PROCEDURES FOR SECURITY. A. Contractor agrees to safeguard the DHHS Data received under this Contract, and any derivative data or files, as follows:
1. The Contractor will maintain proper security controls to protect Department confidential information collected, processed, managed, and/or stored in the delivery of contracted services.
2. The Contractor will maintain policies and procedures to protect Department confidential information throughout the information lifecycle, where applicable, (from creation, transformation, use, storage and secure destruction) regardless of the media used to store the data (i.e., tape, disk, paper, etc.). [V5. Last update 10/09/18. Exhibit K, DHHS Information Security Requirements.]
3. The Contractor will maintain appropriate authentication and access controls to contractor systems that collect, transmit, or store Department confidential information where applicable.
4. The Contractor will ensure proper security monitoring capabilities are in place to detect potential security events that can impact State of NH systems and/or Department confidential information for contractor provided systems.
5. The Contractor will provide regular security awareness and education for its End Users in support of protecting Department confidential information.
6. If the Contractor will be sub-contracting any core functions of the engagement supporting the services for State of New Hampshire, the Contractor will maintain a program of an internal process or processes that defines specific security expectations, and monitoring compliance to security requirements that at a minimum match those for the Contractor, including breach notification requirements.
7. The Contractor will work with the Department to sign and comply with all applicable State of New Hampshire and Department system access and authorization policies and procedures, systems access forms, and computer use agreements as part of obtaining and maintaining access to any Department system(s). Agreements will be completed and signed by the Contractor and any applicable sub-contractors prior to system access being authorized.
8. If the Department determines the Contractor is a Business Associate pursuant to 45 CFR 160.103, the Contractor will execute a HIPAA Business Associate Agreement (BAA) with the Department and is responsible for maintaining compliance with the agreement.
9. The Contractor will work with the Department at its request to complete a System Management Survey...
PROCEDURES FOR SECURITY. A. Contractor agrees to safeguard the DHHS Data received under this Contract, and any derivative data or files, as follows:
1. The Contractor will maintain proper security controls to protect Department confidential information collected, processed, managed, and/or stored in the delivery of contracted services.
2. The Contractor will maintain policies and procedures to protect Department confidential information throughout the information lifecycle, where applicable, (from creation, transformation, use, storage and secure destruction) regardless of the media used to store the data (i.e., tape, disk, paper, etc.).
3. The Contractor will maintain appropriate authentication and access controls to contractor systems that collect, transmit, or store Department confidential information where applicable.
4. The Contractor will ensure proper security monitoring capabilities are in place to detect potential security events that can impact State of NH systems and/or Department confidential information for contractor provided systems.
5. The Contractor will provide regular security awareness and education for its End Users in support of protecting Department confidential information.
6. If the Contractor will be sub-contracting any core functions of the engagement supporting the services for State of New Hampshire, the Contractor will maintain a program of an internal process or processes that defines specific security expectations, and monitoring compliance to security requirements that at a minimum match those for the Contractor, including breach notification requirements.
7. The Contractor will work with the Department to sign and comply with all applicable State of New Hampshire and Department system access and authorization policies and procedures, systems access forms, and computer use agreements as part of obtaining and maintaining access to any Department system(s). Agreements will be completed and signed by the Contractor and any applicable sub-contractors prior to system access being authorized.
8. If the Department determines the Contractor is a Business Associate pursuant to 45 CFR 160.103, the Contractor will execute a HIPAA Business Associate Agreement (BAA) with the Department and is responsible for maintaining compliance with the agreement.
9. The Contractor will work with the Department at its request to complete a System Management Survey. The purpose of the survey is to enable the Department and Contractor to monitor for any changes in risks, threa...
PROCEDURES FOR SECURITY. USCIS and DOL will comply with the following procedures for ensuring the administrative, technical, and physical security of the information exchanged and the results of such programs:
PROCEDURES FOR SECURITY. In order to safeguard the Confidential Data shared under this Agreement, and any derivative data or files, ENTITY agrees:
To maintain proper security controls to protect the Confidential Data collected, processed, managed, and/or stored during completion of the proposed purpose of the Agreement;
To maintain written policies and procedures including breach notification and incident response, which protect the Confidential Information throughout the information lifecycle, from creation, transformation, use, storage, and secure destruction regardless of the media used to store the data (i.e., tape, disk, paper, etc.);
To maintain appropriate authentication and role based access controls to DHHS systems that collect, transmit, or store the Confidential Data or to ENTITY’s systems that collect, transmit, or store the Confidential Data. ENTITY shall not subcontract the collection, transmission, or maintenance of the data without prior approval from the DHHS Information Security Office consistent with this Agreement;
To ensure proper security monitoring capabilities are in place to detect potential security events that can affect State of NH systems and/or Department Confidential Information for ENTITY provided systems;
In the event of any security breach by ENTITY, that all efforts shall be made to contain and investigate the causes of the breach, promptly take measures to prevent future breach, and minimize any damage or loss resulting from the breach. ENTITY is responsible for all costs of response and recovery from the breach, including but not limited to, credit monitoring services, mailing costs, and costs associated with website and telephone call center services necessary due to the breach;
To comply with all applicable statutes and regulations regarding the privacy and security of Confidential Information, and maintain the privacy and security of PI and PHI at a level and scope that is not less than the level and scope of requirements applicable to federal agencies, including, but not limited to, provisions of the Privacy Act of 1974 (5 U.S.C. § 000x), XXXX Privacy Act Regulations (45 C.F.R. §5b), HIPAA Privacy and Security Rules (45 C.F.R. Parts 160 and 164) and all other laws that govern protections for individually identifiable health information as applicable under State law;
To establish and maintain appropriate administrative, technical, and physical safeguards to protect the confidentiality of the Confidential Data and to prevent unauthorized use ...
PROCEDURES FOR SECURITY. SSA and DHS will comply with the requirements of the Federal Information Security Management Act (FISMA), 44 U.S.C. §§ 3541-3549; related OMB circulars and memoranda, such as Circular A-130, Management of Federal Information Resources (Nov. 28, 2000), and Memorandum M-06-16, Protection of Sensitive Agency Information (June 23, 2006); National Institute of Standards and Technology (NIST) directives; and the Federal Acquisition Regulations, including any applicable amendments published after the effective date of this agreement. These laws, directives, and regulations include requirements for safeguarding Federal information systems and personally identifiable information (PII) used in Federal agency business processes, as well as related reporting requirements. Both agencies recognize and will implement the laws, regulations, NIST standards, and OMB directives including those published subsequent to the effective date of this agreement. FISMA requirements apply to all Federal contractors, organizations, or entities that possess or use Federal information, or that operate, use, or have access to Federal information systems on behalf of an agency. Both agencies are responsible for oversight and compliance of their contractors and agents.
PROCEDURES FOR SECURITY. A. Participating State Agency agrees to safeguard the CMS Data received under this Agreement, and any derivative data or files, as follows:
1. Participating State Agency shall, in accordance with the requirements of the DUA, comply with all applicable statutes and regulations regarding the privacy and security of PII and PHI, and shall in all other respects maintain the privacy and security of PII and PHI at a level and scope that is not less than the level and scope of requirements applicable to federal agencies, including, but not limited to, provisions of the Privacy Act of 1974 (5 U.S.C. § 000x), XXXX Privacy Act Regulations (45 C.F.R. §5b), HIPAA Privacy and Security Rules (45 C.F.R. Parts 160 and 164) that govern protections for individually identifiable health information, the Federal Information Security Management Act (FISMA) of 2002, OMB Circular A-130 and the CMS Minimum Security Requirements.
2. Participating State Agency must maintain a level of security in any automated information system in accordance with the requirements of the DUA.
3. Participating State Agency shall restrict access to the CMS Data obtained under this Agreement to only those authorized Participating State Agency employees, contractors, and agents who need such CMS Data to perform their official duties in connection with purposes identified in this Agreement.
4. The Participating State Agency shall ensure that its employees, contractors, and agents:
a. comply with such safeguards as referenced in Section 7 of the DUA implemented to protect PII and PHI that is furnished by CMS under this Agreement from loss, theft or inadvertent disclosure.
b. safeguard this information at all times.
c. ensure that laptops and other electronic devices/media containing PII are encrypted and password-protected.
d. send emails containing PII or PHI only if encrypted and being sent to and being received by email addresses of persons authorized to receive such information.
e. generally limit disclosure of the information and details relating to a PII or PHI loss to the extent permitted by law.
f. individually identifiable information received under this Agreement, or individually identifiable data derived from CMS Data, shall be stored in an area that is physically and technologically secure from access by unauthorized persons during duty hours as well as non-duty hours (e.g., door locks, card keys, biometric identifiers, etc.).
g. only authorized Participating State Agency personnel shall trans...
PROCEDURES FOR SECURITY. RRB and OPM will comply with the Federal Information Security Management Act (FISMA), 44 U.S.C. Chapter 35, Subchapter II, as amended by the Federal Information Security Modernization Act of 2014 (Pub. L. 113-283); related Office of Management and Budget (OMB) circulars and memoranda, such as OMB Circular A-130, Managing Information as a Strategic Resource (July 28, 2016) and OMB M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information (January 3, 2017); National Institute of Standards and Technology (NIST) directives; and the Federal Acquisition Regulations, including any applicable amendments published after the effective date of this agreement. These laws, directives, and regulations include requirements for safeguarding Federal information systems and personally identifiable information (PII) used in Federal agency business processes, as well as related reporting requirements. Both agencies recognize, and implement, the laws, regulations, NIST standards, and OMB directives, including those published after the effective date of this agreement. FISMA requirements apply to all Federal contractors, organizations, or entities that possess or use Federal information, operate, use, or have access to Federal information systems on behalf of an agency. Both agencies are responsible for the oversight and compliance of their contractors and agents.
PROCEDURES FOR SECURITY. The Privacy Act requires that each matching agreement specify procedures for ensuring the administrative, technical, and physical security of the records matched and the results of such programs. 5 U.S.C. §552a(o)(1)(G). SSA and OCSE will comply with the requirements of the Federal Information Security Management Act (FISMA), 44 U.S.C. Chapter 35, Subchapter II, as amended by the Federal Information Security Modernization Act of 2014 (Pub. L. 113-283); related Office of Management and Budget (OMB) circulars and memoranda, such as Circular A-130, Managing Federal Information as a Strategic Resource (July 28, 2016); National Institute of Standards and Technology (NIST) directives; and the Federal Acquisition Regulations, including any applicable amendments published after the effective date of this agreement. These laws, directives, and regulations include requirements for safeguarding federal information systems and personally identifiable information (PII) used in Federal agency business processes, as well as related reporting requirements. Both agencies recognize, and will implement, the laws, regulations, NIST standards, and OMB directives including those published subsequent to the effective date of this agreement. FISMA requirements apply to all federal contractors, organizations, or entities that possess or use Federal information, or that operate, use, or have access to federal information systems on behalf of an agency. Both agencies are responsible for oversight and compliance of their contractors and agents. The security addendum to this agreement specifies these security procedures, and shall be taken and considered as part of this agreement as if the provisions contained in the addendum were fully set out here.
PROCEDURES FOR SECURITY. In order to safeguard the Confidential Data shared under this Agreement, and any derivative data or files, ENTITY agrees:
1. To maintain proper security controls to protect the Confidential Data collected, processed, managed, and/or stored during completion of the proposed purpose of the Agreement;
2. To maintain written policies and procedures including breach notification and incident response, which protect the Confidential Information throughout the information lifecycle, from creation, transformation, use, storage, and secure destruction regardless of the media used to store the data (i.e., tape, disk, paper, etc.);
3. To maintain appropriate authentication and role based access controls to DHHS systems that collect, transmit, or store the Confidential Data or to ENTITY’s systems that collect, transmit, or store the Confidential Data. ENTITY shall not subcontract the collection, transmission, or maintenance of the data without prior approval from the DHHS Information Security Office consistent with this Agreement;
4. To ensure proper security monitoring capabilities are in place to detect potential security events that can affect State of NH systems and/or Department Confidential Information for ENTITY provided systems;
5. In the event of any security breach by ENTITY, that all efforts shall be made to contain and investigate the causes of the breach, promptly take measures to prevent future breach, and minimize any damage or loss resulting from the breach. ENTITY is responsible for all costs of response and recovery from the breach, including but not limited to, credit monitoring services, mailing costs, and costs associated with website and telephone call center services necessary due to the breach;
6. To comply with all applicable statutes and regulations regarding the privacy and security of Confidential Information, and maintain the privacy and security of PI and PHI at a level and scope that is not less than the level and scope of requirements applicable to federal agencies, including, but not limited to, provisions of the Privacy Act of 1974 (5 U.S.C. § 000x), XXXX Privacy Act Regulations (45 C.F.R. §5b), HIPAA Privacy and Security Rules (45 C.F.R. Parts 160 and 164) and all other laws that govern protections for individually identifiable health information as applicable under State law;
7. To establish and maintain appropriate administrative, technical, and physical safeguards to protect the confidentiality of the Confidential Data and to prev...
PROCEDURES FOR SECURITY. The Privacy Act requires that each matching agreement specify procedures for ensuring the administrative, technical, and physical security of the records matched and the results of such programs. 5 U.S.C. §552a(o)(1)(G). FISMA requirements apply to all federal contractors, organizations, or entities that possess or use federal information, or that operate, use, or have access to federal information systems on behalf of an agency. Both agencies are responsible for oversight and compliance of their contractors and agents. The security addendum to this agreement specifies these security procedures, and shall be taken and considered as part of this agreement as if the provisions contained in the addendum were fully set out here.