
08-85170 Page 1 of 6
Attachment 7
Information Confidentiality and Security Requirements

1. Definitions. For purposes of this Exhibit, the following definitions shall apply:

A. Public Information: Information that is not exempt from disclosure under the provisions of the California Public Records Act (Government Code sections 6250-6265) or other applicable state or federal laws.

B. Confidential Information: Information that is exempt from disclosure under the provisions of the California Public Records Act (Government Code sections 6250-6265) or other applicable state or federal laws.

C. Sensitive Information: Information that requires special precautions to protect from unauthorized use, access, disclosure, modification, loss, or deletion. Sensitive Information may be either Public Information or Confidential Information. It is information that requires a higher than normal assurance of accuracy and completeness. Thus, the key factor for Sensitive Information is that of integrity. Typically, Sensitive Information includes records of agency financial transactions and regulatory actions.

D. Personal Information: Information that identifies or describes an individual, including, but not limited to, their name, social security number, physical description, home address, home telephone number, education, financial matters, and medical or employment history. It is DHCS policy to consider all information about individuals private unless such information is determined to be a public record. This information must be protected from inappropriate access, use, or disclosure and must be made accessible to data subjects upon request. Personal Information includes the following:

Notice-triggering Personal Information: Specific items of personal information (name plus Social Security number, driver license/California identification card number, or financial account number) that may trigger a requirement to notify individuals if it is acquired by an unauthorized person. For purposes of this provision, identity shall include, but not be limited to, name, identifying number, symbol, or other identifying particular assigned to the individual, such as finger or voice print or a photograph. See Civil Code sections 1798.29 and 1798.82.

2. Nondisclosure. The Contractor and its employees, agents, or subcontractors shall protect from unauthorized disclosure any Personal Information, Sensitive Information, or Confidential Information (hereinafter identified as PSCI).

3. The Contractor and its employees, agents, or subcontractors shall not use any PSCI for any purpose other than carrying out the Contractor's obligations under this Agreement.

4. The Contractor and its employees, agents, or subcontractors shall promptly transmit to the DHCS Program Contract Manager all requests for disclosure of any PSCI not emanating from the person who is the subject of PSCI.

5. The Contractor shall not disclose, except as otherwise specifically permitted by this Agreement or authorized by the person who is the subject of PSCI, any PSCI to anyone other than DHCS without prior written authorization from the DHCS Program Contract Manager, except if disclosure is required by State or Federal law.

DHCS ICSR (12/09)

6. The Contractor shall observe the following requirements:

A. Safeguards. The Contractor shall implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the PSCI, including electronic PSCI that it creates, receives, maintains, uses, or transmits on behalf of DHCS. Contractor shall develop and maintain a written information privacy and security program that includes administrative, technical and physical safeguards appropriate to the size and complexity of the Contractor's operations and the nature and scope of its activities, including at a minimum the following safeguards:

1. General Security Controls

a. Confidentiality Statement. All persons that will be working with DHCS PSCI must sign a confidentiality statement. The statement must include at a minimum, General Use, Security and Privacy safeguards, Unacceptable Use, and Enforcement Policies. The statement must be signed by the workforce member prior to access to DHCS PSCI. The statement must be renewed annually. The Contractor shall retain each person's written confidentiality statement for DHCS inspection for a period of three (3) years following contract termination.

b. Background check. Before a member of the Contractor's workforce may access DHCS PSCI, Contractor must conduct a thorough background check of that worker and evaluate the results to assure that there is no indication that the worker may present a risk for theft of confidential data. The Contractor shall retain each workforce member's background check documentation for a period of three (3) years following contract termination.

c. Workstation/Laptop encryption. All workstations and laptops that process and/or store DHCS PSCI must be encrypted with a DHCS approved solution, such as a solution using a vendor product specified on the California Strategic Sourcing Initiative (CSSI) located at the following link: www.pd.dgs.ca.gov/masters/EncryptionSoftware.html. The encryption solution must be full disk.

d. Only the minimum necessary amount of DHCS PSCI may be downloaded to a laptop or hard drive when absolutely necessary for current business purposes.

e. Removable media devices. All electronic files that contain PSCI data must be encrypted when stored on any removable media type device (i.e. USB thumb drives, floppies, CD/DVD, etc.) with a DHCS approved solution, such as a solution using a vendor product specified on the CSSI.

f. Email security. All emails that include DHCS PSCI must be sent in an encrypted method using a DHCS approved solution, such as a solution using a vendor product specified on the CSSI.

g. Antivirus software. All workstations, laptops and other systems that process and/or store DHCS PSCI must have a commercial third-party anti-virus software solution with a minimum daily automatic update.

h. Patch Management. All workstations, laptops and other systems that process and/or store DHCS PSCI must have security patches applied and up-to-date.

i. User IDs and Password Controls. All users must be issued a unique user name for accessing DHCS PSCI. Passwords are not to be shared. Must be at least eight characters. Must be a non-dictionary word. Must not be stored in readable format on the computer. Must be changed every 60 days. Must be changed if revealed or compromised. Must be composed of characters from at least three of the following four groups from the standard keyboard:

Upper case letters (A-Z)
Lower case letters (a-z)
Arabic numerals (0-9)
Non-alphanumeric characters (punctuation symbols)
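The composition and age rules in item i. above are concrete enough to check mechanically. The following Python checker is an added example and is not part of the DHCS exhibit or any DHCS tooling; the wordlist in it is a constructed stand-in for a real dictionary. It reads "non-dictionary word" strictly: the alphabetic core of the candidate (digits and punctuation stripped, case folded) is compared against the list, so a dictionary word padded with a digit and a symbol is still rejected even though it satisfies the three-of-four-groups rule.

```python
"""Checker for the password composition and age rules in section 6.A.1.i.

Added example; not part of the DHCS exhibit. The wordlist is a tiny
constructed stand-in for a real dictionary.
"""
import string
from datetime import date
from typing import List, Set

MIN_LENGTH = 8      # "at least eight characters"
MIN_GROUPS = 3      # "at least three of the following four groups"
MAX_AGE_DAYS = 60   # "changed every 60 days"

# Constructed stand-in; a deployment would load a full dictionary wordlist.
DICTIONARY_WORDS: Set[str] = {
    "password", "welcome", "sacramento", "contractor", "confidential",
}

TOO_SHORT = "too_short"
DICTIONARY_WORD = "dictionary_word"
TOO_FEW_GROUPS = "too_few_groups"


def character_groups(password: str) -> Set[str]:
    """Return which of the four keyboard groups appear in the password."""
    groups = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            groups.add("upper")
        elif ch in string.ascii_lowercase:
            groups.add("lower")
        elif ch in string.digits:
            groups.add("digit")
        elif ch in string.punctuation:
            groups.add("punct")
    return groups


def is_dictionary_word(password: str) -> bool:
    """Strict reading of 'non-dictionary word': strip digits and punctuation,
    fold case, and reject if what remains is a dictionary entry."""
    core = "".join(ch for ch in password if ch.isalpha()).lower()
    return core in DICTIONARY_WORDS


def password_violations(password: str) -> List[str]:
    """Return the rules the candidate breaks; an empty list means compliant."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(TOO_SHORT)
    if is_dictionary_word(password):
        violations.append(DICTIONARY_WORD)
    if len(character_groups(password)) < MIN_GROUPS:
        violations.append(TOO_FEW_GROUPS)
    return violations


def password_expired(last_changed_iso: str, today_iso: str) -> bool:
    """True once the password is older than the 60-day maximum.
    Dates are ISO strings (YYYY-MM-DD)."""
    last_changed = date.fromisoformat(last_changed_iso)
    today = date.fromisoformat(today_iso)
    return (today - last_changed).days > MAX_AGE_DAYS


if __name__ == "__main__":
    for candidate in ["Tr0ub4dor&3", "Password1!", "Ab1!", "correcthorsebattery"]:
        print(candidate, password_violations(candidate) or "compliant")
    print("expired:", password_expired("2024-01-01", "2024-03-02"))
```

The checker never stores the candidate, which keeps it consistent with the rule that passwords must not be kept in readable form on the computer; the age check takes dates rather than the password itself for the same reason.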

j. Data Destruction. All DHCS PSCI must be wiped from systems when the data is no longer necessary. The wipe method must conform to Department of Defense standards for data destruction. All DHCS PSCI on removable media must be returned to DHCS when the data is no longer necessary. Once data has been destroyed, the DHCS contract manager must be notified.

k. Remote Access. Any remote access to DHCS PSCI must be executed over an encrypted method approved by DHCS using a vendor product specified on the CSSI. All remote access must be limited to minimum necessary and least privilege principles.

2. System Security Controls

a. System Timeout. The system must provide an automatic timeout after no more than 20 minutes of inactivity.

b. Warning Banners. All systems containing DHCS PSCI must display a warning banner stating that data is confidential, systems are logged, and system use is for business purposes only. User must be directed to log off the system if they do not agree with these requirements.

c. System Logging. The system must log successes and failures of user authentication at all layers. The system must log all system administrator/developer access and changes if the system is processing and/or storing PSCI. The system must log all user transactions at the database layer if processing and/or storing DHCS PSCI.

d. Access Controls. The system must use role based access controls for all user authentications, enforcing the principle of least privilege.

e. Transmission encryption. All data transmissions must be encrypted end-to-end using a DHCS approved solution, such as a solution using a vendor product specified on the CSSI, when transmitting DHCS PSCI.

f. Host Based Intrusion Detection. All systems that are accessible via the Internet or store DHCS PSCI must actively use a comprehensive third-party real-time host based intrusion detection and prevention solution.

3. Audit Controls

a. System Security Review. All systems processing and/or storing DHCS PSCI must have at least an annual system security review. Reviews must include administrative and technical vulnerability scanning tools.

b. Log Reviews. All systems processing and/or storing DHCS PSCI must have a routine procedure in place to review system logs for unauthorized access.

c. Change Control. All systems processing and/or storing DHCS PSCI must have a documented change control procedure that ensures separation of duties and protects the confidentiality, integrity and availability of data.

4. Business Continuity & Disaster Recovery Controls

a. Emergency Mode Operation Plan. Contractor must establish a documented plan to enable continuation of critical business processes and protection of the security of electronic DHCS PSCI in the event of an emergency. An emergency is an interruption of business operations for more than 24 hours.

b. Data Backup Plan. Contractor must have established documented procedures to backup DHCS PSCI to maintain retrievable exact copies of DHCS PSCI. The plan must include a regular schedule for making backups, storing backups offsite, an inventory of backup media, and the amount of time to restore DHCS PSCI should it be lost. At a minimum, the schedule must be a weekly full backup and monthly offsite storage of DHCS data.

5. Paper Document Controls

a. Supervision of Data. DHCS PSCI in paper form shall not be left unattended at any time, unless it is locked in a file cabinet, file room, desk or office. Unattended means that information is not being observed by an employee authorized to access the information. DHCS PSCI in paper form shall not be left unattended at any time in vehicles or planes and shall not be checked in baggage on commercial airplanes.

b. Escorting Visitors. Visitors to areas where DHCS PSCI is contained shall be escorted and DHCS PSCI shall be kept out of sight while visitors are in the area.

c. Confidential Destruction. DHCS PSCI must be disposed of through confidential means, such as cross cut shredding and pulverizing.

d. Removal of Data. DHCS PSCI must not be removed from the premises of the Contractor except with express written permission of DHCS.

e. Faxing. Faxes containing DHCS PSCI shall not be left unattended and fax machines shall be in secure areas. Faxes shall contain a confidentiality statement notifying persons receiving faxes in error to destroy them. Fax numbers shall be verified with the intended recipient before sending.

f. Mailing. DHCS PSCI shall only be mailed using secure methods. Large volume mailings of DHCS PSCI shall be by a secure, bonded courier with signature required on receipt. Disks and other transportable media sent through the mail must be encrypted with a DHCS approved solution, such as a solution using a vendor product specified on the CSSI.


B. Security Officer. The Contractor shall designate a Security Officer to oversee its data security program who will be responsible for carrying out its privacy and security programs and for communicating on security matters with DHCS.

C. Training. The Contractor shall provide training on its data privacy and security policies, at least annually, at its own expense, to all its employees and volunteers who assist in the performance of functions or activities on behalf of DHCS under this Agreement and use or disclose PSCI.

1. The Contractor shall require each employee and volunteer who receives data privacy and security training to sign a certification, indicating the employee's/volunteer's name and the date on which the training was completed.

2. The Contractor shall retain each employee's/volunteer's written certifications for DHCS inspection for a period of three years following contract termination.

D. Discovery and Notification of Breach. The Contractor shall notify DHCS immediately by telephone call plus email or fax upon the discovery of breach of security of PSCI in computerized form if the PSCI was, or is reasonably believed to have been, acquired by an unauthorized person, or within twenty-four (24) hours by email or fax of the discovery of any suspected security incident, intrusion or unauthorized use or disclosure of PSCI in violation of this Agreement, this provision, the law, or potential loss of confidential data affecting this Agreement. Notification shall be provided to the DHCS Program Contract Manager, the DHCS Privacy Officer and the DHCS Information Security Officer. If the incident occurs after business hours or on a weekend or holiday and involves electronic PSCI, notification shall be provided by calling the DHCS Information Technology Services Division (ITSD) Help Desk. Contractor shall take:

1. Prompt corrective action to mitigate any risks or damages involved with the breach and to protect the operating environment and

2. Any action pertaining to such unauthorized disclosure required by applicable Federal and State laws and regulations.

E. Investigation of Breach. The Contractor shall immediately investigate such security incident, breach, or unauthorized use or disclosure of PSCI and within seventy-two (72) hours of the discovery, shall notify the DHCS Program Contract Manager, the DHCS Privacy Officer, and the DHCS Information Security Officer of:

1. What data elements were involved and the extent of the data involved in the breach,

2. A description of the unauthorized persons known or reasonably believed to have improperly used or disclosed PSCI,

3. A description of where the PSCI is believed to have been improperly transmitted, sent, or utilized,

4. A description of the probable causes of the improper use or disclosure; and

5. Whether Civil Code sections 1798.29 or 1798.82 or any other federal or state laws requiring individual notifications of breaches are triggered.

F. Written Report. The Contractor shall provide a written report of the investigation to the DHCS Program Contract Manager, the DHCS Privacy Officer, and the DHCS Information Security Officer within ten (10) working days of the discovery of the breach or unauthorized use or disclosure. The report shall include, but not be limited to, the information specified above, as well as a full, detailed corrective action plan, including information on measures that were taken to halt and/or contain the improper use or disclosure.

G. Notification of Individuals. The Contractor shall notify individuals of the breach or unauthorized use or disclosure when notification is required under state or federal law and shall pay any costs of such notifications, as well as any costs associated with the breach. The DHCS Program Contract Manager, the DHCS Privacy Officer, and the DHCS Information Security Officer shall approve the time, manner and content of any such notifications.

H. Effect on lower tier transactions. The terms of this Exhibit shall apply to all contracts, subcontracts, and subawards, regardless of whether they are for the acquisition of services, goods, or commodities. The Contractor shall incorporate the contents of this Exhibit into each subcontract or subaward to its agents, subcontractors, or independent consultants.

7. Contact Information. To direct communications to the above referenced DHCS staff, the Contractor shall initiate contact as indicated herein. DHCS reserves the right to make changes to the contact information below by giving written notice to the Contractor. Said changes shall not require an amendment to this Exhibit or the Agreement to which it is incorporated.
DHCS Program Contract Manager
See the Scope of Work exhibit for Program Contract Manager information.

DHCS Privacy Officer
Privacy Officer
c/o Office of Legal Services
Department of Health Care Services
P.O. Box 997413, MS 0011
Sacramento, CA 95899-7413
Email: privacyofficer@dhcs.ca.gov
Telephone: (916) 445-4646

DHCS Information Security Officer
Information Security Officer
DHCS Information Security Office
P.O. Box 997413, MS 6400
Sacramento, CA 95899-7413
Email: iso@dhcs.ca.gov
Telephone: ITSD Help Desk (916) 440-7000 or (800) 579-0874

8. Audits and Inspections. From time to time, DHCS may inspect the facilities, systems, books and records of the Contractor to monitor compliance with the safeguards required in the Information Confidentiality and Security Requirements (ICSR) exhibit. Contractor shall promptly remedy any violation of any provision of this ICSR exhibit. The fact that DHCS inspects, or fails to inspect, or has the right to inspect, Contractor's facilities, systems and procedures does not relieve Contractor of its responsibility to comply with this ICSR exhibit.

