10 Miss. Code. R. 501-4.1

Current through December 10, 2024
Rule 10-501-4.1 - SECURITY OF DATA

The third-party contractor will establish a framework to initiate and control the implementation of security policies and standards for the SLDS Governing Board. The Governing Board will ensure that the State Data Clearinghouse's security posture is adequate and compliant with the Department of Information Technology Services' Enterprise Information Security Plan and that an organizational structure is in place that focuses on information security.

In addition, the third-party contractor shall establish processes and procedures for incident reporting objectives, goals and deliverables identified in the ITS Enterprise Security Policy and ITS Enterprise Information Security Plan.

All data transferred from individual governmental entities contributing data to LifeTracks to the third-party contractor shall be held in a secure file location that is accessible only by authorized third party contractor personnel. This access limitation shall be enforced by third party contractor and board approved industry standard file access locks and an independent security system. The permissions structure shall be designed to only allow authorized users to access files. The independent security system shall be implemented to guard access to sensitive file storage areas and provide robust augmentation of security provided through file access locks and credentialing.

The third-party contractor shall perform appropriate background checks and screening of all employees that have any access to the clearinghouse data.

The third-party contractor shall employ technical safeguards to ensure personal information transmitted over an electronic communications network is not accessed by unauthorized persons or groups. Encryption shall be used when PII are in transit or at rest. Unencrypted PII shall not be transmitted over public networks to third parties.

The third-party contractor shall employ data integrity procedures that protect PII including mechanisms to authenticate records and corroborate that they have not been altered or destroyed in an unauthorized manner.

The third-party contractor shall implement a risk assessment strategy plan that is updated annually which includes access and control processes, security risks, threats and vulnerabilities assessments, and methods for managing risks and incidents.

The third-party contractor shall maintain and update the incident response plan that establishes procedures to follow in case a breach occurs and processes for notifying organizations in the event of unauthorized acquisition of files or documents. The third-party contractor shall be subject to an annual external data security audit conducted by the Mississippi Office of the State Auditor.

Miss. Code Ann. § 37-154-3
Amended 9/3/2021