Administrative Controls. The Contractor must have the following controls in place:
a. A documented security policy governing the secure use of its computer network and systems, and which defines sanctions that may be applied to Contractor staff for violating that policy.
b. Security awareness training for all employees, presented at least annually, which informs Contractor staff of their responsibilities under the Contractor’s security policy. If the Contractor does not have an appropriate security awareness course, any of their staff who will work with the Data or systems housing the Data, must successfully complete the DSHS Information Security Awareness Training, which can be taken on this web page: xxxxx://xxx.xxxx.xx.xxx/fsa/central-contract-services/it-security-awareness-training.
c. If the Data shared under this agreement is classified as Category 4, the Contractor must be aware of and compliant with the applicable legal or regulatory requirements for that Category 4 Data.
d. If Confidential Information shared under this agreement is classified as Category 4, the Contractor must have a documented risk assessment for the system(s) housing the Category 4 Data.
Appears in 10 contracts
Samples: Purchase Service Contract, Personal Service Contract, It Services Contract
Administrative Controls. The Contractor must have the following controls in place:
a. A documented security policy governing the secure use of its computer network and systems, and which defines sanctions that may be applied to Contractor staff for violating that policy.
b. Security awareness training for all employees, presented at least annually, which informs Contractor staff of their responsibilities under the Contractor’s security policy. If the Contractor does not have an appropriate security awareness course, any of their staff who will work with the Data or systems housing the Data, must successfully complete the DSHS Information Security Awareness Training, which can be taken on this web page: xxxxx://xxx.xxxx.xx.xxx/fsa/central-contract-services/it-security-awareness-training.
c. If the Data shared under this agreement is classified as Category 4, the Contractor must be aware of and compliant with the applicable legal or regulatory requirements for that Category 4 Data.
d. If Confidential Information shared under this agreement is classified as Category 4, the Contractor must have a documented risk assessment for the system(s) housing the Category 4 Data.
Appears in 3 contracts
Samples: It Services Contract, Itps Work Order, It Services Contract
Administrative Controls. The Contractor must have the following controls in place:
a. A documented security policy governing the secure use of its computer network and systems, and which defines sanctions that may be applied to Contractor staff for violating that policy.
b. Security awareness training for all employees, presented at least annually, which informs Contractor staff of their responsibilities under the Contractor’s security policy. If the Contractor does not have an appropriate security awareness course, any of their staff who will work with the Data or systems housing the Data, must successfully complete the DSHS Information Security Awareness Training, which can be taken on this web page: xxxxx://xxx.xxxx.xx.xxx/fsa/central-contract-services/it-security-awareness-training.
c. If the Data shared under this agreement is classified as Category 4, the Contractor must be aware of and compliant with the applicable legal or regulatory requirements for that Category 4 Data.
d. If Confidential Information shared under this agreement is classified as Category 4, the Contractor must have a documented risk assessment for the system(s) housing the Category 4 Data.
Appears in 1 contract
Samples: It Services Contract