Safeguarding PII. If Grantee or any of its Subcontractors will or may receive PII under this Agreement, Grantee shall provide for the security of such PII, in a manner and form acceptable to the State, including, without limitation, State non-disclosure requirements, use of appropriate technology, security practices, computer access security, data access security, data storage encryption, data transmission encryption, security inspections, and audits. Grantee shall be a “Third-Party Service Provider” as defined in §24-73-103(1)(i), C.R.S. and shall maintain security procedures and practices consistent with §§00-00-000 et seq., C.R.S.
Safeguarding PII. If Contractor or any of its Subcontractors will or may receive PII under this Contract, Contractor shall provide for the security of such PII, in a manner and form acceptable to the State, including, without limitation, State non-disclosure requirements, use of appropriate technology, security practices, computer access security, data access security, data storage encryption, data transmission encryption, security inspections, and audits. Contractor shall be a “Third-Party Service Provider” as defined in §24-73-103(1)(i), C.R.S. and shall maintain security procedures and practices consistent with §§00-00-000 et seq., C.R.S.
Safeguarding PII. (a) CDO and CAC must ensure that PII is protected with reasonable operational, administrative, technical, and physical safeguards to ensure its confidentiality, integrity, and availability and to prevent unauthorized or inappropriate access, use, or disclosure. Specifically, CDO is required to establish and CDO/CAC are required to implement operational, technical, administrative and physical safeguards that are consistent with any applicable laws and ensure that:
i. PII is only used by or disclosed to those authorized to receive or view it;
ii. PII is protected against any reasonably anticipated threats or hazards to the confidentiality, integrity, and availability of such information;
iii. PII is protected against any reasonably anticipated uses or disclosures of such information that are not permitted or required by law; and
iv. PII is securely destroyed or disposed of in an appropriate and reasonable manner and in accordance with record retention requirements under the CDO-CMS Agreement and the agreement between CDO and CAC.
(b) CDO must monitor, periodically assess, and update the security controls and related system risks to ensure the continued effectiveness of those controls.
(c) CDO must develop and CDO/CAC must utilize secure electronic interfaces when transmitting PII electronically.
Safeguarding PII. In keeping with the standards and implementation specifications used by the FFEs, a Non-Exchange Entity must ensure that PII is protected with reasonable operational, administrative, technical, and physical safeguards to ensure its confidentiality, integrity, and availability and to prevent unauthorized or inappropriate access, use, or disclosure.
Safeguarding PII. If Grantee or any of its Subcontractors will or may receive PII under this Agreement, Grantee shall provide for the security of such PII, in a manner and form acceptable to the State, including, without limitation, all State requirements relating to non-disclosure, use of appropriate technology, security practices, computer access security, data access security, data storage encryption, data transmission encryption, security inspections, and audits. Grantee shall take full responsibility for the security of all PII in its possession or in the possession of its Subcontractors, and shall hold the State harmless for any damages or liabilities resulting from the unauthorized disclosure or loss thereof. Grantee shall be a “Third-Party Service Provider” as defined in CRS §24-73-103(1)(i) and shall maintain security procedures and practices consistent with CRS §§00-00-000 et seq.
Safeguarding PII. If Grantee or any of its Subcontractors will or may receive PII under this Agreement, Grantee shall provide for the security of such PII, in a manner and form acceptable to the State, including, without limitation, all State requirements relating to non-disclosure, use of appropriate technology, security practices, computer access security, data access security, data storage encryption, data transmission encryption, security inspections, and audits. Grantee shall take full responsibility for the security of all PII in its possession or in the possession of its Subcontractors, and shall hold the State harmless for any damages or liabilities resulting from the unauthorized disclosure or loss thereof. Grantee shall be a “Third-Party Service Provider” as defined in CRS §24-73-103(1)(i) and shall maintain security procedures and practices consistent with CRS §§00-00-000 et seq. In addition, as set forth in § 00-00-000, et seq., C.R.S., Vendor, including, but not limited to, Vendor’s employees, agents and Subcontractors, agrees not to share any PII with any third parties for the purpose of investigating for, participating in, cooperating with, or assisting with Federal immigration enforcement. If Vendor is given direct access to any State databases containing PII, Vendor shall execute, on behalf of itself and its employees, the certification PII Individual Certification Form or PII Entity Certification Form [Download form from Hyperlink] on an annual basis and Vendor’s duty shall continue as long as Vendor has direct access to any State databases containing PII. If Vendor uses any Subcontractors to perform services requiring direct access to State databases containing PII, the Vendor shall require such Subcontractors to execute and deliver the certification to the State on an annual basis, so long as the Subcontractor has access to State databases containing PII.
Safeguarding PII. If Grantee or any of its Subcontractors will or may receive PII under this Agreement, Grantee shall provide for the security of such PII, in a manner and form acceptable to the State, including, without limitation, State non-disclosure requirements, use of appropriate technology, security practices, computer access security, data access security, data storage encryption, data transmission encryption, security inspections, and audits. Grantee shall be a “Third-Party Service Provider” as defined in §24-73-103(1)(i), C.R.S. and shall maintain security procedures and practices consistent with §§00-00-000 et seq., C.R.S. In addition, as set forth in § 00-00-000, et seq., C.R.S., Contractor, including, but not limited to, Contractor’s employees, agents and Subcontractors, agrees not to share any PII with any third parties for the purpose of investigating for, participating in, cooperating with, or assisting with Federal immigration enforcement. If Contractor is given direct access to any State databases containing PII, Contractor shall execute, on behalf of itself and its employees, the certification attached hereto as Exhibit D on an annual basis. Contractor’s duty and obligation to certify as set forth in Exhibit D shall continue as long as Contractor has direct access to any State databases containing PII. If Contractor uses any Subcontractors to perform services requiring direct access to State databases containing PII, the Contractor shall require such Subcontractors to execute and deliver the certification to the State on an annual basis, so long as the Subcontractor has access to State databases containing PII.
Safeguarding PII. In keeping with the standards and implementation specifications used by PHIEA, Enrollment Assister must ensure that PII is protected with reasonable operational, administrative, technical, and physical safeguards to ensure its confidentiality, integrity, and availability and to prevent unauthorized or inappropriate access, use, or disclosure. The Enrollment Assister is required to establish and implement operational, technical, administrative, and physical safeguards that are consistent with any applicable laws that ensure:
a. PII is only used by or disclosed to those authorized to receive or view it;
b. PII is protected against any reasonably anticipated threats or hazards to the confidentiality, integrity, and availability of such information;
c. PII is protected against any reasonably anticipated uses or disclosures of such information that are not permitted or required by Federal and State Law; and
d. PII is securely destroyed or disposed of in an appropriate and reasonable manner and in accordance with applicable retention schedules.
Safeguarding PII. In keeping with the standards and implementation specifications used by Georgia Access, Application Assister shall ensure that PII is protected with reasonable operational, administrative, technical, and physical safeguards to ensure its confidentiality, integrity, and availability and to prevent unauthorized or inappropriate access, use, or disclosure. The Application Assister is required to establish and implement operational, technical, administrative, and physical safeguards that are consistent with any applicable laws that ensure:
a. PII is only used by or disclosed to those authorized to receive or view it;
b. PII is protected against any reasonably anticipated threats or hazards to the confidentiality, integrity, and availability of such information;
c. PII is protected against any reasonably anticipated uses or disclosures of such information that are not permitted or required by Federal and State Law; and
d. PII is securely destroyed or disposed of in an appropriate and reasonable manner and in accordance with applicable retention schedules.
Safeguarding PII. (a) CDO and CAC must ensure that PII is protected with reasonable operational, administrative, technical, and physical safeguards to ensure its confidentiality, integrity, and availability and to prevent unauthorized or inappropriate access, use, or disclosure. Specifically, a CDO is required to establish, and CDO and CAC are required to implement operational, technical, administrative and physical safeguards that are consistent with any applicable laws, to ensure that PII is protected against any reasonably anticipated threats or hazards to the confidentiality, integrity, and availability of such information. Such safeguards must include:
i. Email/Web Browser Protections – Including, but not limited to, assuring that transfer protocols are secure and limit the threat of communications being intercepted.
ii. Endpoint Protection and Network Management – Including, but not limited to, protecting against known threat vectors within the system’s environment to mitigate damage and security breaches.
iii. Access Management – Including, but not limited to, managing access to the system’s environment and data, and maintaining access controls to the system.
iv. Asset Management – Including, but not limited to, maintaining an inventory of hardware and software within the environment to help identify vulnerable aspects left open to threat vectors without performing vulnerability scans and maintaining specific knowledge of physical and digital assets within the system’s environment.
v. Configuration Management – Including, but not limited to, managing baseline configurations of system servers and endpoints to mitigate threat factors that can be utilized to gain access to the system and data.
vi. Vulnerability Management – Including, but not limited to, identifying, classifying, remediating, and mitigating vulnerabilities on a continual basis by conducting periodic vulnerability scans to identify weaknesses within an environment.
vii. Patch Management – Including, but not limited to, ensuring every client and server is up to date with the latest security patches throughout the environment.
viii. Incident Response – Including, but not limited to, detecting security events, investigating, and mitigating or limiting the effects of those events.