Authorization, Authentication, and Access. In order to ensure that access to the Data is limited to authorized staff, the Contractor must:
a. Have documented policies and procedures governing access to systems with the shared Data.
b. Restrict access through administrative, physical, and technical controls to authorized staff.
c. Ensure that user accounts are unique and that any given user account logon ID and password combination is known only to the one employee to whom that account is assigned. For purposes of non-repudiation, it must always be possible to determine which employee performed a given action on a system housing the Data based solely on the logon ID used to perform the action.
d. Ensure that only authorized users are capable of accessing the Data.
e. Ensure that an employee’s access to the Data is removed immediately:
(1) Upon suspected compromise of the user credentials.
(2) When their employment, or the contract under which the Data is made available to them, is terminated.
(3) When they no longer need access to the Data to fulfill the requirements of the contract.
f. Have a process to periodically review and verify that only authorized users have access to systems containing DSHS Confidential Information.
g. When accessing the Data from within the Contractor’s network (the Data stays within the Contractor’s network at all times), enforce password and logon requirements for users within the Contractor’s network, including:
(1) A minimum length of 8 characters, and containing at least three of the following character classes: uppercase letters, lowercase letters, numerals, and special characters such as an asterisk, ampersand, or exclamation point.
(2) That a password does not contain a user’s name, logon ID, or any form of their full name.
(3) That a password does not consist of a single dictionary word. A password may be formed as a passphrase which consists of multiple dictionary words.
(4) That passwords are significantly different from the previous four passwords. Passwords that increment by simply adding a number are not considered significantly different.
h. When accessing Confidential Information from an external location (the Data will traverse the Internet or otherwise travel outside the Contractor’s network), mitigate risk and enforce password and logon requirements for users by employing measures including:
(1) Ensuring mitigations applied to the system don’t allow end-user modification.
(2) Not allowing the use of dial-up connections.
(3) Using industry standard protoc...
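The password and logon requirements in item g above, implemented as a policy check that reports which clause a candidate password violates. This is an added example, not text or code from the agreement; the word list, the use of a SHA-256 digest of the normalized password as the stored history record, and the stricter reading of "single dictionary word" (one word even with digits or punctuation around it) are assumptions.

```python
import hashlib
import re
import string

# Constructed stand-in for a real word list (assumption: the deployment supplies one).
DICTIONARY = {"password", "welcome", "summer", "dragon", "football", "monkey"}


def _char_classes(pw: str) -> int:
    """Count the character classes named in g(1) that appear in pw."""
    return sum([
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ])


def _normalize(pw: str) -> str:
    """Case-fold and drop a trailing run of digits, so 'Winter!2023' and
    'Winter!2024' collapse to the same value (the increment case in g(4))."""
    return re.sub(r"\d+$", "", pw.casefold())


def history_digest(pw: str) -> str:
    """Digest kept in the user's history; the normalized form is hashed so the
    plaintext of old passwords is never stored (SHA-256 chosen for demonstration)."""
    return hashlib.sha256(_normalize(pw).encode("utf-8")).hexdigest()


def check_password(pw: str, logon_id: str, full_name: str, history: list) -> list:
    """Return the clauses of item g that pw violates; an empty list means acceptable.
    history holds history_digest() values of earlier passwords, oldest first."""
    problems = []
    lowered = pw.casefold()
    if len(pw) < 8 or _char_classes(pw) < 3:
        problems.append("g(1) length/complexity")
    # g(2): logon ID, each name part, and the concatenated full name (parts of
    # fewer than three characters are ignored so initials do not cause matches).
    parts = [logon_id] + full_name.split() + ["".join(full_name.split())]
    if any(len(p) >= 3 and p.casefold() in lowered for p in parts):
        problems.append("g(2) contains name or logon ID")
    # g(3): exactly one alphabetic run that is a dictionary word is treated as a
    # single word even with digits or punctuation around it (assumption: stricter
    # reading); several words form a passphrase and pass this check.
    words = re.findall(r"[a-z]+", lowered)
    if len(words) == 1 and words[0] in DICTIONARY:
        problems.append("g(3) single dictionary word")
    if history_digest(pw) in history[-4:]:
        problems.append("g(4) not significantly different from a previous password")
    return problems
```

Note that a lowercase-only passphrase still fails g(1): the agreement allows passphrases but does not exempt them from the character-class requirement.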
Authorization, Authentication, and Access. In order to ensure that access to the Data is limited to authorized staff, the Contractor must:
a. Comply with IRS Publication 1075 for technology services, when Contractor is in receipt of Tax Returns or Federal Tax Information (FTI). FTI cannot be accessed by agency employees, agents, representatives, or contractors located offshore—outside of the United States territories, embassies or military installations. Further, FTI may not be received, processed, stored, transmitted, or disposed of by information technology (IT) systems located offshore.
b. Have documented policies and procedures governing access to systems with the shared Data.
c. Restrict access through administrative, physical, and technical controls to authorized staff.
d. Ensure that user accounts are unique and that any given user account logon ID and password combination is known only to the one employee to whom that account is assigned. For purposes of non-repudiation, it must always be possible to determine which employee performed a given action on a system housing the Data based solely on the logon ID used to perform the action.
e. Ensure that only authorized users are capable of accessing the Data.
f. Ensure that an employee’s access to the Data is removed immediately:
(1) Upon suspected compromise of the user credentials.
(2) When their employment, or the contract under which the Data is made available to them, is terminated.
(3) When they no longer need access to the Data to fulfill the requirements of the contract.
g. Have a process to periodically review and verify that only authorized users have access to systems containing DSHS Confidential Information.
h. When accessing the Data from within the Contractor’s network (the Data stays within the Contractor’s network at all times), enforce password and logon requirements for users within the Contractor’s network, including:
(1) A minimum length of 8 characters, and containing at least three of the following character classes: uppercase letters, lowercase letters, numerals, and special characters such as an asterisk, ampersand, or exclamation point.
(2) That a password does not contain a user’s name, logon ID, or any form of their full name.
(3) That a password does not consist of a single dictionary word. A password may be formed as a passphrase which consists of multiple dictionary words.
(4) That passwords are significantly different from the previous four passwords. Passwords that increment by simply adding a number are not considered significantly different.