherwise taken out of the Secured Area.
c. Removable Media, including Optical discs (CDs or DVDs) in local workstation optical disc drives and which will not be transported out of a secure area. Sensitive or Confidential Data provided by the EXCHANGE on removable media, such as optical discs or USB drives, which will be used in local workstation optical disc drives or USB connections shall be encrypted with 128-bit AES encryption or better. When not in use for the contracted purpose, such discs must be locked in a drawer, cabinet or other container to which only authorized users have the key, combination or mechanism required to access the contents of the container. Workstations which access EXCHANGE Data on optical discs must be located in an area which that is accessible only to authorized personnel, with access controlled through use of a key, card key, combination lock, or comparable mechanism.
d. Optical discs (CDs or DVDs) in drives or jukeboxes attached to servers and which will not be transported out of a secure areaii. Data stored on Portable/Removable Media or Devices:
(A) Confidential Information provided by the EXCHANGE HCA on optical discs which Removable Media will be attached to network servers shall be encrypted with 128- bit AES encryption or betterNIST 800-series approved algorithms. Access to Data on these discs Encryption keys will be restricted to authorized users through the use of access control lists which will grant access only after the authorized user has been authenticated to the network using a unique user ID stored and complex password or other authentication mechanisms which provide equal or greater security, such as biometrics or smart cards. Data on discs attached to such servers must be located in an area which is accessible only to authorized personnel, with access controlled through use of a key, card key, combination lock, or comparable mechanism.
e. Paper documents. All paper records must be protected by storing the records in a secure area which is only accessible to authorized personnel. When not in use, such records must be stored in a locked container, such as a file cabinet, locking drawer, or safe, to which only authorized persons have access.
f. Access via remote terminal/workstation over the State Governmental Network (SGN) or WA Health Benefit Exchange network (EXCHANGE Network). Data accessed and used interactively over the SGN or EXCHANGE Network. Access to the Data will be controlled by EXCHANGE staff who will issue authentication credentials (e.g. a unique user ID and complex password) to authorized contractor staff. Contractor shall have established and documented access termination procedures for existing staff with access to EXCHANGE Data. These procedures shall be provided to EXCHANGE staff upon request. The Contractor will notify EXCHANGE staff immediately whenever an authorized person in possession of such credentials is terminated or otherwise leaves the employment independently of the contractor, and whenever a user’s duties change such that the user no longer requires access to perform work for this Contract.
g. Access via remote terminal/workstation over the Internet through Secure Access Washington. Data accessed and used interactively over the Internet. Access to the Data will be controlled by EXCHANGE staff who will issue remote access authentication credentials (e.g. a unique user ID and complex password) to authorized contractor staff. Contractor will notify EXCHANGE staff immediately whenever an authorized person in possession of such credentials is terminated or otherwise leaves the employ of the contractor and whenever a user’s duties change such that the user no longer requires access to perform work for this Contract.
h. Data storage on portable devices or mediaData.
(1B) EXCHANGE Data shall HCA’s data must not be stored by the Contractor on portable devices Portable Devices or media Media unless specifically authorized within the Special Terms and Conditions of the contractDSA. If so authorized, the Contractor must protect the Data shall be given the following protectionsby:
(a1) Encrypt Encrypting with NIST 800-series approved algorithms. Encryption keys will be stored and protected independently of the Data with a key length of at least 128 bits using an industry standard algorithm (e.g., AES, Twofish, RC6, etc.)data;
(b2) Control access to the devices with a unique user Unique User ID and password Hardened Password or stronger authentication method such as a physical token or biometrics.;
(c) Manually lock devices whenever they are left unattended and set devices to lock automatically after a period of inactivity, if this feature is available. Maximum period of inactivity is 20 minutes. Physically protect the portable device(s) and/or media by
(d3) Keeping them devices in locked storage when not in use;
(e4) Using check-in/check-out procedures when they devices are shared, ;
(5) Maintain an inventory of devices; and
(f6) Taking frequent inventories
(2) When Ensure that when being transported outside of a secure areaSecured Area, portable all devices and media with confidential EXCHANGE Data must be are under the physical control of contractor staff with authorization to access the Dataan Authorized User.
(3) Portable devices include any small computing device that can be transported. They include, but are not limited to: handhelds/PDAs/phones, Ultramobile PCs, flash memory devices (e.g. USB flash drives, personal media players), and laptop/notebook/tablet computers.
(4) Portable media includes any Data storage that can be detached or removed from a computer and transported. They include, but are not limited to: optical media (e.g. CDs, DVDs), magnetic media (e.g. floppy disks, tape, Zip or Jaz disks), USB drives, or flash media (e.g. CompactFlash, SD, MMC).
Appears in 1 contract
Sources: Professional Services
Protection of Data. The Contractor agrees to store Data on one or more of the following media and protect the Data as described:.
a. Hard disk drives. 5.2.3.1 Data stored on local workstation hard disks. Access to the at Rest: Data will be restricted to Authorized User(s) by requiring logon to the local workstation using a Unique User ID and Hardened Password or other authentication mechanisms which provides equal or greater security, such as biometrics or smart cardsencrypted with NIST 800-series approved algorithms. The data on the drive will only be accessible to authenticated individuals that need to access it. That is, the data Encryption keys will be secured on stored and protected independently of the disk in such a way that other authenticated individuals that do not need access to the data will not have the ability to access it. Workstations with sensitive data stored on them will be tracked and their movements documented until the sensitive data is removed from the workstation. When the data is removed the date of its removal and method of its removal will be documented. Hard drives that have contained sensitive data will be wiped with a method that will render the deleted information irretrievable.
b. Network server disks. Data stored on hard disks mounted on network servers and made available through shared foldersdata. Access to the Data will be restricted to Authorized Users through the use of access control lists which will grant access only after the Authorized User has authenticated to the network using lists, a Unique User ID ID, and a Hardened Password Password, or other authentication mechanisms which provide equal or greater security, such as biometrics or smart cards. Data on disks mounted Systems that contain or provide access to such servers Confidential Information must be located in an area which is accessible only to authorized personnel, with access controlled through use of a key, card key, combination lock, or comparable mechanism. For EXCHANGE Confidential Information stored on these disks, deleting unneeded Data is sufficient as long as the disks remain in a Secured Area and otherwise meet the requirements listed in the above paragraph. Destruction of the Data as outlined in Section 5. Data Disposition may be deferred until the disks are retired, replaced, or otherwise taken out of the Secured Area.
c. Removable Media, including Optical discs (CDs or DVDs) in local workstation optical disc drives and which will not be transported out of a secure area. Sensitive or Confidential Data provided by the EXCHANGE on removable media, such as optical discs or USB drives, which will be used in local workstation optical disc drives or USB connections shall be encrypted with 128-bit AES encryption or better. When not in use for the contracted purpose, such discs must be locked in a drawer, cabinet or other container to which only authorized users have the key, combination or mechanism required to access the contents of the container. Workstations which access EXCHANGE Data on optical discs must be located in an area which that is accessible only to authorized personnel, with access controlled through use of a key, card key, combination lock, or comparable mechanism.
d. Optical discs (CDs 5.2.3.2 Data stored on Portable/Removable Media or DVDs) in drives or jukeboxes attached to servers and which will not be transported out of a secure area. Data Devices Confidential Information provided by the EXCHANGE HCA on optical discs which Removable Media will be attached to network servers shall be encrypted with 128- bit AES encryption or betterNIST 800-series approved algorithms. Access to Data on these discs Encryption keys will be restricted to authorized users through stored and protected independently of the use of access control lists which will grant access only after the authorized user has been authenticated to the network using a unique user ID and complex password or other authentication mechanisms which provide equal or greater security, such as biometrics or smart cards. Data on discs attached to such servers must be located in an area which is accessible only to authorized personnel, with access controlled through use of a key, card key, combination lock, or comparable mechanism.
e. Paper documents. All paper records must be protected by storing the records in a secure area which is only accessible to authorized personnel. When not in use, such records must be stored in a locked container, such as a file cabinet, locking drawer, or safe, to which only authorized persons have access.
f. Access via remote terminal/workstation over the State Governmental Network (SGN) or WA Health Benefit Exchange network (EXCHANGE Network). Data accessed and used interactively over the SGN or EXCHANGE Network. Access to the Data will be controlled by EXCHANGE staff who will issue authentication credentials (e.g. a unique user ID and complex password) to authorized contractor staff. Contractor shall have established and documented access termination procedures for existing staff with access to EXCHANGE Data. These procedures shall be provided to EXCHANGE staff upon request. The Contractor will notify EXCHANGE staff immediately whenever an authorized person in possession of such credentials is terminated or otherwise leaves the employment of the contractor, and whenever a userHCA’s duties change such that the user no longer requires access to perform work for this Contract.
g. Access via remote terminal/workstation over the Internet through Secure Access Washington. Data accessed and used interactively over the Internet. Access to the Data will be controlled by EXCHANGE staff who will issue remote access authentication credentials (e.g. a unique user ID and complex password) to authorized contractor staff. Contractor will notify EXCHANGE staff immediately whenever an authorized person in possession of such credentials is terminated or otherwise leaves the employ of the contractor and whenever a user’s duties change such that the user no longer requires access to perform work for this Contract.
h. Data storage on portable devices or media.
(1) EXCHANGE Data shall must not be stored by the Contractor on portable devices Contractor on Portable Devices or media Media unless specifically authorized within the Special Terms and Conditions of the contractContract. If so authorized, the Contractor must protect the Data shall be given the following protectionsby:
(a) Encrypt a. Encrypting with NIST 800-series approved algorithms. Encryption keys will be stored and protected independently of the Data with a key length of at least 128 bits using an industry standard algorithm (e.g., AES, Twofish, RC6, etc.)data;
(b) Control b. Controlling access to the devices with a unique user Unique User ID and password Hardened Password or stronger authentication method such as a physical token or biometrics.;
(c) Manually lock c. Keeping devices whenever they are left unattended and set devices to lock automatically after a period of inactivity, if this feature is available. Maximum period of inactivity is 20 minutes. Physically protect the portable device(s) and/or media by
(d) Keeping them in locked storage when not in use;
(e) d. Using check-in/check-out procedures when they devices are shared, ;
e. Maintaining an inventory of devices; and
(f) Taking frequent inventories
(2) When f. Ensuring that when being transported outside of a secure areaSecured Area, portable all devices and media with confidential EXCHANGE containing Data must be are under the physical control of contractor staff with authorization to access the Dataan Authorized User.
(3) Portable devices include any small computing device that can be transported. They include, but are not limited to: handhelds/PDAs/phones, Ultramobile PCs, flash memory devices (e.g. USB flash drives, personal media players), and laptop/notebook/tablet computers.
(4) Portable media includes any Data storage that can be detached or removed from a computer and transported. They include, but are not limited to: optical media (e.g. CDs, DVDs), magnetic media (e.g. floppy disks, tape, Zip or Jaz disks), USB drives, or flash media (e.g. CompactFlash, SD, MMC).
Appears in 1 contract
Sources: Contract Kc 417 19 Amendment A
Protection of Data. The Contractor Subcontractor agrees to store Data on one or more of the following media and protect the Data as described:
a. Hard disk drives. For Data stored on local workstation hard disks. Access , access to the Data will be restricted to Authorized User(s) by requiring logon to the local workstation using a Unique User ID and Hardened Password or other authentication mechanisms which provides provide equal or greater security, such as biometrics or smart cards. The data on the drive will only be accessible to authenticated individuals that need to access it. That is, the data will be secured on the disk in such a way that other authenticated individuals that do not need access to the data will not have the ability to access it. Workstations with sensitive data stored on them will be tracked and their movements documented until the sensitive data is removed from the workstation. When the data is removed the date of its removal and method of its removal will be documented. Hard drives that have contained sensitive data will be wiped with a method that will render the deleted information irretrievable.
b. Network server disks. For Data stored on hard disks mounted on network servers and made available through shared folders. Access , access to the Data will be restricted to Authorized Users through the use of access control lists which will grant access only after the Authorized User has authenticated to the network using a Unique User ID and Hardened Password or other authentication mechanisms which provide equal or greater security, such as biometrics or smart cards. Data on disks mounted to such servers must be located in an area which is accessible only to authorized personnel, with access controlled through use of a key, card key, combination lock, or comparable mechanism. For EXCHANGE Confidential Information stored on these disks, deleting unneeded Data is sufficient as long as the disks remain in a Secured Area and otherwise meet the requirements listed in the above paragraph. Destruction of the Data as outlined in Section 5. Data Disposition may be deferred until the disks are retired, replaced, or otherwise taken out of the Secured Area.
c. Removable Media, including Optical discs (CDs or DVDs) in local workstation optical disc drives drives. Data provided on optical discs which will be used in local workstation optical disc drives, and which will not be transported out of a secure area. Sensitive or Confidential Data provided by the EXCHANGE on removable media, such as optical discs or USB drives, which will be used in local workstation optical disc drives or USB connections shall be encrypted with 128-bit AES encryption or betterSecure Area. When not in use for the contracted purpose, such discs must be locked Stored in a drawer, cabinet or other container to which only authorized users have the key, combination or mechanism required to access the contents of the containerSecure Area. Workstations which access EXCHANGE Data on optical discs must be located in an area which is accessible only to authorized personnel, with access controlled through use of a key, card key, combination lock, or comparable mechanism.
d. Optical discs (CDs or DVDs) in drives or jukeboxes attached to servers. Data provided on optical discs which will be attached to network servers and which will not be transported out of a secure area. Data provided by the EXCHANGE on optical discs which will be attached to network servers shall be encrypted with 128- bit AES encryption or betterSecure Area. Access to Data on these discs will be restricted to authorized users Authorized Users through the use of access control lists which will grant access only after the authorized user Authorized User has been authenticated to the network using a unique user Unique User ID and complex password Hardened Password or other authentication mechanisms which provide equal or greater security, such as biometrics or smart cards. Data on discs attached to such servers must be located in an area which is accessible only to authorized personnel, with access controlled through use of a key, card key, combination lock, or comparable mechanism.
e. Paper documents. All paper records must be protected by storing the records in a secure area which is only accessible to authorized personnel. When not in use, such records must be stored in a locked container, such as a file cabinet, locking drawer, or safe, to which only authorized persons have access.
f. Access via remote terminal/workstation over the State Governmental Network (SGN) or WA Health Benefit Exchange network (EXCHANGE Network). Data accessed and used interactively over the SGN or EXCHANGE Network. Access to the Data will be controlled by EXCHANGE staff who will issue authentication credentials (e.g. a unique user ID and complex password) to authorized contractor staff. Contractor shall have established and documented access termination procedures for existing staff with access to EXCHANGE Data. These procedures shall be provided to EXCHANGE staff upon request. The Contractor will notify EXCHANGE staff immediately whenever an authorized person in possession of such credentials is terminated or otherwise leaves the employment of the contractor, and whenever a user’s duties change such that the user no longer requires access to perform work for this Contract.
g. Access via remote terminal/workstation over the Internet through Secure Access Washington. Data accessed and used interactively over the Internet. Access to the Data will be controlled by EXCHANGE staff who will issue remote access authentication credentials (e.g. a unique user ID and complex password) to authorized contractor staff. Contractor will notify EXCHANGE staff immediately whenever an authorized person in possession of such credentials is terminated or otherwise leaves the employ of the contractor and whenever a user’s duties change such that the user no longer requires access to perform work for this Contract.
h. Data storage on portable devices or media.
(1) EXCHANGE Data shall not be stored by the Contractor on portable devices or media unless specifically authorized within the Special Terms and Conditions of the contract. If so authorized, the Data shall be given the following protections:
(a) Encrypt the Data with a key length of at least 128 bits using an industry standard algorithm (e.g., AES, Twofish, RC6, etc.)
(b) Control access to devices with a unique user ID and password or stronger authentication method such as a physical token or biometrics.
(c) Manually lock devices whenever they are left unattended and set devices to lock automatically after a period of inactivity, if this feature is available. Maximum period of inactivity is 20 minutes. Physically protect the portable device(s) and/or media by
(d) Keeping them in locked storage when not in use
(e) Using check-in/check-out procedures when they are shared, and
(f) Taking frequent inventories
(2) When being transported outside of a secure area, portable devices and media with confidential EXCHANGE Data must be under the physical control of contractor staff with authorization to access the Data.
(3) Portable devices include any small computing device that can be transported. They include, but are not limited to: handhelds/PDAs/phones, Ultramobile PCs, flash memory devices (e.g. USB flash drives, personal media players), and laptop/notebook/tablet computers.
(4) Portable media includes any Data storage that can be detached or removed from a computer and transported. They include, but are not limited to: optical media (e.g. CDs, DVDs), magnetic media (e.g. floppy disks, tape, Zip or Jaz disks), USB drives, or flash media (e.g. CompactFlash, SD, MMC).
Appears in 1 contract
Sources: Contract
Protection of Data. The Contractor agrees All electronic data provided by WADOC shall be stored on an encrypted hard drive in a secure environment with access limited to store Data on one or more the least number of staff needed to complete the following media and protect the Data as described:purpose of this Agreement.
a. Hard Workstation hard disk drives. Data stored on local workstation hard disksdisks will be encrypted with a FIPS approved cryptographic algorithm. Access to the Data will be restricted to Authorized User(s) authorized users by requiring logon to the local workstation using a Unique User unique user ID and Hardened Password complex password or other authentication mechanisms which provides provide equal or greater security, such as biometrics or smart cards. The data on the drive will only be accessible to authenticated individuals that need to access it. That is, the data will be secured on the disk in such a way that other authenticated individuals that do not need access to the data will not have the ability to access it. Workstations with sensitive data stored on them will be tracked and their movements documented until the sensitive data is removed from the workstation. When the data is removed the date of its removal and method of its removal will be documented. Hard drives that have contained sensitive data will be wiped with a method that will render the deleted information irretrievable.
b. Network server disks. Data stored on hard disks mounted on network servers and made available through shared foldersfolders will be encrypted with a FIPS approved cryptographic algorithm. Access to the Data data will be restricted to Authorized Users authorized users through the use of access control lists which will grant access only after the Authorized User authorized user has authenticated to the network using a Unique User unique user ID and Hardened Password complex password or other authentication mechanisms which provide equal or greater security, such as biometrics or smart cards. Data on disks mounted to such servers must be located in an area which is accessible only to authorized personnel, with access controlled through use of a key, card key, combination lock, or comparable mechanism. For EXCHANGE Confidential Information stored on these disks, deleting unneeded Data is sufficient as long as the disks remain in a Secured Area and otherwise meet the requirements listed in the above paragraph. Destruction of the Data as outlined in Section 5. Data Disposition may Backup copies must be deferred until the disks are retired, replaced, or otherwise taken out of the Secured Areaencrypted if recorded to removable media.
c. Removable Media, including Optical disc drives. OCO will use and store data provided by WADOC on optical discs (CDs or e.g. CDs, DVDs, Blu-Rays) in local workstation optical disc drives and which will not be transported out of a secure area. Sensitive or Confidential Data provided by the EXCHANGE on removable media, such as optical discs or USB drives, which The method of this data transmission will be used in local workstation optical disc drives or USB connections shall be encrypted with 128-bit AES encryption or bettera FIPS approved cryptographic algorithm. When not in use for the contracted purposeuse, such discs must be locked in a drawer, cabinet or other container to which only authorized users have the keykey combination, combination or mechanism required to access the contents of the container. Workstations which access EXCHANGE WADOC Data on optical discs disks must be located in an area which is accessible only to authorized personnelindividuals, with access controlled through though use of a key, card key, combination lock, or comparable mechanism.
d. Optical discs (CDs or DVDs) in drives or jukeboxes attached to servers and which will not be transported out of a secure area. Data provided by the EXCHANGE on optical discs which will be attached to network servers shall be encrypted with 128-bit AES encryption or better. Access to Data on these discs will be restricted to authorized users through the use of access control lists which will grant access only after the authorized user has been authenticated to the network using a unique user ID and complex password or other authentication mechanisms which provide equal or greater security, such as biometrics or smart cards. Data on discs attached to such servers must be located in an area which is accessible only to authorized personnel, with access controlled through use of a key, card key, combination lock, or comparable mechanism.
e. Paper documents. All paper records must be protected by storing the records in a secure area which is only accessible to authorized personnel. When not in use, such records must be stored in a locked container, such as a file cabinet, locking drawer, or safe, to which only authorized persons have access.
f. Access via remote terminal/workstation over the State Governmental Network (SGN) or WA Health Benefit Exchange network (EXCHANGE Network). Data accessed and used interactively over the SGN or EXCHANGE Network. Access to the Data will be controlled by EXCHANGE staff who will issue authentication credentials (e.g. a unique user ID and complex password) to authorized contractor staff. Contractor shall have established and documented access termination procedures for existing staff with access to EXCHANGE Data. These procedures shall be provided to EXCHANGE staff upon request. The Contractor will notify EXCHANGE staff immediately whenever an authorized person in possession of such credentials is terminated or otherwise leaves the employment of the contractor, and whenever a user’s duties change such that the user no longer requires access to perform work for this Contract.
g. Access via remote terminal/workstation over the Internet through Secure Access Washington. Data accessed and used interactively over the Internet. Access to the Data will be controlled by EXCHANGE staff who will issue remote access authentication credentials (e.g. a unique user ID and complex password) to authorized contractor staff. Contractor will notify EXCHANGE staff immediately whenever an authorized person in possession of such credentials is terminated or otherwise leaves the employ of the contractor and whenever a user’s duties change such that the user no longer requires access to perform work for this Contract.
h. Data storage on portable devices or media.
(1) EXCHANGE Data shall not be stored by the Contractor on portable devices or media unless specifically authorized within the Special Terms and Conditions of the contract. If so authorized, the Data shall be given the following protections:
(a) Encrypt the Data with a key length of at least 128 bits using an industry standard algorithm (e.g., AES, Twofish, RC6, etc.)
(b) Control access to devices with a unique user ID and password or stronger authentication method such as a physical token or biometrics.
(c) Manually lock devices whenever they are left unattended and set devices to lock automatically after a period of inactivity, if this feature is available. Maximum period of inactivity is 20 minutes. Physically protect the portable device(s) and/or media by
(d) Keeping them in locked storage when not in use
(e) Using check-in/check-out procedures when they are shared, and
(f) Taking frequent inventories
(2) When being transported outside of a secure area, portable devices and media with confidential EXCHANGE Data must be under the physical control of contractor staff with authorization to access the Data.
(3) Portable devices include any small computing device that can be transported. They include, but are not limited to: handhelds/PDAs/phones, Ultramobile PCs, flash memory devices (e.g. USB flash drives, personal media players), and laptop/notebook/tablet computers.
(4) Portable media includes any Data storage that can be detached or removed from a computer and transported. They include, but are not limited to: optical media (e.g. CDs, DVDs), magnetic media (e.g. floppy disks, tape, Zip or Jaz disks), USB drives, or flash media (e.g. CompactFlash, SD, MMC).
Appears in 1 contract
Sources: Data Share Agreement
Protection of Data. The Contractor Regents agrees to store Data data on one or more of the following media and protect the Data data as described:
a. 1) Workstation Hard disk drives. Data Access to data stored on local workstation hard disks. Access to the Data disks will be restricted to Authorized User(s) authorized users by requiring logon to the local workstation using a Unique User unique user ID and Hardened Password or other authentication mechanisms which provides equal or greater security, such as biometrics or smart cardscomplex password. The data on If the workstation is located in an unsecured physical location the hard drive will only be accessible encrypted to authenticated individuals that need to access it. That is, protect Probation data in the data will be secured on event the disk in such a way that other authenticated individuals that do not need access to the data will not have the ability to access it. Workstations with sensitive data stored on them will be tracked and their movements documented until the sensitive data device is removed from the workstation. When the data is removed the date of its removal and method of its removal will be documented. Hard drives that have contained sensitive data will be wiped with a method that will render the deleted information irretrievablestolen.
b. 2) Network server disks. Data Access to data stored on hard disks mounted on network servers and made available through shared folders. Access to the Data folders will be restricted to Authorized Users authorized users through the use of access control lists which will grant access only after the Authorized User authorized user has authenticated to the network using a Unique User unique user ID and Hardened Password or other authentication mechanisms which provide equal or greater security, such as biometrics or smart cardscomplex password. Data on disks mounted Backup copies for disaster recovery purposes will be encrypted if recorded to such servers must be located in an area which is accessible only to authorized personnel, with access controlled through use of a key, card key, combination lock, or comparable mechanism. For EXCHANGE Confidential Information stored on these disks, deleting unneeded Data is sufficient as long as the disks remain in a Secured Area and otherwise meet the requirements listed in the above paragraph. Destruction of the Data as outlined in Section 5. Data Disposition may be deferred until the disks are retired, replaced, or otherwise taken out of the Secured Arearemovable media.
c. Removable Media, including 3) Optical discs (CDs or e.g., CDs, DVDs, Blu-Rays) in local workstation optical disc drives. Data provided by Probation on optical discs will be used in local workstation optical disc drives and which will not be transported out of a secure area. Sensitive or Confidential Data provided by the EXCHANGE on removable media, such as optical discs or USB drives, which will be used in local workstation optical disc drives or USB connections shall be encrypted with 128-bit AES encryption or better. When not in use for the contracted purposepurposes authorized by the DSA, such discs must be locked in a drawer, cabinet or other container to which only authorized users have the key, combination or mechanism required to access the contents of the container. Workstations which access EXCHANGE Data Probation data on optical discs must will be located in an area which is accessible only to authorized personnelindividuals, with access controlled through use of a key, card key, combination lock, or comparable mechanism.
d. 4) Optical discs (CDs or e.g., CDs, DVDs, Blu-Rays) in drives or jukeboxes attached to servers servers. Access to data provided by Probation on optical discs which will be attached to network servers, and which will not be transported out of a secure area. Data provided by the EXCHANGE on optical discs which will be attached to network servers shall be encrypted with 128-bit AES encryption or better. Access to Data on these discs area will be restricted to authorized users through the use of access control lists which will grant access only after the authorized user has been authenticated to the network using a unique user ID and complex password or other authentication mechanisms which provide equal or greater security, such as biometrics or smart cards. Data on discs attached to such servers must will be located in an area which is accessible only to authorized personnel, individuals with access controlled through use of a key, card key, combination lock, or comparable mechanism.
e. Paper documents. All paper records must be protected by storing the records in a secure area which is only accessible to authorized personnel. When not in use, such records must be stored in a locked container, such as a file cabinet, locking drawer, or safe, to which only authorized persons have access.
f. Access via remote terminal/workstation over the State Governmental Network (SGN) or WA Health Benefit Exchange network (EXCHANGE Network). Data accessed and used interactively over the SGN or EXCHANGE Network. Access to the Data will be controlled by EXCHANGE staff who will issue authentication credentials (e.g. a unique user ID and complex password) to authorized contractor staff. Contractor shall have established and documented access termination procedures for existing staff with access to EXCHANGE Data. These procedures shall be provided to EXCHANGE staff upon request. The Contractor will notify EXCHANGE staff immediately whenever an authorized person in possession of such credentials is terminated or otherwise leaves the employment of the contractor, and whenever a user’s duties change such that the user no longer requires access to perform work for this Contract.
g. Access via remote terminal/workstation over the Internet through Secure Access Washington. Data accessed and used interactively over the Internet. Access to the Data will be controlled by EXCHANGE staff who will issue remote access authentication credentials (e.g. a unique user ID and complex password) to authorized contractor staff. Contractor will notify EXCHANGE staff immediately whenever an authorized person in possession of such credentials is terminated or otherwise leaves the employ of the contractor and whenever a user’s duties change such that the user no longer requires access to perform work for this Contract.
h. Data storage on portable devices or media.
(1) EXCHANGE Data shall not be stored by the Contractor on portable devices or media unless specifically authorized within the Special Terms and Conditions of the contract. If so authorized, the Data shall be given the following protections:
(a) Encrypt the Data with a key length of at least 128 bits using an industry standard algorithm (e.g., AES, Twofish, RC6, etc.)
(b) Control access to devices with a unique user ID and password or stronger authentication method such as a physical token or biometrics.
(c) Manually lock devices whenever they are left unattended and set devices to lock automatically after a period of inactivity, if this feature is available. Maximum period of inactivity is 20 minutes. Physically protect the portable device(s) and/or media by
(d) Keeping them in locked storage when not in use
(e) Using check-in/check-out procedures when they are shared, and
(f) Taking frequent inventories
(2) When being transported outside of a secure area, portable devices and media with confidential EXCHANGE Data must be under the physical control of contractor staff with authorization to access the Data.
(3) Portable devices include any small computing device that can be transported. They include, but are not limited to: handhelds/PDAs/phones, Ultramobile PCs, flash memory devices (e.g. USB flash drives, personal media players), and laptop/notebook/tablet computers.
(4) Portable media includes any Data storage that can be detached or removed from a computer and transported. They include, but are not limited to: optical media (e.g. CDs, DVDs), magnetic media (e.g. floppy disks, tape, Zip or Jaz disks), USB drives, or flash media (e.g. CompactFlash, SD, MMC).
Appears in 1 contract
Sources: Memorandum of Understanding
Protection of Data. The Contractor Receiving Party agrees to store Data on one or more of the following media and protect the Data Confidential Information as described:
a. Hard disk drives. Data stored on local workstation hard disks. Access to the at Rest:
i. Data will be restricted to Authorized User(s) by requiring logon to the local workstation using a Unique User ID and Hardened Password or other authentication mechanisms which provides equal or greater security, such as biometrics or smart cardsencrypted with NIST 800-series approved algorithms. The data on the drive will only be accessible to authenticated individuals that need to access it. That is, the data Encryption keys will be secured on stored and protected independently of the disk in such a way that other authenticated individuals that do not need access to the data will not have the ability to access it. Workstations with sensitive data stored on them will be tracked and their movements documented until the sensitive data is removed from the workstation. When the data is removed the date of its removal and method of its removal will be documented. Hard drives that have contained sensitive data will be wiped with a method that will render the deleted information irretrievable.
b. Network server disks. Data stored on hard disks mounted on network servers and made available through shared foldersdata. Access to the Data will be restricted to Authorized Users through the use of access control lists which will grant access only after the Authorized User has authenticated to the network using lists, a Unique User ID ID, and a Hardened Password Password, or other authentication mechanisms which provide equal or greater security, such as biometrics or smart cards. Data on disks mounted Systems which contain or provide access to such servers Confidential Information must be located in an area which is accessible only to authorized personnel, with access controlled through use of a key, card key, combination lock, or comparable mechanism. For EXCHANGE Confidential Information stored on these disks, deleting unneeded Data is sufficient as long as the disks remain in a Secured Area and otherwise meet the requirements listed in the above paragraph. Destruction of the Data as outlined in Section 5. Data Disposition may be deferred until the disks are retired, replaced, or otherwise taken out of the Secured Area.
c. Removable Media, including Optical discs (CDs or DVDs) in local workstation optical disc drives and which will not be transported out of a secure area. Sensitive or Confidential Data provided by the EXCHANGE on removable media, such as optical discs or USB drives, which will be used in local workstation optical disc drives or USB connections shall be encrypted with 128-bit AES encryption or better. When not in use for the contracted purpose, such discs must be locked in a drawer, cabinet or other container to which only authorized users have the key, combination or mechanism required to access the contents of the container. Workstations which access EXCHANGE Data on optical discs must be located in an area which that is accessible only to authorized personnel, with access controlled through use of a key, card key, combination lock, or comparable mechanism.
d. Optical discs (CDs or DVDs) in drives or jukeboxes attached to servers and which will not be transported out of a secure areaii. Data stored on Portable/Removable Media or Devices:
A. Confidential Information provided by the EXCHANGE HCA on optical discs which Removable Media will be attached to network servers shall be encrypted with 128-bit AES encryption or better NIST 800-series approved algorithms. Access to Data on these discs Encryption keys will be restricted to authorized users through stored and protected independently of the use of access control lists which will grant access only after the authorized user has been authenticated to the network using a unique user ID and complex password or other authentication mechanisms which provide equal or greater security, such as biometrics or smart cards. Data on discs attached to such servers must be located in an area which is accessible only to authorized personnel, with access controlled through use of a key, card key, combination lock, or comparable mechanism Data.
e. Paper documents. All paper records B. HCA’s data must be protected by storing the records in a secure area which is only accessible to authorized personnel. When not in use, such records must be stored in a locked container, such as a file cabinet, locking drawer, or safe, to which only authorized persons have access.
f. Access via remote terminal/workstation over the State Governmental Network (SGN) or WA Health Benefit Exchange network (EXCHANGE Network). Data accessed and used interactively over the SGN or EXCHANGE Network. Access to the Data will be controlled by EXCHANGE staff who will issue authentication credentials (e.g. a unique user ID and complex password) to authorized contractor staff. Contractor shall have established and documented access termination procedures for existing staff with access to EXCHANGE Data. These procedures shall be provided to EXCHANGE staff upon request. The Contractor will notify EXCHANGE staff immediately whenever an authorized person in possession of such credentials is terminated or otherwise leaves the employment of the contractor, and whenever a user’s duties change such that the user no longer requires access to perform work for this Contract.
g. Access via remote terminal/workstation over the Internet through Secure Access Washington. Data accessed and used interactively over the Internet. Access to the Data will be controlled by EXCHANGE staff who will issue remote access authentication credentials (e.g. a unique user ID and complex password) to authorized contractor staff. Contractor will notify EXCHANGE staff immediately whenever an authorized person in possession of such credentials is terminated or otherwise leaves the employ of the contractor and whenever a user’s duties change such that the user no longer requires access to perform work for this Contract.
h. Data storage on portable devices or media.
(1) EXCHANGE Data shall not be stored by the Contractor Receiving Party on portable devices Portable Devices or media Media unless specifically authorized within the Special Terms and Conditions of the contractDSA. If so authorized, the Receiving Party must protect the Data shall be given the following protectionsby:
(a) Encrypt 1. Encrypting with NIST 800-series approved algorithms. Encryption keys will be stored and protected independently of the Data with a key length of at least 128 bits using an industry standard algorithm (e.g., AES, Twofish, RC6, etc.)data;
(b) 2. Control access to the devices with a unique user Unique User ID and password Hardened Password or stronger authentication method such as a physical token or biometrics.;
(c) Manually lock 3. Keeping devices whenever they are left unattended and set devices to lock automatically after a period of inactivity, if this feature is available. Maximum period of inactivity is 20 minutes. Physically protect the portable device(s) and/or media by
(d) Keeping them in locked storage when not in use;
(e) 4. Using check-in/check-out procedures when they devices are shared, ;
5. Maintain an inventory of devices; and
(f) Taking frequent inventories
(2) When 6. Ensure that when being transported outside of a secure areaSecured Area, portable all devices and media with confidential EXCHANGE Data must be are under the physical control of contractor staff with authorization to access the Dataan Authorized User.
(3) Portable devices include any small computing device that can be transported. They include, but are not limited to: handhelds/PDAs/phones, Ultramobile PCs, flash memory devices (e.g. USB flash drives, personal media players), and laptop/notebook/tablet computers.
(4) Portable media includes any Data storage that can be detached or removed from a computer and transported. They include, but are not limited to: optical media (e.g. CDs, DVDs), magnetic media (e.g. floppy disks, tape, Zip or Jaz disks), USB drives, or flash media (e.g. CompactFlash, SD, MMC).
Appears in 1 contract
Sources: Professional Services
Protection of Data. a. The Contractor agrees to store Data on one or more of the following media medias and protect the Data as described:
a. (1) Hard disk drives. drives Data stored on local workstation hard disks. Access , access to the Data will be restricted to Authorized User(s) by requiring logon to the local workstation using a Unique User ID and Hardened Password or other authentication mechanisms which provides provide equal or greater security, such as biometrics or smart cards. The data on the drive will only be accessible to authenticated individuals that need to access it. That is, the data will be secured on the disk in such a way that other authenticated individuals that do not need access to the data will not have the ability to access it. Workstations with sensitive data stored on them will be tracked and their movements documented until the sensitive data is removed from the workstation. When the data is removed the date of its removal and method of its removal will be documented. Hard drives that have contained sensitive data will be wiped with a method that will render the deleted information irretrievable.
b. (2) Network server disks.
(a) Data stored on hard disks mounted on network servers and made available through shared folders. Access , access to the Data will be restricted to Authorized Users through the use of access control lists which will grant access only after the Authorized User has authenticated to the network using a Unique User ID and Hardened Password or other authentication mechanisms which provide equal or greater security, such as biometrics or smart cards. .
(b) Data on disks mounted to such servers must be located in an area which is accessible only to authorized personnel, with access controlled through use of a key, card key, combination lock, or comparable mechanism. For EXCHANGE Confidential Information stored on these disks, deleting unneeded Data is sufficient as long as the disks remain in a Secured Area and otherwise meet the requirements listed in the above paragraph. Destruction of the Data as outlined in Section 5. Data Disposition may be deferred until the disks are retired, replaced, or otherwise taken out of the Secured Area.
c. Removable Media, including (3) Optical discs (CDs or DVDs) in local workstation optical disc drives
(a) Data provided by DCYF on optical discs which will be used in local workstation optical disc drives and which will not be transported out of a secure area. Sensitive or Confidential Data provided by the EXCHANGE on removable mediaSecure Area, such as optical discs or USB drives, which will be used in local workstation optical disc drives or USB connections shall be encrypted with 128-bit AES encryption or better. When when not in use for the contracted purpose, such discs must be locked Stored in a drawer, cabinet or other container to which only authorized users have the key, combination or mechanism required to access the contents Secure Area.
(b) Workstations that are capable of the container. Workstations which access EXCHANGE accessing Data on from optical discs must be located in an area which is accessible only to authorized personnel, with access controlled through use of a key, card key, combination lock, or comparable mechanism.
d. (4) Optical discs (CDs or DVDs) in drives or jukeboxes attached to servers
(a) Data provided by DCYF on optical discs that will be attached to network servers and which will not be transported out of a secure area. Data provided by the EXCHANGE on optical discs which will be attached to network servers shall be encrypted with 128-bit AES encryption or better. Secure Area.
(b) Access to Data on these discs will be restricted to authorized users Authorized Users through the use of access control lists which will grant access only after the authorized user Authorized User has been authenticated to the network using a unique user Unique User ID and complex password Hardened Password or other authentication mechanisms which provide equal or greater security, such as biometrics or smart cards. .
(c) Data on discs attached to such servers must be located in an area which is accessible only to authorized personnel, with access controlled through use of a key, card key, combination lock, or comparable mechanism.
e. (5) Paper documents.
(a) All paper records documents must be protected by storing the records in a secure area Secure Area, with access controlled through the use of a key, card key, combination lock, or comparable mechanism, and which is only accessible to authorized personnel. When not in use, such records must be stored in a locked container, such as a file cabinet, locking drawer, or safe, to which only authorized persons have access.
f. Access via remote terminal/workstation over the State Governmental Network (SGN) or WA Health Benefit Exchange network (EXCHANGE Network). Data accessed and used interactively over the SGN or EXCHANGE Network. Access to the Data will be controlled by EXCHANGE staff who will issue authentication credentials (e.g. a unique user ID and complex password) to authorized contractor staff. Contractor shall have established and documented access termination procedures for existing staff with access to EXCHANGE Data. These procedures shall be provided to EXCHANGE staff upon request. The Contractor will notify EXCHANGE staff immediately whenever an authorized person in possession of such credentials is terminated or otherwise leaves the employment of the contractor, and whenever a user’s duties change such that the user no longer requires access to perform work for this Contract.
g. Access via remote terminal/workstation over the Internet through Secure Access Washington. Data accessed and used interactively over the Internet. Access to the Data will be controlled by EXCHANGE staff who will issue remote access authentication credentials (e.g. a unique user ID and complex password) to authorized contractor staff. Contractor will notify EXCHANGE staff immediately whenever an authorized person in possession of such credentials is terminated or otherwise leaves the employ of the contractor and whenever a user’s duties change such that the user no longer requires access to perform work for this Contract.
h. Data storage on portable devices or media.
(1) EXCHANGE Data shall not be stored by the Contractor on portable devices or media unless specifically authorized within the Special Terms and Conditions of the contract. If so authorized, the Data shall be given the following protections:
(a) Encrypt the Data with a key length of at least 128 bits using an industry standard algorithm (e.g., AES, Twofish, RC6, etc.)
(b) Control access to devices with a unique user ID and password or stronger authentication method such as a physical token or biometrics.
(c) Manually lock devices whenever they are left unattended and set devices to lock automatically after a period of inactivity, if this feature is available. Maximum period of inactivity is 20 minutes. Physically protect the portable device(s) and/or media by
(d) Keeping them in locked storage when not in use
(e) Using check-in/check-out procedures when they are shared, and
(f) Taking frequent inventories
(2) When being transported outside of a Secure Area, paper documents must be under the physical control of Contractor staff with authorization to access the Data.
(c) Paper documents will not be secured or stored in a motor vehicle any time a staff member is away from the motor vehicle. NOTE: The use of a lock box, other lockable storage container or a non-lockable storage container stored in a vehicle does not override this requirement.
(d) Paper documents will be retained in a Secure Area, per the State of Washington records retention requirements.
(6) Data storage on portable devices or media
Appears in 1 contract
Sources: Interlocal Agreement
Protection of Data. The Contractor agrees to store Data on one or more of the following media and protect the Data as described.
5.2.3.1 Data at Rest: Data will be encrypted with NIST 800-series approved algorithms. Encryption keys will be stored and protected independently of the data. Access to the Data will be restricted to Authorized Users through the use of access control lists, a Unique User ID, and a Hardened Password, or other authentication mechanisms which provide equal or greater security, such as biometrics or smart cards. Systems that contain or provide access to Confidential Information must be located in an area which is accessible only to authorized personnel, with access controlled through use of a key, card key, combination lock, or comparable mechanism. For EXCHANGE Confidential Information stored on these disks, deleting unneeded Data is sufficient as long as the disks remain in a Secured Area and otherwise meet the requirements listed in the above paragraph. Destruction of the Data as outlined in Section 5. Data Disposition may be deferred until the disks are retired, replaced, or otherwise taken out of the Secured Area.
c. Removable Media, including Optical discs (CDs or DVDs) in local workstation optical disc drives and which will not be transported out of a secure area. Sensitive or Confidential Data provided by the EXCHANGE on removable media, such as optical discs or USB drives, which will be used in local workstation optical disc drives or USB connections shall be encrypted with 128-bit AES encryption or better. When not in use for the contracted purpose, such discs must be locked in a drawer, cabinet or other container to which only authorized users have the key, combination or mechanism required to access the contents of the container. Workstations which access EXCHANGE Data on optical discs must be located in an area that is accessible only to authorized personnel, with access controlled through use of a key, card key, combination lock, or comparable mechanism.
d. Optical discs (CDs 5.2.3.2 Data stored on Portable/Removable Media or DVDs) in drives or jukeboxes attached to servers and which will not be transported out of a secure area. Data Devices Confidential Information provided by the EXCHANGE SBHASO or HCA on optical discs which Removable Media will be attached to network servers shall be encrypted with 128- bit AES encryption or betterNIST 800-series approved algorithms. Access to Data on these discs Encryption keys will be restricted to authorized users through stored and protected independently of the use of access control lists which will grant access only after the authorized user has been authenticated to the network using a unique user ID and complex password or other authentication mechanisms which provide equal or greater security, such as biometrics or smart cards. Data on discs attached to such servers must be located in an area which is accessible only to authorized personnel, with access controlled through use of a key, card key, combination lock, or comparable mechanism.
e. Paper documents. All paper records must be protected by storing the records in a secure area which is only accessible to authorized personnel. When not in use, such records must be stored in a locked container, such as a file cabinet, locking drawer, or safe, to which only authorized persons have access.
f. Access via remote terminal/workstation over the State Governmental Network (SGN) or WA Health Benefit Exchange network (EXCHANGE Network). Data accessed and used interactively over the SGN or EXCHANGE Network. Access to the Data will be controlled by EXCHANGE staff who will issue authentication credentials (e.g. a unique user ID and complex password) to authorized contractor staff. Contractor shall have established and documented access termination procedures for existing staff with access to EXCHANGE Data. These procedures shall be provided to EXCHANGE staff upon request. The Contractor will notify EXCHANGE staff immediately whenever an authorized person in possession of such credentials is terminated or otherwise leaves the employment of the contractor, and whenever a user’s duties change such that the user no longer requires access to perform work for this Contract.
g. Access via remote terminal/workstation over the Internet through Secure Access Washington. Data accessed and used interactively over the Internet. Access to the Data will be controlled by EXCHANGE staff who will issue remote access authentication credentials (e.g. a unique user ID and complex password) to authorized contractor staff. Contractor will notify EXCHANGE staff immediately whenever an authorized person in possession of such credentials is terminated or otherwise leaves the employ of the contractor and whenever a user’s duties change such that the user no longer requires access to perform work for this Contract.
h. Data storage on portable devices or media.
(1) EXCHANGE Data must not be stored by the Contractor on Portable Devices or Media unless specifically authorized within the Special Terms and Conditions of the Contract. If so authorized, the Contractor must protect the Data by:
a. Encrypting with NIST 800-series approved algorithms. Encryption keys will be stored and protected independently of the data;
b. Controlling access to the devices with a Unique User ID and Hardened Password or stronger authentication method such as a physical token or biometrics;
c. Keeping devices in locked storage when not in use;
d. Using check-in/check-out procedures when devices are shared;
e. Maintaining an inventory of devices; and
f. Ensuring that when being transported outside of a Secured Area, all devices containing Data are under the physical control of an Authorized User.
(3) Portable devices include any small computing device that can be transported. They include, but are not limited to; handhelds/PDAs/phones, Ultramobile PCs, flash memory devices (e.g. USB flash drives, personal media players), and laptop/notebook/tablet computers.
(4) Portable media includes any Data storage that can be detached or removed from a computer and transported. They include, but are not limited to; optical media (e.g. CDs, DVDs), magnetic media (e.g. floppy disks, tape, Zip or Jaz disks), USB drives, or flash media (e.g. CompactFlash, SD, MMC).
Appears in 1 contract
Sources: Contract Kc 302 21
Protection of Data. The Indian Nation agrees to store Data on one or more of the following media and protect the Data as described:
a. Hard disk drives. Data stored on local workstation hard disks. Access to the Data will be restricted to Authorized User(s) by requiring logon to the local workstation using a Unique User ID and Hardened Password or other authentication mechanisms which provide equal or greater security, such as biometrics or smart cards. The data on the drive will only be accessible to authenticated individuals that need to access it. That is, the data will be secured on the disk in such a way that other authenticated individuals that do not need access to the data will not have the ability to access it. Workstations with sensitive data stored on them will be tracked and their movements documented until the sensitive data is removed from the workstation. When the data is removed the date of its removal and method of its removal will be documented. Hard drives that have contained sensitive data will be wiped with a method that will render the deleted information irretrievable.
b. Network server disks. Data stored on hard disks mounted on network servers and made available through shared folders. Access to the Data will be restricted to Authorized Users through the use of access control lists which will grant access only after the Authorized User has authenticated to the network using a Unique User ID and Hardened Password or other authentication mechanisms which provide equal or greater security, such as biometrics or smart cards. Data on disks mounted to such servers must be located in an area which is accessible only to authorized personnel, with access controlled through use of a key, card key, combination lock, or comparable mechanism. For EXCHANGE Confidential Information stored on these disks, deleting unneeded Data is sufficient as long as the disks remain in a Secured Area and otherwise meet the requirements listed in the above paragraph. Destruction of the Data as outlined in Section 5. Data Disposition may be deferred until the disks are retired, replaced, or otherwise taken out of the Secured Area.
c. Removable Media, including Optical discs (CDs or DVDs) in local workstation optical disc drives. Data provided by DSHS on optical discs which will be used in local workstation optical disc drives and which will not be transported out of a Secured Area. When not in use for the agreed purpose, such discs must be locked in a drawer, cabinet or other container to which only Authorized Users have the key, combination or mechanism required to access the contents of the container. Workstations which access DSHS Data on optical discs must be located in an area which is accessible only to authorized personnel, with access controlled through use of a key, card key, combination lock, or comparable mechanism.
d. Optical discs (CDs or DVDs) in drives or jukeboxes attached to servers. Data provided by DSHS on optical discs which will be attached to network servers and which will not be transported out of a Secured Area. Access to Data on these discs will be restricted to Authorized Users through the use of access control lists which will grant access only after the Authorized User has been authenticated to the network using a Unique User ID and Hardened Password or other authentication mechanisms which provide equal or greater security, such as biometrics or smart cards. Data on discs attached to such servers must be located in an area which is accessible only to authorized personnel, with access controlled through use of a key, card key, combination lock, or comparable mechanism.
e. Paper documents. Any paper records must be protected by storing the records in a Secured Area which is only accessible to authorized personnel. When not in use, such records must be stored in a locked container, such as a file cabinet, locking drawer, or safe, to which only authorized persons have access.
f. Access via remote terminal/workstation over the State Governmental Network (SGN) or WA Health Benefit Exchange network (EXCHANGE Network). Data accessed and used interactively over the SGN or EXCHANGE Network. Access to the Data will be controlled by EXCHANGE staff who will issue authentication credentials (e.g. a unique user ID and complex password) to authorized contractor staff. Contractor shall have established and documented access termination procedures for existing staff with access to EXCHANGE Data. These procedures shall be provided to EXCHANGE staff upon request. The Contractor will notify EXCHANGE staff immediately whenever an authorized person in possession of such credentials is terminated or otherwise leaves the employment of the contractor, and whenever a user’s duties change such that the user no longer requires access to perform work for this Contract.
g. Access via remote terminal/workstation over the Internet through Secure Access Washington. Data accessed and used interactively over the Internet. Access to the Data will be controlled by EXCHANGE staff who will issue remote access authentication credentials (e.g. a unique user ID and complex password) to authorized contractor staff. Contractor will notify EXCHANGE staff immediately whenever an authorized person in possession of such credentials is terminated or otherwise leaves the employ of the contractor and whenever a user’s duties change such that the user no longer requires access to perform work for this Contract.
h. Data storage on portable devices or media.
(1) EXCHANGE Data shall not be stored by the Contractor on portable devices or media unless specifically authorized within the Special Terms and Conditions of the contract. If so authorized, the Data shall be given the following protections:
(a) Encrypt the Data with a key length of at least 128 bits using an industry standard algorithm (e.g., AES, Twofish, RC6, etc.)
(b) Control access to devices with a unique user ID and password or stronger authentication method such as a physical token or biometrics.
(c) Manually lock devices whenever they are left unattended and set devices to lock automatically after a period of inactivity, if this feature is available. Maximum period of inactivity is 20 minutes. Physically protect the portable device(s) and/or media by
(d) Keeping them in locked storage when not in use
(e) Using check-in/check-out procedures when they are shared, and
(f) Taking frequent inventories
(2) When being transported outside of a secure area, portable devices and media with confidential EXCHANGE Data must be under the physical control of contractor staff with authorization to access the Data.
(3) Portable devices include any small computing device that can be transported. They include, but are not limited to; handhelds/PDAs/phones, Ultramobile PCs, flash memory devices (e.g. USB flash drives, personal media players), and laptop/notebook/tablet computers.
(4) Portable media includes any Data storage that can be detached or removed from a computer and transported. They include, but are not limited to; optical media (e.g. CDs, DVDs), magnetic media (e.g. floppy disks, tape, Zip or Jaz disks), USB drives, or flash media (e.g. CompactFlash, SD, MMC).
Appears in 1 contract
Sources: Indian Nation Program Agreement