3.7.1

3.7.1.1 All Contractor Personnel not in possession of a State badge shall display his or her company identification badge at all times while on State premises. Upon request of State personnel, each such employee or agent shall provide additional photo

identification.

3.7.1.2 At all times at any State facility, the Contractor Personnel shall cooperate with State site requirements that include but are not limited to being prepared to be escorted at all times, providing information for badge issuance, and wearing the badge in a visual location at all times.

Information Technology 3.7.2

3.7.2.1 The Contractor and Contractor Personnel shall comply with and adhere to the State IT Security Policy and Standards. These policies may be revised from time to time and the Contractor shall comply with all such revisions. Updated and revised versions of the State IT Policy and Standards are available

at: www.doit.maryland.gov - search: Security Policy. 3.7.2.2 The Contractor shall:

1) Ensure that State information is protected with reasonable Security Measures.

2) Promote and maintain among the Contractor’s employees and agents an awareness of the security needs of the State's information,

3) Safeguard the confidentiality of information and the integrity and

availability of data while it is created, entered, processed, communicated, transported, disseminated, stored, or disposed of by means of

information technology,

4) Ensure that appropriate Security Measures are put in place to protect the Contractor’s internal systems from intrusions and other attacks, whether internal or external, e.g., message interception, tampering, redirection, or repudiation.

3.7.2.3 The Contractor and Contractor Personnel shall not connect any of its own equipment to a State LAN/WAN without prior written approval by the State. The Contractor shall complete any necessary paperwork for security access to sign on at the State's site if access is granted to the State's LAN/WAN, as directed and coordinated with the Contract Manager as deemed appropriate by the State.

3.7.2.4 The Contractor shall provide diagrams that detail its schema for network, server, and transaction security.

3.7.2.5 The State requires data confidentiality, as through the use of a standardized and widely distributed tool such as SSL.

3.7.2.6 The State requires data confidentiality, integrity and non-repudiation of transactions. 3.7.2.7 Full audit trails must be maintained for transactions.

3.7.2.8 Access control must also be strictly enforced and audited.

3.7.2.9 Any and all remote administration of the hardware, operating system, or application software will require the use of strong, dual-factor authentication techniques such as token-based or challenge-response methods.

Ownership of Information and Privacy 3.7.3

Protection of the State’s data and all Sensitive Data must be an integral part of the business activities of the Contractor. To this end, the Contractor shall comply with the following conditions:

a) The Contractor shall notify the Contract Manager of any Web Applications, new requirements, data elements, or cloud solution components that may result in Contractor and/or a Subcontractor handling Sensitive Data.

b) Data, databases and derived data products created, collected, manipulated, or directly purchased as part of the Contract shall become the property of the State. The Agency or Requesting Agency, as appropriate, is considered the custodian of the data and shall determine the use, access, distribution and other conditions based on appropriate State statutes and regulations.

c) Licensed and/or copyrighted data shall be governed by the terms and conditions identified in the Contract or the license.

d) At no time will any information belonging to or intended for the State be copied, disclosed, or retained by the Contractor or any party related to the Contractor for subsequent use in any transaction that does not include the State.

e) Information obtained by the Contractor in the performance of this Contract will become and remain property of the State. The Contractor does not have any ownership over data at any time.

f) The Contractor may not use any information collected in the performance of this Contract for any purpose other than fulfilling the Contract.

g) The Contractor must comply with all privacy policies established by governmental agencies or State or federal law.

h) Privacy policy statements as may be developed and amended from time to time by the State will be appropriately displayed on agency web pages.

Security Clearance / Criminal Background Check 3.7.4

Security clearances may be required by some State agencies and will be identified as such in a Work Order.

a) The Contractor shall obtain a Criminal Justice Information System (CJIS) State and Federal criminal background check, including fingerprinting, for

Contractor Personnel under a Work Order. This check may be performed by a public or private entity. A successful CJIS State criminal background check shall be completed prior to any Contractor Personnel providing services on-site at any location covered by the Work Order.

b) The Contractor shall provide certification to the Requesting Agency that the Contractor has completed the required CJIS criminal background checks and that the Contractor’s Personnel have successfully passed this check. The State reserves the right to refuse any individual employee to work on State premises, based upon certain specified criminal convictions, as specified by the State.

c) The CJIS criminal record check of each employee who will work on State premises shall be reviewed by the Contractor for convictions of any of the following crimes described in the Annotated Code of Maryland, Criminal Law Article:

i. §§ 6-101 through 6-104, 6-201 through 6-205, 6-409 (various crimes against property);

ii. any crime within Title 7, Subtitle 1 (various crimes involving theft); iii. §§ 7-301 through 7-303, 7-313 through 7-317 (various crimes

involving telecommunications and electronics);

iv. §§ 8-201 through 8-302, 8-501 through 8-523 (various crimes involving fraud);

v. §§9-101 through 9-417, 9-601 through 9-604, 9-701 through 9-706.1 (various crimes against public administration); or

vi. a crime of violence as defined in CL § 14-101(a).

d) Contractor Personnel who have been convicted of a felony or of a crime involving telecommunications and electronics from the above list of crimes shall not be permitted to work on State premises under this Contract; an employee of the Contractor who has been convicted within the past five (5)

years of a misdemeanor from the above list of crimes shall not be permitted to work on State premises.

e) A Work Order may impose more restrictive conditions regarding the nature of prior criminal convictions that would result in Contractor Personnel not being permitted to work on a Requesting Agency’s premises. Upon receipt of more restrictive conditions regarding criminal convictions, the Contractor shall provide an updated certification to Requesting Agency regarding the Contractor Personnel working at or assigned to that Requesting Agency’s premises.

On-site Security Requirement(s) 3.7.5

On-site security requirement(s) may be required by some State agencies and will be identified as such in a Work Order. For all conditions noted below, Contractor

Personnel may be barred from entrance or leaving any site until such time that the State conditions and queries are satisfied.

a) Any Contractor Personnel who enters the premises of a facility under the jurisdiction of the agency may be searched, fingerprinted (for the purpose of a criminal history background check), photographed and required to wear an identification card issued by the agency.

b) Further, the Contractor Personnel shall not violate Md. Code Ann., Criminal Law Art. Section 9-410 through 9-417 and such other security policies of the agency that controls the facility to which access by the Contractor will be necessary. The failure of any of the Contractor’s or subcontractor’s employees or agents to comply with any provision of the Contract that results from award of this solicitation is sufficient grounds for the State to immediately terminate the Contract for default.

c) Some State sites, especially those premises of the Department of Public Safety and Correctional Services, require each person entering the premises to

document an inventory items (such as tools and equipment) being brought onto the site, and to submit to a physical search of his or her person. Therefore, the Contractor’s Personnel shall always have available an inventory list of tools being brought onto a site and be prepared to present the inventory list to the State staff or an officer upon arrival for review, as well as present the tools or equipment for inspection. Before leaving the site, the Contractor’s Personnel will again present the inventory list and the tools or equipment for

inspection. Upon both entering the site and leaving the site, State staff or a correctional or police officer may search Contractor Personnel.

Data Protection and Controls 3.7.6

3.7.6.1 Data Protection

A. Contractor and/or Subcontractor shall implement Security Measures to protect State data that are no less rigorous than accepted industry practices, such as the current Control Objectives for Information and Related Technology (COBIT) framework

(http://www.isaca.org/Knowledge-Center/COBIT/Pages/Overview.aspx) or similar applicable industry standards for information security, and shall ensure that all such safeguards, including the manner in which State data is collected, accessed, used, stored, processed, disposed of and disclosed comply with applicable data protection and privacy laws as well as the terms and conditions of this Contract.

B. To ensure appropriate data protection safeguards are in place, the Contractor and/or Subcontractor shall at minimum implement and maintain the following at all times for all Web Services provided:

1. Apply hardware and software hardening procedures as recommended by the manufacturer to reduce the surface of vulnerability. These procedures may include but are not limited to removal of unnecessary software, disabling or removing of unnecessary services, the removal of unnecessary usernames or logins, and the deactivation of unneeded features in configuration files.

2. Ensure that State data is not comingled with the Contractor’s and/or Subcontractor’s other clients’ data through the proper application of compartmentalization security measures.

3. Apply data encryption to protect State data, especially Sensitive Data, from

improper disclosure or alteration. Data encryption shall be applied to State data in transit over networks, to State data when archived for backup purposes, and, where possible, State data at rest. Encryption algorithms which are utilized for this purpose must comply with current National Institute of Standards and Technology recommendations contained in NIST Special Publication 800-131a

(csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf).

4. Enable appropriate logging parameters on systems supporting the State to monitor user access activities, authorized and failed access attempts, system exceptions, and critical information security events as recommended by the operating system and application manufacturers and information security standards, including State of Maryland Department of Information Security Policy, as amended from time to time.

5. Retain the aforementioned logs and review them at least daily to identify suspicious or questionable activity for investigation and documentation as to their cause and remediation, if required.

6. Ensure Web Application and network environments are separated by properly configured and updated firewalls to preserve the protection and isolation of State data from unauthorized access as well as the separation of production and non- production environments.

7. Restrict network connections between trusted and untrusted networks by physically and/or logically isolating components from unsolicited and unauthenticated network traffic.

8. Review at regular intervals the aforementioned network connections, documenting and confirming the business justification for the use of all service, protocols, and ports allowed, including the rationale or compensating controls implemented for those protocols considered insecure but necessary.

9. Establish policies and procedures to implement and maintain mechanisms for regular vulnerability testing of operating system, application, and network devices. Such testing is intended to identify outdated software versions; missing software patches; device or software misconfigurations; and to validate compliance with or deviations from the Contractor’s and/or Subcontractor’s security

policy. Contractor shall evaluate all identified vulnerabilities for potential adverse effect on the System’s security and integrity and remediate the vulnerability

promptly or document why remediation action is unnecessary or unsuitable. 10. Enforce strong user authentication and password control measures to minimize the

opportunity for unauthorized access to Sensitive Data through compromise of the user access controls. Such measures are outlined in the State of Maryland

Department of Information Technology’s Information Security Policy, including specific requirements for password length, complexity, history, and account lockout. The State IT Security Policy and Standards may be revised from time to time and the Contractor shall comply with all such revisions. Updated and revised versions of the State IT Policy and Standards are available online at:

www.doit.maryland.gov – keyword: Security Policy.

11. Ensure Sensitive Data is not processed, transferred, or stored outside of the United States.

3.7.6.2 Access to Security Logs and Reports

The Contractor shall provide reports to the State in a mutually agreeable format. Reports shall include latency statistics, user access, user access IP address, user access history and security logs for all State files related to this Contract, separated by Operational Baseline Support and Work Orders not related to Operational Baseline Support.

In document Department of Information Technology (DoIT) REQUEST FOR PROPOSALS (RFP) DoIT Cloud Hosting and Web Shared Services. SOLICITATION No. (Page 57-62)