Infrastructure Vulnerability Scanning Supplier will scan its internal environments (e.g., servers, network devices, etc.) related to Deliverables monthly and external environments related to Deliverables weekly. Supplier will have a defined process to address any findings but will ensure that any high-risk vulnerabilities are addressed within 30 days.
Configuration Management The Contractor shall maintain a configuration management program, which shall provide for the administrative and functional systems necessary for configuration identification, control, status accounting and reporting, to ensure configuration identity with the UCEU and associated cables produced by the Contractor. The Contractor shall maintain a Contractor approved Configuration Management Plan that complies with ANSI/EIA-649 2011. Notwithstanding ANSI/EIA-649 2011, the Contractor’s configuration management program shall comply with the VLS Configuration Management Plans, TL130-AD-PLN-010-VLS, and shall comply with the following:
PROCUREMENT CARD The State has entered into an agreement for purchasing card services. The Purchasing Card enables Authorized Users to make authorized purchases directly from a Contractor without processing Purchase Orders or Purchase Authorizations. Purchasing Cards are issued to selected employees authorized to purchase for the Authorized User and having direct contact with Contractors. Cardholders can make purchases directly from any Contractor that accepts the Purchasing Card. The Contractor shall not process a transaction for payment through the credit card clearinghouse until the purchased Products have been shipped or services performed. Unless the cardholder requests correction or replacement of a defective or faulty Product in accordance with other Contract requirements, the Contractor shall immediately credit a cardholder’s account for Products returned as defective or faulty.
Data Storage Where required by applicable law, Student Data shall be stored within the United States. Upon request of the LEA, Provider will provide a list of the locations where Student Data is stored.
Cloud storage DSHS Confidential Information requires protections equal to or greater than those specified elsewhere within this exhibit. Cloud storage of Data is problematic as neither DSHS nor the Contractor has control of the environment in which the Data is stored. For this reason: (1) DSHS Data will not be stored in any consumer grade Cloud solution, unless all of the following conditions are met: (a) Contractor has written procedures in place governing use of the Cloud storage and Contractor attests in writing that all such procedures will be uniformly followed. (b) The Data will be Encrypted while within the Contractor network. (c) The Data will remain Encrypted during transmission to the Cloud. (d) The Data will remain Encrypted at all times while residing within the Cloud storage solution. (e) The Contractor will possess a decryption key for the Data, and the decryption key will be possessed only by the Contractor and/or DSHS. (f) The Data will not be downloaded to non-authorized systems, meaning systems that are not on either the DSHS or Contractor networks. (g) The Data will not be decrypted until downloaded onto a computer within the control of an Authorized User and within either the DSHS or Contractor’s network. (2) Data will not be stored on an Enterprise Cloud storage solution unless either: (a) The Cloud storage provider is treated as any other Sub-Contractor, and agrees in writing to all of the requirements within this exhibit; or, (b) The Cloud storage solution used is FedRAMP certified. (3) If the Data includes protected health information covered by the Health Insurance Portability and Accountability Act (HIPAA), the Cloud provider must sign a Business Associate Agreement prior to Data being stored in their Cloud solution.