Document Title: Information Governance Certification Requirements for Vendor IT Proposals and Internal Government Application Development

Transcription

TITLE: INFORMATION GOVERNANCE CERTIFICATE REQUIREMENTS
MASON - NSF VIRGINIA CITY AND COUNTY CYBERSECURITY PARTNERING, LEADERSHIP AND GOVERNANCE
Document Reference Number: VA Series-02
Last Updated 2/28/2018
NSF PROJECT NO. 1623653

Document Title: Information Governance Certification Requirements for Vendor IT Proposals and Internal Government Application Development [1] [2]

Document Type: Vendor Checklist

Document Purpose: This document is used in identifying vendors or proposals that meet requirements necessary for Government to sustain and ensure an adequate foundation for the development and implementation of secure information technology practices. Elements are included for issues relative to HIPAA Privacy, Security, and Records Management compliance in general.

Scope of Application: This Certification is required for information technology responses to Requests for Proposals (RFPs) or for internal Government application development proposals. It applies to all application data in transit, at rest, used and stored in support of government business. This certification is also required for any outsourced SaaS, CLOUD, or other off-site data services in support of government business. On-site vendors with access to Government information resources are in addition required to abide by all policies and procedures of Government, Virginia.

The template is comprised of four sections:

1. Standard
This section includes the requirements to be addressed. Those requirements can take the form of a question or a statement.

2. Does Your System Comply?
The responder shall provide a high-level response to the Standard. The answers can be YES, NO, or Alternative (ALT). The responder MUST check one of the three boxes to indicate their position or solution capability. If the ALT box is checked, the responder must provide a high-level explanation of the alternative in the “Comments/Plans for Meeting Compliance” section. If supplemental information is requested within the System Compliance column, an answer MUST be provided.

3. Where in Your Proposal is the Solution Described?
In this section the responder shall insert the technical proposal reference to the details of the solution. It should be specific (e.g., volume, chapter/section, page and paragraph heading) as to where the answer can be found. Failure to provide the reference, or an incorrect reference, shall be considered a NO answer. The procurement office and other Government departments will not search for the correct reference location.

4. Comments/Plans for Meeting Compliance
In this section the responder may provide any high-level comments that clarify a response in the “Does System Comply” section. It is especially important for responders to use this section to explain ALT (alternative) responses. An alternative response can include a statement of future development, or a solution that addresses the requirement but is not a direct answer/solution to it. This section MUST NOT be used for detailed descriptions of the response.

[1] This policy template is based on policies provided by Arlington County as a response to the call, by the Mason NSF project (No. 1623653), for cybersecurity partnership and information sharing among cities and counties.

[2] As used in this document, (i) “Government” means XXX County/City Government, (ii) “CIO” means Chief Information Officer or his/her designee, (iii) “Department of Technology and Information Services” or “DTS” refers to the department that manages the Information Communication Technology, (iv) “CISO” means the Chief Information Security Officer or his/her designee, (v) “Communications Office” refers to the department or designee that manages communications and public relations, (vi) “Chief Records Management Officer” or CRO means the officer that manages Government records policies and enforcement.

Checklist columns for every item below: Standards | Does System Comply? | Where in Your Proposal is the Solution Described? | Comments/Plans for Meeting Compliance

A. Description

A.1. System Name/Title:
A.2. Vendor/Developer:
A.3. RFP Reference Number:
A.4. Application Type:
A.5. Provide a copy or statement about your software development life cycle standards and approach.
A.6. Database Requirements:
     Yes: No: ALT:  If Yes or ALT, please specify.

A.7. User access controls are:
     - Built into the system
     - Standard operating system such as: Active Directory, LDAP, RACF
     - Database control such as: Oracle, DB2, SQL
     - Other (please specify)
A.8. List all additional system components required to make the proposed solution work, including any applets and/or plug-ins.

B. Password Controls

B.1. System enforced: specified strong password to include minimum length and combination of alpha and numeric characters.
     Yes: No: ALT:  Current Minimum:  Current Maximum:

B.2. System enforced: user passwords automatically changed or revoked after a user-defined period has passed.
     Yes: No: ALT:  Current Change Interval:
B.3. System enforced: users required to change their passwords following the initial set up or resetting of the password.
     Yes: No: ALT:
B.4. System enforced: system administrators may not disable password controls.
     Yes: No: ALT:
B.5. System prevents auto logon, application remembering, embedded scripts, and hard-coded passwords in software.
     Yes: No: ALT:
B.6. History of previously used passwords is maintained by the system to prevent reuse.
     Yes: No: ALT:  Current Value:
B.7. Users are provided the capability to change their own passwords at their discretion.
     Yes: No: ALT:
B.8. User IDs are disabled after a specified number of consecutive invalid login attempts.
     Yes: No: ALT:  Current # Attempts:

B.9. System automatically activates a password-protected screensaver when units remain idle for a determined period of time.
     Yes: No: ALT:
B.10. System automatically logs users off after a specified period of inactivity.
     Yes: No: ALT:  Current Auto Time:
B.11. Passwords entered in a non-display field.
     Yes: No: ALT:
B.12. Passwords encrypted when routed over a network.
     Yes: No: ALT:
B.13. Passwords are encrypted in storage.
     Yes: No: ALT:

C. Security Administration

C.1. System logs unauthorized access attempts by date, time, user id, device and location.
     Yes: No: ALT:
C.2. System maintains an audit trail of all security maintenance performed by date, time, user id, device and location, and the information is easily accessible.
     Yes: No: ALT:
C.3. System provides security reports of users and access levels.
     Yes: No: ALT:
C.4. System provides a field(s) for personal information to be used for verification of users’ identities for password resets and other maintenance (i.e., Mother’s Maiden Name, DOB, etc.). Fields used would not be a requirement.
     Yes: No: ALT:
C.5. System provides varying levels of access within the security application (i.e. access to only password reset functions, or access to the password reset function and access to add & update users).
     Yes: No: ALT:
C.6. System permits the assignment of designated Access Control Administrators.
     Yes: No: ALT:
C.7. System provides varying levels of access within the application.
     Yes: No: ALT:
C.8. System uses groups and unique user ids to define levels of access.
     Yes: No: ALT:
C.9. System provides the capability to place security controls on each system module and on confidential and critical levels within each module.
     Yes: No: ALT:
C.10. System provides capability to restrict access to particular records within the system, based on user id.
     Yes: No: ALT:

C.11. System provides capability of encryption of confidential or sensitive information stored locally on the device.
     Yes: No: ALT:
C.12. System provides capability of encryption of confidential or sensitive information transmitted over the network.
     Yes: No: ALT:
C.13. On-site training and sufficient supporting reference materials related to security administration for system administrators are provided prior to migration of product to production environment.
     Yes: No: ALT:
C.14. System provides centrally m…
     Yes: No: ALT:
C.15. … will operate as described in conjunction with the Government’s chosen anti-virus, anti-malware, and anti-spam protection software.
     Yes: No: ALT:
C.16. If this system stores PII, PPI or HIPAA data, has the Government Privacy Officer (HR Director) approved a Business Associate Agreement (BAA)?
     Yes: No: ALT:

D. Activity Logging

D.1. System logs unauthorized access attempts by date, time, user id, device and location.
     Yes: No: ALT:
D.2. System maintains an audit trail of all security maintenance performed by date, time, user id, device and location, and the information is easily accessible.
     Yes: No: ALT:
D.3. System logs all inquiry accesses to data.
     Yes: No: ALT:
D.4. System logs all modification accesses to data.
     Yes: No: ALT:
D.5. System has auditing capabilities for both online and batch reporting. Can also be exported into Government standard databases.
     Yes: No: ALT:
D.6. Can logs be archived and recalled as needed?
     Yes: No: ALT:  Number of days:  Archive methods: Tape / Disk / Other

E. Networking and Compatibilities

E.1. Provide a diagram of the recommended network connectivity, interfaces, and data exchanges required for the proposed solution. Include a description and any additional explanation necessary to explain the method of interaction (e.g., read/write, synchronous/asynchronous).
E.2. System configuration/architecture (i.e., hardware, wiring, display, network, and interface) is documented and included in the proposal.
     Yes: No: ALT:
E.3. Does your solution support external data transmission? Please indicate the method(s) supported.
     Yes: No: ALT:
     Methods: Secure FTP / Fax / Email / File Copies (CD, Diskette, etc.) / Browser applications / Tape media / Web services / Other:
E.4. For externally electronically transmitted information, can the solution support encryption and data protection?
     Encryption: Yes: No: ALT:
     Data Protection: Yes: No: ALT:
E.5. For wireless transmission of data, does the system support the Government wireless standards?
     Yes: No: ALT:
E.6. Can the system be accessed remotely (i.e. Internet, etc.)? If applicable, provide an explanation of your wireless transmission requirements for the proposed solution.
     Yes: No: ALT:
E.7. For management and vendor support, can the system support secure remote access (VPN/Dual Factor Authentication)?
     Yes: No: ALT:
E.8. What anti-virus and end-point security software is the proposed solution compatible with? Provide version details with the answer.
     Yes: No: ALT:

F. Contingency, Continuity, & Back-up

F.1. What is your back-up policy for the proposed solution?
     Yes: No: ALT:  Not applicable, Government supported:
F.2. For vendor supported, maintained, and managed solutions, is there a Business Continuity Plan and a Disaster Recovery Plan?
     Yes: No: ALT:  Not applicable, Government supported:
F.3. Does your solution automatically monitor database capacity requirements to reduce the risk of system overload? If yes, is a warning alert provided to the system administrator?
     Yes: No: ALT:  Warning alert provided:  Not applicable, Government supported:
F.4. In the event of an identified vulnerability to or within the system, are there designated technical support personnel available to assist Government with eliminating or mitigating the vulnerability?
     Yes: No: ALT:
F.5. In the event of an identified vulnerability, will there be a zero-day vendor response team assigned to provide support to Government IT administrator(s)?
     Yes: No: ALT:

F.6. In the event of an incident or hardware/software fault, does the application support redundant auto failover, i.e. seamlessly transition the application to the redundant platform?
     Yes: No: ALT:

G. Records Retention

G.1. Please describe (in detail) the type of information to be stored in the proposed system.
     Yes: No: ALT:
G.2. Are you aware of existing records retention requirements for the content (see Virginia Records Retention Requirements [3])? If yes, please state the requirements.
     Yes: No: ALT:
G.3. Are you proposing to store any Personally Identifying Information in the system (SSN, Driver’s License, financial information, etc.)? If so, please describe the business need and safeguards in place to secure the information.
     Yes: No: ALT:

[3] …ies/records/retention.asp

G.4. Does the system allow for records to be protected from unauthorized modification or deletion?
     Yes: No: ALT:
G.5. Does the system allow for records to be tagged (classified) and assigned a retention policy/schedule ensuring that the record is retained pursuant to the policy?
     Yes: No: ALT:
G.6. Does the system allow for automated destruction/deletion of records that have met or exceeded the required retention schedule?
     Yes: No: ALT:
G.7. Does the system allow for automated destruction to be suspended in the event of anticipated litigation and/or investigation (legal hold)?
     Yes: No: ALT:
G.8. Does the system allow for retrieval and production of information for e-discovery and FOIA compliance?
     Yes: No: ALT:
G.9. If the system does not contain any of the required functions identified in G.4. – G.8., have you ensured that it integrates with Government systems that do contain the functionality? If yes, please describe your solution.
     Yes: No: ALT:

H. Data Security/Privacy

H.1. If this system stores HIPAA or PII data, is the data secured through encryption?
     Yes: No: ALT:
H.2. If this system is capable of utilizing GPS for tracking purposes, has Terms and Conditions of use language been prepared?
     Yes: No: ALT:
H.3. If this is a public-facing application and GPS is potentially part of the offering, has a straw man education and promotion package been prepared?
     Yes: No: ALT:
