6.1 INFORMATION SECURITY PROGRAM MANAGEMENT

The Contractor shall establish and maintain a framework to provide assurance that information security strategies are aligned with and support the State's business objectives, are consistent with applicable laws and regulations through adherence to policies and internal controls, and provide assignment of responsibility, in an effort to manage risk. Information security program management shall include, at a minimum, the following:

A. Establishment of a management structure with clear reporting paths and explicit responsibility for information security;
B. Creation, maintenance, and communication of information security policies, standards, procedures, and guidelines to include the control areas listed in the sections below;
C. Development and maintenance of relationships with external organizations to stay abreast of current and emerging security issues and for assistance, when applicable; and
D. Independent review of the effectiveness of the Contractor's information security program.

6.2 COMPLIANCE

The Contractor shall develop and implement processes to ensure its compliance with all statutory, regulatory, contractual, and internal policy obligations applicable to this Contract. Examples include, but are not limited to, the General Data Protection Regulation (GDPR), the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and IRS Publication 1075. The Contractor shall timely update its processes as applicable standards evolve.

A. Within ten (10) calendar days after award, the Contractor shall provide the State with contact information for the individual or individuals responsible for maintaining a control framework that captures statutory, regulatory, contractual, and policy requirements relevant to the organization's programs of work and information systems;
B. Throughout the solution development process, the Contractor shall implement processes to ensure security assessments of information systems are conducted for all significant developments and/or acquisitions, prior to information systems being placed into production; and
C. The Contractor shall also conduct periodic reviews of its information systems on a defined frequency for compliance with statutory, regulatory, and contractual requirements. The Contractor shall document the results of any such reviews.

6.3 PERSONNEL SECURITY

The Contractor shall implement processes to ensure all personnel having access to relevant State information have the appropriate background, skills, and training to perform their job responsibilities in a competent, professional, and secure manner. Workforce security controls shall include, at a minimum:

A. Position descriptions that include appropriate language regarding each role's security requirements;
B. To the extent permitted by law, employment screening checks are conducted and successfully passed for all personnel prior to beginning work or being granted access to information assets;
C. Rules of behavior are established and procedures are implemented to ensure personnel are aware of and understand usage policies applicable to information and information systems;
D. Access reviews are conducted upon personnel transfers and promotions to ensure access levels are appropriate;
E. The Contractor disables system access for terminated personnel and collects all organization-owned assets prior to the individual's departure; and
F. Procedures are implemented that ensure all personnel are aware of their duty to protect information assets and their responsibility to immediately report any suspected information security incidents.