Current through Register Vol. 51, No. 19, September 20, 2024
A trusted partner shall establish and maintain administrative procedures to protect BAR information integrity, confidentiality, and availability, which include:

A. Entering and maintaining with the Department a trusted partner agreement that certifies that the trusted partner shall:
    (1) Establish and implement the policies and procedures to carry out the requirements of this chapter; and
    (2) Designate a BAR information custodian;

B. Establishing and implementing a contingency plan for protecting confidentiality of and access to BAR information when responding to a disaster or computer information system emergency, which includes:
    (1) Preparing critical facilities that can be used to facilitate continuing protection of BAR information in the event of an emergency;
    (2) Disaster recovery procedures to follow in the event of:
        (a) Fire;
        (b) Vandalism;
        (c) Natural disaster; or
        (d) Computer information system failure;
    (3) An emergency mode operation plan that includes procedures for assuring continuing protection of BAR information when the trusted partner continues to operate in the event of:
        (a) Fire;
        (b) Vandalism;
        (c) Natural disaster; or
        (d) Computer information system failure; and
    (4) Testing and revising procedures that document the process of periodically testing the written contingency plan procedures to determine:
        (a) Weaknesses; and
        (b) The subsequent process of revising the procedures, if necessary;

C. A mechanism for the receipt, viewing, manipulation, storage, release, dissemination, and disposal of BAR information;

D. Information-use policies that ensure that BAR information is used only as specified in this chapter;

E. Internal audit procedures for:
    (1) Maintaining records of computer information system activity including:
        (a) Logons;
        (b) File accesses; and
        (c) Security incidents; and
    (2) Reviewing the records of computer information system activity for:
        (a) Breaches in security; and
        (b) Unauthorized access;

F. Personnel security procedures that ensure that only personnel who have the required authorizations and agency clearances have access to BAR information by:
    (1) Providing oversight of unauthorized personnel when the personnel are performing their duties near BAR information, which includes:
        (a) Supervision of maintenance personnel by an authorized and knowledgeable individual; and
        (b) Assuring that unauthorized or unsupervised operating and maintenance personnel do not have and cannot acquire access to BAR information;
    (2) Maintaining and reviewing a record of access authorizations that documents the levels of access granted to an individual accessing BAR information;
    (3) Establishing personnel clearance procedures as a protective measure applied to determine that an individual's access to BAR information is permissible; and
    (4) Ensuring that BAR information computer information system users, including maintenance personnel, receive security awareness training;

G. Employee termination procedures for ending an employee's employment or a user's access to BAR information, which includes:
    (1) Changing locks, lock combinations, or keypad codes when personnel knowledgeable of locks, lock combinations, or keypad codes no longer need to:
        (a) Know the information; or
        (b) Access BAR information;
    (2) Removal from access lists, including physical eradication of an individual's access privileges;
    (3) Termination or deletion of an individual's access privileges to BAR information for which the individual currently has authorization and need-to-know access when the authorization and need-to-know access no longer exists; and
    (4) Returning to the trusted partner any access devices, such as:
        (a) Keys;
        (b) Tokens;
        (c) Badges; or
        (d) Cards; and

H. Training for all personnel concerning the vulnerabilities of the BAR information and ways to ensure the protection of BAR information, which include:
    (1) Awareness training including:
        (a) Password maintenance;
        (b) Security incident reporting; and
        (c) Viruses and other forms of malicious software;
    (2) Periodic security reminders of security concerns; and
    (3) User education in:
        (a) What to do if a virus is detected;
        (b) Monitoring logon success or failure;
        (c) How to report discrepancies; and
        (d) Password management, including the:
            (i) Rules to be followed in creating and changing passwords; and
            (ii) Need to keep passwords confidential.