Access Controls The system providing access to PHI COUNTY discloses to 20 CONTRACTOR or CONTRACTOR creates, receives, maintains, or transmits on behalf of COUNTY 21 must use role based access controls for all user authentications, enforcing the principle of least privilege.
Agreement Controls In the event that any term of any of the Loan Documents other than this Agreement conflicts with any express term of this Agreement, the terms and provisions of this Agreement shall control to the extent of such conflict.
Technical Security Controls 35 a. Workstation/Laptop encryption. All workstations and laptops that store PHI COUNTY 36 discloses to CONTRACTOR or CONTRACTOR creates, receives, maintains, or transmits on behalf of 37 COUNTY either directly or temporarily must be encrypted using a FIPS 140-2 certified algorithm which 1 is 128bit or higher, such as AES. The encryption solution must be full disk unless approved by the 2 COUNTY.
Audit Controls a. System Security Review. CONTRACTOR must ensure audit control mechanisms that record and examine system activity are in place. All systems processing and/or storing PHI COUNTY discloses to CONTRACTOR or CONTRACTOR creates, receives, maintains, or transmits on behalf of COUNTY must have at least an annual system risk assessment/security review which provides assurance that administrative, physical, and technical controls are functioning effectively and providing adequate levels of protection. Reviews should include vulnerability scanning tools.
Paper Document Controls In order to comply with the following paper document controls, the Contractor agrees to:
A. Dispose of Medi-Cal PII in paper form through confidential means, such as cross cut shredding and pulverizing.
B. Not remove Medi-Cal PII from the premises of the Contractor except for identified routine business purposes or with express written permission of DHCS.
C. Not leave faxes containing Medi-Cal PII unattended and keep fax machines in secure areas. The Contractor shall ensure that faxes contain a confidentiality statement notifying persons receiving faxes in error to destroy them. Contractor personnel shall verify fax numbers with the intended recipient before sending.
D. Use a secure, bonded courier with signature of receipt when sending large volumes of Medi-Cal PII. The Contractor shall ensure that disks and other transportable media sent through the mail are encrypted using a vendor product that is recognized as an industry leader in meeting the needs for the intended solution, such as products specified on the CSSI.
TIA Controls If any provision of this Indenture limits, qualifies, or conflicts with another provision which is required to be included in this Indenture by the TIA, the required provision shall control.
Project Monitoring Reporting and Evaluation The Recipient shall furnish to the Association each Project Report not later than forty-five (45) days after the end of each calendar semester, covering the calendar semester.
Security Controls Annually, upon Fund’s reasonable request, DST shall provide Fund’s Chief Information Security Officer or his or her designee with a summary of its corporate information security policy and an opportunity to discuss DST’s information security measures, and a high level and non-confidential summary of any penetration testing related to the provision of in-scope services . DST shall review its Security Policy annually.
Data Encryption Contractor must encrypt all State data at rest and in transit, in compliance with FIPS Publication 140-2 or applicable law, regulation or rule, whichever is a higher standard. All encryption keys must be unique to State data. Contractor will secure and protect all encryption keys to State data. Encryption keys to State data will only be accessed by Contractor as necessary for performance of this Contract.
Personal Controls a. Employee Training. All workforce members who assist in the performance of functions or activities on behalf of COUNTY in connection with Agreement, or access or disclose PHI COUNTY discloses to CONTRACTOR or CONTRACTOR creates, receives, maintains, or transmits on behalf of COUNTY, must complete information privacy and security training, at least annually, at CONTRACTOR’s expense. Each workforce member who receives information privacy and security training must sign a certification, indicating the member’s name and the date on which the training was completed. These certifications must be retained for a period of six (6) years following the termination of Agreement.
