Security of Information Unless otherwise specifically authorized by the DOH IT Security Officer, Contractor receiving confidential information under this contract assures that: It is compliant with the applicable provisions of the Washington State Office of the Chief Information Officer’s policy, Securing Information Technology Assets, available at ▇▇▇▇://▇▇▇.▇▇.▇▇▇/ocio. It will provide DOH copies of its IT security policies, practices and procedures upon the request of the DOH IT Security Officer. DOH may at any time conduct an audit of the Contractor’s security practices and/or infrastructure to assure compliance with the security requirements of this contract. It has implemented physical, electronic and administrative safeguards that are consistent with ISB IT security standards and guidelines to prevent unauthorized access, use, modification or disclosure of DOH Confidential Information in any form. This includes, but is not limited to, restricting access to specifically authorized individuals and services through the use of: Documented access authorization and change control procedures; Card key systems that restrict, monitor and log access; Locked racks for the storage of servers that contain Confidential Information or AES encryption (128bit or stronger) to protect confidential data at rest; Documented patch management practices that assure all network systems are running critical security updates within 6 days of release when the exploit is in the wild, and within 30 days of release for all others; Documented anti-virus strategies that assure all systems are running the most current anti-virus signatures within 1 day of release; Complex passwords that are systematically enforced and expire at least every 180 days; Strong (Two Factor) authentication mechanisms that assure the identity of individuals who access Confidential Information; Account lock-out after 5 failed authentication attempts for a minimum of 20 minutes, or for Confidential Information, until administrator reset; AES encrypted (128bit or stronger) sessions for all data transmissions. Firewall rules and network address translation that isolate database servers from web servers and public networks; Regular review of firewall rules and configurations to assure compliance with authorization and change control procedures; Log management and intrusion detection/prevention systems; A documented and tested incident response plan Any breach of this clause may result in termination of the contract and the demand for return of all personal information.
Availability of Information To make DHCS PI and PII available to the DHCS and/or 15 COUNTY for purposes of oversight, inspection, amendment, and response to requests for records, 16 injunctions, judgments, and orders for production of DHCS PI and PII. If CONTRACTOR receives 17 DHCS PII, upon request by COUNTY and/or DHCS, CONTRACTOR shall provide COUNTY and/or 18 DHCS with a list of all employees, contractors and agents who have access to DHCS PII, including 19 employees, contractors and agents of its subcontractors and agents.
Use and Protection of Information Recipient agrees to protect such Information of the Discloser provided to Recipient from whatever source from distribution, disclosure or dissemination to anyone except employees of Recipient with a need to know such Information solely in conjunction with Recipient’s analysis of the Information and for no other purpose except as authorized herein or as otherwise authorized in writing by the Discloser. Recipient will not make any copies of the Information inspected by it.