4.6. Security Requirements

4.6.1. Network and Data Security
a) Devices may be configured to include a variety of data security features. The set-up of such features shall be at the discretion of the Purchasing Entity, and all costs associated with their implementation must be conveyed by Contractor prior to Order placement.
b) Contractor will not be permitted to download, transfer, or access print data stored on the Device in either hard drive or chip memory. Only system management accessibility will be allowed.
c) Contractor shall ensure that delivery and performance of all Services shall adhere to the requirements and standards as outlined in each Participating State or Entity's Participating Addendum.

4.6.2. Sensitive Information. Sensitive information that is contained in any Legacy Equipment or applications shall be encrypted if practical. In addition, sensitive data will be encrypted in all newly developed applications. Since sensitive information is subjective, it shall be defined by each Participating State or Entity in their Participating Addendum.

4.6.3. Data Breach. Contractor shall have an incident response process that follows National Institute of Standards and Technology (NIST) standards as referenced in Special Publication 800-61, Revision 2 (available at http://dx.doi.org/10.6028/NIST.SP.800-61r2) and includes, at a minimum, breach detection, breach notification, and breach response.

4.6.4. Authentication and Access
a) Any network connected Device must offer authentication for all features via LDAP and/or Windows AD, as well as the ability to disable authentication for any or all features.
b) Any network connected Device must have the ability to connect via Dynamic Host Configuration Protocol (DHCP) or Static IP address.
c) The credential information for any remote authentication method may not be maintained within the Device's memory.
d) Access to the Device's administrative functions must be password protected per the Participating State or Entity requirements, and the default settings must be changed at the time of Equipment installation.

4.6.5. Hard Drive Removal and Surrender
a) Contractor shall ensure that all hard drive data is cleansed and purged (if capable) from the Device at the end of its Useful Life, or when any hard drive leaves the Purchasing Entity's possession; or
b) At the Participating State or Entity's discretion, Contractor shall remove the hard drive from the applicable Device and provide the Purchasing Entity with custody of the hard drive before the Device is removed from the Purchasing Entity's location, moved to another location, or any other disposition of the Device. The Purchasing Entity shall then be responsible for securely erasing or destroying the hard drive.
c) If Contractor takes possession of any Device at the Purchasing Entity's location, then they shall also remove any ink, toner, and associated Supplies (drum, fuser, etc.) and dispose of them in

Page 38
Copiers and Managed Print Services - RFP-NP-18-001, NASPO ValuePoint Master Agreement Terms and Conditions, CMS # 140603