a. Access - The system shall provide Single Sign On (SSO) capability for County users using the County’s Enterprise Identity & Access Management Directory (based upon Microsoft Azure Active Directory). - The System shall provide the ability to define role-based access with different security groups. - The System shall return generic errors messages to the client, to avoid disclosure of sensitive information (e.g., login failure, database error, application error). - Access to County data shall be limited only to the bidder or Service Provider's personnel to perform work necessary as defined in the scope of services. The Public Health Contract Manager shall be notified in writing of any third-party which the bidder is required to share County data. The notification shall address what type of information/data is being shared and how the program participants can “opt-out”. b. Data, Backup, and Recovery - The bidder shall provide all raw data to the County when requested or at the end of the project/contract in a format mutually agreed upon. - The System shall provide the ability to automatically export all system data. - All system data center(s) and backup/replication locations shall reside in the Continental United States. - The System shall perform backups with no adverse effect on performance. - At minimum, System data shall be backed up daily. - The bidder shall have a clear way to address how data and system security are protected from disruption and loss in the event of disaster, emergency, and security breaches. System shall be monitored to ensure the effectiveness of security controls. The bidder shall promptly notify the County Project Manager and Departmental Security Officer within twenty-four (24) hours of when there is a suspected system breach. - The bidder shall have the ability to restore data or portions of data within 8 hours after request is made. - The System shall ensure that all data from the past 6 months is backed up and accessible for retrieval purposes. c. Infrastructure and Hosting Environment - The System shall keep all components updated with current antivirus, operating system, and security patches. (e.g., endpoint, host, network, application). - The hosted environments shall implement security best practices and monitoring including: Host Intrusion Prevention (HIPS) and Detection (HIDS) system, Network Intrusion Prevention (NIPS) and Detection (NIDS) system, Web Application Firewall (WAF), Security Event and Information Management (SIEM), etc. - The hosted environment shall be comprised of software that has been fully tested, integrated and is accessible to County users. - The System shall be contained by a perimeter firewall to protect the network from external attacks. - The System shall have physical access controls in place to ensure appropriate access to IT resources in the hosted environment. - The System shall have measures to prevent the upload of unauthorized files (e.g., executable files). - The System shall undergo periodic web application vulnerability testing/scanning (e.g., source code, run time). - The System shall have separate physical and logical environments (e.g., development, quality assurance, user acceptance testing, staging, production, training environments). - Management access to Infrastructure and Hosting shall be secured by multi-factor authentication (MFA) and use Transport Layer Security (TLS) protocol (1.2 or higher) to ensure secure access.
