Specifications include, but are not limited to: 1.1.1. Support State IT security policies and standards, which includes the development, maintenance, updates, and implementation of security procedures with the State’s review and approval, including physical access strategies and standards, User ID approval procedures, and a security incident action plan. 1.1.2. Support the implementation and compliance monitoring as per State IT security policies and standards. 1.1.3. If the Contractor identifies a potential issue with maintaining an “as provided” State infrastructure element in accordance with a more stringent State level security policy, the Contractor shall identify and communicate the nature of the issue to the State, and, if possible, outline potential remedies for consideration by the State. 1.1.4. Support intrusion detection and prevention, including prompt State notification of such events and reporting, monitoring, and assessing security events. 1.1.5. Provide vulnerability management services for the Contractor’s internal secure network connection, including supporting remediation for identified vulnerabilities as agreed. At a minimum, the Contractor shall provide vulnerability scan results to the State monthly. 1.1.6. Develop, maintain, update, and implement security procedures, with State review and approval, including physical access strategies and standards, ID approval procedures and a security incident response plan. 1.1.7. Manage and administer access to the systems, networks, system software, systems files, State data, and end users if applicable. 1.1.8. Install and maintain current versions of system software security, assign and reset passwords per established procedures, provide the State access to create User IDs, suspend and delete inactive User IDs, research system security problems, maintain network access authority, assist in processing State security requests, perform security reviews to confirm that adequate security procedures are in place on an ongoing basis, provide incident investigation support (jointly with the State), and provide environment and server security support and technical advice. 1.1.9. Develop, implement, and maintain a set of automated and manual processes to ensure that data access rules are not compromised. 1.1.10. Perform physical security functions (e.g., identification badge controls and alarm responses) at the facilities under the Contractor’s control.
