System Security Controls. In order to comply with the following system security controls, the Contractor agrees to:
J. Ensure that all Contractor systems containing Medi-Cal PII provide an automatic timeout after no more than 20 minutes of inactivity.
K. Ensure that all Contractor systems containing Medi-Cal PII display a warning banner stating that data is confidential, systems are logged, and system use is for business purposes only. User shall be directed to log off the system if they do not agree with these requirements.
L. Ensure that all Contractor systems containing Medi-Cal PII log successes and failures of user authentication and authorizations granted. The system shall log all data changes and system accesses conducted by all users (including all levels of users, system administrators, developers, and auditors). The system shall have the capability to record data access for specified users when requested by authorized management personnel. A log of all system changes shall be maintained and be available for review by authorized management personnel.
M. Ensure that all Contractor systems containing Medi-Cal PII use role based access controls for all user authentication, enforcing the principle of least privilege.
N. Ensure that all Contractor data transmissions over networks outside of the Contractor’s control are encrypted end-to-end using a vendor product that is recognized as an industry leader in meeting the needs for the intended solution, such as products specified on the CSSI, when transmitting Medi-Cal PII. The Contractor shall encrypt Medi-Cal PII at the minimum of 128 bit AES or 3DES (Triple DES) if AES is unavailable.
O. Ensure that all Contractor systems that are accessible via the Internet or store Medi-Cal PII actively use either a comprehensive third-party real-time host based intrusion detection and prevention program or be protected at the perimeter by a network based IDS/IPS solution.
System Security Controls. A. System Timeout. The system must provide an automatic timeout after no more than 20 minutes of inactivity.
System Security Controls. In order to comply with the following system security controls, the Contractor agrees to:
A. Ensure that all Contractor systems containing Medi-Cal PII provide an automatic timeout after no more than 20 minutes of inactivity.
B. Ensure that all Contractor systems containing Medi-Cal PII display a warning banner stating that data is confidential, systems are logged, and system use is for business purposes only. User shall be directed to log off the system if they do not agree with these requirements.
C. Ensure that all Contractor systems containing Medi-Cal PII log successes and failures of user authentication and authorizations granted. The system shall log all data changes and system accesses conducted by all users (including all levels of users, system administrators, developers, and auditors). The system shall have the capability to record data access for specified users when requested by authorized management personnel. A log of all system changes shall be maintained and be available for review by authorized management personnel.
D. Ensure that all Contractor systems containing Medi-Cal PII use role based access controls for all user authentication, enforcing the principle of least privilege.
E. Ensure that all Contractor data transmissions over networks outside of the Contractor’s control are encrypted end-to-end using a vendor product that is recognized as an industry leader in meeting the needs for the intended solution, such as products specified on the CSSI, when transmitting Medi-Cal PII. The Contractor shall encrypt Medi-Cal PII at the minimum of 128 bit AES or 3DES (Triple DES) if AES is unavailable.