Common use of System Security Controls Clause in Contracts

System Security Controls. In order to comply with the following system security controls, the Contractor agrees to: J. Ensure that all Contractor systems containing Medi-Cal PII provide an automatic timeout after no more than 20 minutes of inactivity. K. Ensure that all Contractor systems containing Medi-Cal PII display a warning banner stating that data is confidential, systems are logged, and system use is for business purposes only. User shall be directed to log off the system if they do not agree with these requirements. L. Ensure that all Contractor systems containing Medi-Cal PII log successes and failures of user authentication and authorizations granted. The system shall log all data changes and system accesses conducted by all users (including all levels of users, system administrators, developers, and auditors). The system shall have the capability to record data access for specified users when requested by authorized management personnel. A log of all system changes shall be maintained and be available for review by authorized management personnel. M. Ensure that all Contractor systems containing Medi-Cal PII use role based access controls for all user authentication, enforcing the principle of least privilege. N. Ensure that all Contractor data transmissions over networks outside of the Contractor’s control are encrypted end-to-end using a vendor product that is recognized as an industry leader in meeting the needs for the intended solution, such as products specified on the CSSI, when transmitting Medi-Cal PII. The Contractor shall encrypt Medi-Cal PII at the minimum of 128 bit AES or 3DES (Triple DES) if AES is unavailable. O. Ensure that all Contractor systems that are accessible via the Internet or store Medi-Cal PII actively use either a comprehensive third-party real-time host based intrusion detection and prevention program or be protected at the perimeter by a network based IDS/IPS solution.

System Security Controls. In order to comply with the following system security controls, the Contractor agrees to: J. A. Ensure that all Contractor systems containing Medi-Cal PII provide an automatic timeout after no more than 20 minutes of inactivity. K. B. Ensure that all Contractor systems containing Medi-Cal PII display a warning banner stating that data is confidential, systems are logged, and system use is for business purposes only. User shall be directed to log off the system if they do not agree with these requirements. L. C. Ensure that all Contractor systems containing Medi-Cal PII log successes and failures of user authentication and authorizations granted. The system shall log all data changes and system accesses conducted by all users (including all levels of users, system administrators, developers, and auditors). The system shall have the capability to record data access for specified users when requested by authorized management personnel. A log of all system changes shall be maintained and be available for review by authorized management personnel. M. D. Ensure that all Contractor systems containing Medi-Cal PII use role based access controls for all user authentication, enforcing the principle of least privilege. N. E. Ensure that all Contractor data transmissions over networks outside of the Contractor’s control are encrypted end-to-end using a vendor product that is recognized as an industry leader in meeting the needs for the intended solution, such as products specified on the CSSI, when transmitting Medi-Cal PII. The Contractor shall encrypt Medi-Cal PII at the minimum of 128 bit AES or 3DES (Triple DES) if AES is unavailable. O. F. Ensure that all Contractor systems that are accessible via the Internet or store Medi-Cal PII actively use either a comprehensive third-party real-time host based intrusion detection and prevention program or be protected at the perimeter by a network based IDS/IPS solution.

System Security Controls. In order to comply with the following system security controls, the Contractor agrees to: J. I. Ensure that all Contractor systems containing Medi-Cal PII provide an automatic timeout after no more than 20 minutes of inactivity. K. J. Ensure that all Contractor systems containing Medi-Cal PII display a warning banner stating that data is confidential, systems are logged, and system use is for business purposes only. User shall be directed to log off the system if they do not agree with these requirements. L. K. Ensure that all Contractor systems containing Medi-Cal PII log successes and failures of user authentication and authorizations granted. The system shall log all data changes and system accesses conducted by all users (including all levels of users, system administrators, developers, and auditors). The system shall have the capability to record data access for specified users when requested by authorized management personnel. A log of all system changes shall be maintained and be available for review by authorized management personnel. M. L. Ensure that all Contractor systems containing Medi-Cal PII use role based access controls for all user authentication, enforcing the principle of least privilege. N. M. Ensure that all Contractor data transmissions over networks outside of the Contractor’s control are encrypted end-to-end using a vendor product that is recognized as an industry leader in meeting the needs for the intended solution, such as products specified on the CSSI, when transmitting Medi-Cal PII. The Contractor shall encrypt Medi-Cal PII at the minimum of 128 bit AES or 3DES (Triple DES) if AES is unavailable. O. Ensure that all Contractor systems that are accessible via the Internet or store Medi-Cal PII actively use either a comprehensive third-party real-time host based intrusion detection and prevention program or be protected at the perimeter by a network based IDS/IPS solution.

System Security Controls. In order to comply with the following system security controls, the Contractor Requesting Program agrees to: J. 1. Ensure that all Contractor Requesting Program systems containing Medi-Cal PII NJDOH data provide an automatic timeout after no more than 20 15 minutes of inactivity. K. 2. Ensure that all Contractor Requesting Program systems containing Medi-Cal PII NJDOH data display a warning banner stating that data is confidential, systems are logged, and system use is for business purposes only. User Users shall be directed to log off the system if they do not agree with these requirements. L. 3. Ensure that all Contractor Requesting Program systems containing Medi-Cal PII NJDOH data log successes successes, and failures of user authentication and authorizations granted. The system shall log all data changes and system accesses conducted by all users (including all levels of users, system administrators, developers, and auditors). The system shall have the capability to record data access for specified users when requested by authorized management personnelworkforce. A log of all system changes shall be maintained and be available for review by authorized management personnelworkforce. M. 4. Ensure that all Contractor Requesting Program systems containing MediNJDOH data provide user role-Cal PII use role based access controls for all user authenticationauthentications, enforcing the principle of least privilegeprivileges. N. 5. Ensure that all Contractor Requesting Program data transmissions over networks outside of the Contractor’s Requesting Program’ control are encrypted end-to-end using a vendor Requesting Program product that is recognized as an industry leader in meeting the needs for the intended solution, such as products specified on the CSSI, solution when transmitting Medi-Cal PIINJDOH data. The Contractor Requesting Program shall encrypt Medi-Cal PII NJDOH DATA at the minimum of 128 256-bit AES or 3DES (Triple DES) if AES is unavailable. O. 6. Ensure that all Contractor Requesting Program systems that are accessible via the Internet or store Medi-Cal PII NJDOH data actively use either a comprehensive third-party real-time host host- based intrusion detection and prevention program or be are protected at the perimeter by a network network-based IDS/IPS solution.

System Security Controls. In order to comply with the following system security controls, the Contractor agrees to: J. A. Ensure that all Contractor systems containing Medi-Cal PII provide an automatic timeout after no more than 20 minutes of inactivity. K. B. Ensure that all Contractor systems containing Medi-Cal PII display a warning banner stating that data is confidential, systems are logged, and system use is for business purposes only. User shall be directed to log off the system if they do not agree with these requirements. L. C. Ensure that all Contractor systems containing Medi-Cal PII log successes and failures of user authentication and authorizations granted. The system shall log all data changes and system accesses conducted by all users (including all levels of users, system administrators, developers, and auditors). The system shall have the capability to record data access for specified users when requested by authorized management personnel. A log of all system changes shall be maintained and be available for review by authorized management personnel. M. D. Ensure that all Contractor systems containing Medi-Cal PII use role based access controls for all user authentication, enforcing the principle of least privilege. N. E. Ensure that all Contractor data transmissions over networks outside of the Contractor’s control are encrypted end-to-end using a vendor product that is recognized as an industry leader in meeting the needs for the intended solution, such as products specified on the CSSI, when transmitting Medi-Cal PII. The Contractor shall encrypt Medi-Cal PII at the minimum of 128 bit AES or 3DES (Triple DES) if AES is unavailable. O. F. Ensure that all Contractor systems that are accessible via the Internet or store Medi-Medi- Cal PII actively use either a comprehensive third-party real-time host based intrusion detection and prevention program or be protected at the perimeter by a network based IDS/IPS solution.