APPENDIX FOUR
INFORMATION SERVICES CONTRACTOR CHECKLIST
1. If an unauthorized disclosure occurs, the contractor will notify the University within 4 hours of discovery.
2. Safeguards employed by the contractor will include the following:
- Individual accountability for information systems, including University information (e.g. HIPAA records), by assigning each person a unique account for access.
- Password Policy that requires strong passwords and prohibits sharing of individual accounts and passwords.
- Access Control Policy under which access to University information is granted on a need-to-know basis and is removed or modified immediately when personnel terminate, transfer, or change job functions.
- Physical Security Policy under which access to secure areas is controlled and monitored, for example by door locks (electronic, key, cipher, etc.) or a guard with an access log.
- Incident Response Policy that includes notification, escalation and response procedures.
- Change control process.
- Deployment of detection and prevention technologies such as firewalls, IDS/IPS and antivirus.
- Separation of Internet-facing web applications from the internal servers that store University information.
- Enterprise patch management process.
- Encrypted remote access communications (e.g. VPN).
- Encrypted wireless networks that require user authentication and have secured, controlled access points.
- Secure disposal methods (e.g. shredding, secure wiping, incineration) for University information in any format.
- Encryption of University information whenever it is stored on portable storage or mobile devices; storing University information unencrypted on such devices is prohibited.
- Business Continuity or Disaster Recovery Plan that includes regular backups and annual testing.
- Vulnerability scanning of web applications and servers, with remediation of the vulnerabilities found, performed yearly or when there are significant changes to the system.
3. Monitoring performed by the contractor will include:
- Event logging implemented on all systems, recording at a minimum who, what, when and where.
- Review of system logs at least monthly, and active management and monitoring of IDS/IPS and firewalls for unauthorized access or possible attacks.
4. Contractor will provide a SAS 70 Type I or Type II report, OR will, upon written request of the University:
- Provide the University with documented policies and procedures for the safeguards specified in #2 above. The contractor may also provide a written summary of the pertinent processes related to the safeguards.
- Provide documented evidence of the safeguards in place and the monitoring performed, as indicated in the policies, procedures or written summary.