Security Requirements Detail - Texas Health and Human Services

Texas Health and Human Services Commission
RFP No. 529-13-0018
[Date]
Attachment G: Security Requirements Detail
Respondents will address each of the security requirements appearing in the table below in their technical approach. In addition, the
attached table will be completed and returned as part of the response document. If customization is expected for a requirement, an
explanation of the proposed customization will be provided in the applicable column provided for that requirement.
Table columns: Req ID | Detailed Description | Customization (Y/N) | Customization Description | Reference # | NO Unable to Provide
Section B - Security Requirements
SR 1
The Vendor-provided EDW/BI solution will comply with all relevant and mandated Federal, State,
Enterprise and Agency security policies. This includes compliance with all federal and state laws and
industry standards regarding information and data security, including but not limited to:
- Title 1 Texas Administrative Code Chapter 202: Information Security Standards
  (http://info.sos.state.tx.us/pls/pub/readtac$ext.ViewTAC?tac_view=4&ti=1&pt=10&ch=202&rl=Y)
- HHS Enterprise Information Security Standards and Guidelines
  (http://hhscx.hhsc.state.tx.us/eit/Security/ESM-Policies/espsg.doc)
- Internal Revenue Service Publication 1075, Tax Information Security Guidelines for
  Federal, State and Local Agencies and Entities, February 2007
  (http://www.irs.gov/pub/irs-pdf/p1075.pdf)
- Centers for Medicare and Medicaid Services (CMS) Policy for the Information Security
  Program (http://www.cms.hhs.gov/InformationSecurity/Downloads/PISP.pdf)
- The Health Insurance Portability and Accountability Act (HIPAA) Security Rule
  (http://www.cms.hhs.gov/SecurityStandard/Downloads/securityfinalrule.pdf)
- National Institute of Standards and Technology (NIST) Special Publication 800 series.
  NIST SP 800-53, Recommended Security Controls for Federal Information Systems,
  Revision 1, December 2006 (http://csrc.nist.gov/publications/nistpubs/800-53/SP80053.pdf)
- Automatic Data Processing Physical Security and Risk Management (FIPS PUB 31);
- Computer Security Guidelines for Implementing the Privacy Act of 1974 (FIPS PUB 41);
- Guidelines for Security of Computer Applications (FIPS PUB 73); and
- Federal Regulations at 45 CFR 95.621
- Federal Regulations at 42 CFR Part 431.300
- Federal Regulations at 45 CFR Part 164
EDW/BI DD&I
Proposal
Page G-1
Confidential – Sensitive Procurement Information
SR 2
The EDW/BI system will support Single Sign-On security.
SR 3
Vendor will implement appropriate security controls to ensure the integrity and confidentiality of
data flowing across the EDW/BI network.
SR 4
Vendor will not connect to the State’s internal computer network without the prior, written consent
of the State, which the State will reasonably provide if necessary or appropriate for the vendor to
provide support.
SR 5
Vendor will provide internet security functionality to include the use of firewalls, intrusion detection,
and https, encrypted network/secure socket layer, and security provisioning protocols such as
secure sockets layer, and Internet protocol security (IPSEC).
SR 6
Vendor will implement mechanisms to safeguard data integrity and confidentiality of data passing
over public networks.
SR 7
Vendor will provide an EDW/BI network infrastructure solution that will be self-contained and in its
own security perimeter. In securing the perimeter of the Vendor's network, the use of International
Computer Security Association (ICSA) compliant firewall is required.
SR 8
Vendor will put in place a firewall between its private network and the connection to the State's
network.
SR 9
Vendor will keep any information passing through its network confidential.
SR 10
Vendor will ensure that measures are in place to mitigate any new network security risks created
by connecting the EDW/BI network to a third-party network.
SR 11
Vendor network architecture and all proposed network hardware and software will be compliant
with all required state security policies and procedures.
SR 12
ETL tool will have security manager abilities with high-granularity to query, read and update data
and user/group/roles access control across data sources.
SR 13
EDW/BI solution will allow for the following:
- Apply a consistent security policy across all applications
- Ensure that applications are protected
- Provide an easy and consistent mechanism for configuring operational rules and security
  policies.
SR 14
EDW/BI system will provide security and permission for database-level security, group-level
security, user authentication and individual IDs, position level access control.
SR 15
EDW/BI system will provide role-based multi level security control and allow users access to the
information that they are authorized to view and/or edit.
SR 16
EDW/BI system will have the ability for security administrators to add or remove individuals from
established roles.
SR 17
EDW/BI system will support role based security system that has the flexibility to easily add or
delete roles.
SR 18
EDW/BI system will be able to establish different roles for the metadata database.
SR 19
EDW/BI system will keep a record of activities performed by the users.
SR 20
EDW/BI system will prevent unauthorized access and safeguard the confidentiality of
person/consumer data in compliance with State and Federal law, including the Health Insurance
Portability and Accountability Act (HIPAA).
SR 21
EDW/BI will mask critical and sensitive data fields including but not limited to PHI and PII data in
development and test environments but will provide view access to this data in Production.
SR 22
The passwords of the users accessing EDW/BI system will be masked.
SR 23
EDW/BI system will provide encrypted communication over the State's Wide Area Network (WAN)
and agency Local Area Network (LAN) infrastructure.
SR 24
EDW/BI system will ensure secure and encrypted communications for all data, in motion, and at
rest.
SR 25
EDW/BI system will have the ability to encrypt highly restricted data at the database level, data at
rest and data in transit.
SR 26
EDW/BI system will provide data encryption and decryption capabilities based on data access
roles.
SR 27
EDW/BI system will support data masking and obfuscation for sensitive datasets and data fields.
SR 28
If the EDW/BI system is hosted in a data center managed under an existing Data Center
Management agreement the physical security requirements will be determined by that agreement.
SR 29
If the EDW/BI system is hosted in a new data center managed by the Vendor the following
minimum requirements for physical security will apply:
- The Vendor will designate one or more persons responsible for the security of each facility
- The Vendor will house the facilities in a secure area, protected by a defined security
  perimeter, with appropriate security barriers and entry controls to include, but not be limited to:
  o Physical access
  o Access by visitors will be recorded and supervised
  o Access rights regularly reviewed and updated.
SR 30
Vendor will ensure that communication switches and network components outside the central
computer room will receive the level of physical protection necessary to prevent unauthorized
access.
SR 31
Vendor will obtain prior HHS approval for the use of any equipment by the Vendor, its sub
Vendors, agents or others working with it to access the EDW/BI system from outside the Vendor’s
premises. The security provided will be equivalent to that for on-site equipment used for the same
purpose, taking into account the risks of working outside the Vendor’s premises. This equipment
may include, but not be limited to, all forms of personal computers, personal digital assistants or
similar devices that are used for home working or are being transported away from the normal
work location
SR 32
Any Vendor devices that will be connected to HHS network will be screened and approved by HHS
prior to connection.
SR 33
Regardless of ownership, the use of any equipment outside the Vendor's premises for information
processing of State business will require approval by HHS.
SR 34
Vendor will provide adequate security and safeguards to protect HHS and contract employees
from harm and to protect all equipment from unauthorized access and harm. These measures will
include, but are not limited to:
- Sufficient lighting;
- Night-time and weekend security patrols;
- Security Access Reader Card System with magnetic locks monitored by security
  personnel, Request to Exit Devices, Sounders, etc., to make system complete
- Outside surveillance cameras with recordings archived for seven (7) calendar days
- Recorded and supervised visitor access
- Regular review and updating of access rights to the project site
SR 35
Vendor will develop and submit a plan to the State for the physical security of the primary Vendor
facility and each off-site facility, including storage facilities and security guards, within 20 business
days after Contract signing. Vendor will review and revise the Physical Security Plan and submit
updates to the State for approval at the beginning of each State Fiscal Year, throughout the term of
the Contract. The Physical Security Plan must be approved by the State and contain the security
procedures to be implemented at each facility, including access limitations. The State reserves the
right to perform physical security checks of the Vendor’s facilities at its discretion.
SR 36
EDW/BI system will provide an automated audit trail and the ability to selectively report on
changes, additions, deletions, de-activation for all transactions/business events/records, profiles
and source tables.
SR 37
EDW/BI system will provide an automated audit trail for user access and unauthorized attempts to
access system.
SR 38
EDW/BI system will support all the requirements mandated by Information Security auditing
standards to support audits for HIPAA etc.
SR 39
EDW/BI system will include a mechanism for recording any changes to software modules,
subsystems, and data.
SR 40
EDW/BI system will include access to all audit trails and logs for tracking data and application
usages.
SR 41
Vendor security plan will address the HIPAA Security Rule, Version 5010.
SR 42
Vendor will establish responsibilities and procedures for remote use, as defined in the HHS
Enterprise Information Security Standards and Guidelines
(http://hhscx.hhsc.state.tx.us/eit/Security/ESM-Policies/espsg.doc) and other relevant policies and
procedures.
SR 43
EDW/BI system will have tools available to monitor and manage end to end processes for the
EDW/BI, provide performance monitoring services monitoring throughput, cycle times, and real
time performance and manage complex monitoring support.
SR 44
EDW/BI system will provide sufficient information to establish what events occurred, the sources of
the events, and the outcomes of the events. Audit records will be regularly reviewed and analyzed
for indications of inappropriate and suspicious activity or suspected violations and appropriate
actions taken.
SR 45
EDW/BI system will track user logon and logoffs into the data warehouse system by user identifiers
so that a history of valid and non-valid logon requests by user can be available for investigative
purposes.
SR 46
EDW/BI system will track user account activation and user activity for monitoring use and security
purposes. User activity will include specific record access, additions, changes, etc., made by each
individual.
SR 47
Vendor will deploy monitoring and auditing tools for EDW/BI system.
SR 48
Vendor will establish, support and facilitate a State-approved secure FTP process to exchange
(send and receive) all file extracts with every State-approved business partner, within the
timeframes specified by the State.
SR 49
Password configuration will be in compliance with all State and Federal laws, rules, regulations
and guidelines.
SR 50
All software provided by the Vendor will be tested by the Vendor and certified to be free of any
software virus. Vendor will propose a virus protection system for Vendor-owned software and
hardware that has at a minimum the following virus protection characteristics and qualities:
- NCSA Certification -- Anti-Virus software will be certified to detect 100% of current viruses
  in the wild
- Detects and Cures Viruses -- in real time
- Incorporates routine virus protection updates for all application software and hardware
- Prevents unprotected workstations from copying viruses onto servers
- Quarantines infected workstations
- Allows the rest of system to continue running after a virus is detected and isolated
- Automatically updates virus signatures and patterns
SR 51
All data considered to be Protected Health Information (PHI) will be secured during transport and
at rest using data encryption or an industry standard method of secure file transport.
SR 52
Vendor will adhere to State and Federal law, rules, regulations, and guidelines regarding Protected
Health Information (PHI).
SR 53
Vendor will maintain security and privacy features for all Vendor-supported automation systems to
ensure the system is protected against unauthorized use, disclosure, or access, according to State
and Federal laws, rules, regulations and guidelines.
SR 54
Vendor will stay current on all State and Federal laws, rules, regulations, and guidelines for
security, privacy, and auditing.
SR 55
Vendor will secure the confidentiality of all clients and provider information obtained during the
routine course of business, in accordance with HIPAA and all other applicable laws, rules,
regulations, guidelines and standards. In the event that the State or Vendor reasonably believe
that confidential client or provider information may have been disclosed, the Vendor must:
- Notify HHSC of the unauthorized disclosure immediately or no more than 24 hours after
  the unauthorized disclosure event;
- Identify affected individuals and specific information wrongfully disclosed;
- Take any further action related to the unauthorized disclosure, as directed by the State;
  and
- Provide the State with an incident report with root cause analysis and a Corrective Action
  Plan (CAP) within five (5) business days of the discovery, ensuring that further
  unauthorized disclosure(s) will not reoccur. The Vendor is liable for any damages to an
  individual or provider due to the unauthorized disclosure, or possible unauthorized
  disclosure, of confidential information.
SR 56
Vendor will work with the State and State-approved business partners to identify and define:
- The applications that must be accessed by each Vendor to support the requirements
  presented in this RFP; and
- The appropriate mode (inquiry, update, add) allowed for the application(s) accessed.
SR 57
Vendor will protect all data and voice connectivity between the EDW interfaces, transmission lines,
communications bridges, and linkages within Vendor’s premises from unauthorized access.
Vendor will report all privacy and/or security breaches to the State immediately upon discovery.
Vendor will submit a root cause analysis and CAP to the State within five (5) business days of the
incident and thereafter meet and confer with the State as requested by the State.
SR 58
EDW/BI system will support single sign-on when it is deployed and supported by the enterprise.
SR 59
EDW/BI system will support authentication with a Directory Service with Multiple Backend
Processes that may include but are not limited to Lightweight Directory Access Protocol (LDAP), Active
Directory (AD), and Novell Directory Services (NDS).
SR 60
EDW/BI system will support unique HIPAA compliant log-on for each user.
SR 61
EDW/BI system will support passwords that will expire at least every ninety (90) calendar days and
that can be changed at any time by authorized HHS staff or Vendor management personnel.
SR 62
EDW/BI system will have the ability to query directory services that include but are not limited to
Lightweight Directory Access Protocol (LDAP), Active Directory (AD), and Novell Directory Services
(NDS).
SR 63
EDW/BI system will have the ability to restrict applications and/or functions within application to
specific workstations, workstation port, or application server.
SR 64
EDW/BI system will have the ability to restrict applications and/or functions within application to
specific log on accounts.
SR 65
EDW/BI system will employ a security system that restricts access to varying hierarchical levels of
data and function; the security system will restrict access to data on a “need to know” basis and
restrict functions based on an individual user profile, including inquiry only capabilities; global
access to all functions must be restricted to specified staff.
SR 66
EDW/BI system will provide the ability to define and restrict access to the application database(s)
from the outside application programs and processes.
SR 67
EDW/BI system will have the ability to define and restrict access to functions and data for a user
based on their role and user group.
SR 68
EDW/BI system will support fine-grained access control within the database for data fields (rows
and columns) for users and roles.
SR 69
EDW/BI system will limit the display of fields/menus to the applications module, function and
screen options to those which the user has access and will "Gray out" or not display those options
for features not permitted by security rules for the user or group.
SR 70
EDW/BI system will have features to provide system, application and data access to valid users
through both Intranet/Extranet.
SR 71
EDW/BI system will allow the administrator to establish standard "user profiles" from which
individual user ids may inherit privileges.
SR 72
EDW/BI system will allow the user to logon once to access all applications available to the user in
system.
SR 73
EDW/BI system will provide the ability within system security to establish a time-out limit after
which active sessions are terminated.
SR 74
Vendor will develop and document procedures for email communications and establish and
implement technical controls that protect the confidentiality, integrity, authenticity, and availability
of State information (including PHI) while in transit. Confidential information transmitted by email
over an external network connection must be encrypted using FIPS 140-2 validated cryptography.
SR 75
EDW/BI system will maintain an audit log of all the user log-on access to system.
SR 76
EDW/BI system will be configured to restrict access to system, database and application
management functions to approved management and support roles.
SR 77
EDW/BI system will ensure that by role based authentication that the user has been authorized to
view, add, change and/or delete any data of any record, file, database dataset.
SR 78
EDW/BI system database will provide data obfuscation for sensitive datasets including but not
limited to PHI and PII, as required.
SR 79
EDW/BI solution will provide the archive and purge capabilities. The process will maintain file
synchronization and referential integrity of the data.
SR 80
Vendor will develop a notification process to include:
- Notify HHSC of the disclosure immediately or no more than (24) twenty-four hours after
  the disclosure event;
- Identify affected individuals and specific information disclosed;
- Develop a notification plan for individuals affected if the disclosure included social security
  numbers, financial data, or other personally identifiable data that can contribute to identity
  theft; and
- Take any further action related to the disclosure as directed by HHSC. Vendor will submit
  the process and procedures for the notification process to the State for approval.
SR 81
Vendor will prepare and submit for State approval, a comprehensive EDW Security Plan at a
minimum, on an annual basis. The EDW Security Plan will adhere to Federal, State and Agency
laws, rules, regulations, and guidelines and will include encryption of protected health information
(PHI) and a plan for State notification of security violations.
See Security Requirements section of the RFP for further details on the security approach, the
HHS Security Plan template and components that will be addressed by the Vendor to include in
the EDW Security Plan.
SR 82
Vendor will review and update the EDW Security Plan and submit to the State for approval 60
calendar days prior to the beginning of each state fiscal year (SFY) and/or prior to the deployment
of a release in Production (if more than one release is planned for the year and the release
requires update to the security plan due to additional source systems, user groups and access).
SR 83
Data on all storage devices including but not limited to hard drives, tapes, flash drives, memory,
and mobile devices will be secure.
SR 84
Encryption key management will be provided as part of the EDW/BI solution.
SR 85
All data at rest will be password protected and/or encrypted.
SR 86
Data will be physically secured to allow only authorized access.
SR 87
EDW/BI environment will be configured to reject connections from clients that do not encrypt data
on the network or optionally allow unencrypted connections from approved trusted sources.
SR 88
All data stored and retrieved from the EDW/BI database repositories will be secured using multiple
security layers. The EDW will provide a highly granular access control model, authentication,
including support for roles and row level data security.
SR 89
Database security implemented will ensure that only authenticated users perform authorized
activities at authorized times. The security will encompass privileged user control and real time
access controls.
SR 90
Database security will be implemented for all applications and programs that access data in
databases.
SR 91
Database user accounts will be password protected with the capability to change passwords on a
periodic basis.
SR 92
EDW/BI database activity will be tracked and audited per the established security procedures.
SR 93
Data backups and archives must be securely stored and access will be granted only to the
authorized individuals.
SR 94
All metadata in the metadata repositories and access methods including tools will be made secure.
SR 95
Vendor will communicate to HHSC all occurrences of virus threats, attacks, hacks, and all other
forms of unauthorized and unintended access to the EDW infrastructure and environment,
including third party tools and applications, files and databases hosted and/or stored in the EDW
environment, and the Vendor will then follow the appropriate remediation policies and procedures.