Access Controls The system providing access to PHI COUNTY discloses to 20 CONTRACTOR or CONTRACTOR creates, receives, maintains, or transmits on behalf of COUNTY 21 must use role based access controls for all user authentications, enforcing the principle of least privilege.
User IDs and Password Controls All users must be issued a unique user name for accessing DHCS PHI or PI. Username must be promptly disabled, deleted, or the password changed upon the transfer or termination of an employee with knowledge of the password, at maximum within 24 hours. Passwords are not to be shared. Passwords must be at least eight characters and must be a non-dictionary word. Passwords must not be stored in readable format on the computer. Passwords must be changed every 90 days, preferably every 60 days. Passwords must be changed if revealed or compromised. Passwords must be composed of characters from at least three of the following four groups from the standard keyboard: • Upper case letters (A-Z) • Lower case letters (a-z) • Arabic numerals (0-9) • Non-alphanumeric characters (punctuation symbols)
Audit Controls a. System Security Review. CONTRACTOR must ensure audit control mechanisms that record and examine system activity are in place. All systems processing and/or storing PHI COUNTY discloses to CONTRACTOR or CONTRACTOR creates, receives, maintains, or transmits on behalf of COUNTY must have at least an annual system risk assessment/security review which provides assurance that administrative, physical, and technical controls are functioning effectively and providing adequate levels of protection. Reviews should include vulnerability scanning tools.
Personal Controls a. Employee Training. All workforce members who assist in the performance of functions or activities on behalf of COUNTY in connection with Agreement, or access or disclose PHI COUNTY discloses to CONTRACTOR or CONTRACTOR creates, receives, maintains, or transmits on behalf of COUNTY, must complete information privacy and security training, at least annually, at CONTRACTOR’s expense. Each workforce member who receives information privacy and security training must sign a certification, indicating the member’s name and the date on which the training was completed. These certifications must be retained for a period of six (6) years following the termination of Agreement.
Personnel Controls The County Department/Agency agrees to advise County Workers who have access to Pll, of the confidentiality of the information, the safeguards required to protect the information, and the civil and criminal sanctions for non- compliance contained in applicable federal and state laws. For that purpose, the County Department/Agency shall implement the following personnel controls:
Internal Controls The Company shall maintain a system of internal accounting controls sufficient to provide reasonable assurances that: (i) transactions are executed in accordance with management’s general or specific authorization; (ii) transactions are recorded as necessary in order to permit preparation of financial statements in accordance with GAAP and to maintain accountability for assets; (iii) access to assets is permitted only in accordance with management’s general or specific authorization; and (iv) the recorded accountability for assets is compared with existing assets at reasonable intervals and appropriate action is taken with respect to any differences.
Export Controls Both Parties will adhere to all applicable laws, regulations and rules relating to the export of technical data and will not export or re-export any technical data, any products received from the other Party or the direct product of such technical data to any proscribed country listed in such applicable laws, regulations and rules unless properly authorized.
