Sec. 10.10.11.20. BAR Information Security Standards — Administrative Procedures  
  • A trusted partner shall establish and maintain administrative procedures to protect BAR information integrity, confidentiality, and availability, which include:

    A. Entering and maintaining with the Department a trusted partner agreement that certifies that the trusted partner shall:

    (1) Establish and implement the policies and procedures to carry out the requirements of this chapter; and

    (2) Designate a BAR information custodian;

    B. Establishing and implementing a contingency plan for protecting confidentiality of and access to BAR information when responding to a disaster or computer information system emergency, which includes:

    (1) Preparing critical facilities that can be used to facilitate continuing protection of BAR information in the event of an emergency;

    (2) Disaster recovery procedures to follow in the event of:

    (a) Fire;

    (b) Vandalism;

    (c) Natural disaster; or

    (d) Computer information system failure;

    (3) An emergency mode operation plan that includes procedures for assuring continuing protection of BAR information when the trusted partner continues to operate in the event of:

    (a) Fire;

    (b) Vandalism;

    (c) Natural disaster; or

    (d) Computer information system failure; and

    (4) Testing and revising procedures that document the process of periodically testing the written contingency plan procedures to determine:

    (a) Weaknesses; and

    (b) The subsequent process of revising the procedures, if necessary;

    C. A mechanism for the receipt, viewing, manipulation, storage, release, dissemination, and disposal of BAR information;

    D. Information-use policies that ensure that BAR information is used only as specified in this chapter;

    E. Internal audit procedures for:

    (1) Maintaining records of computer information system activity including:

    (a) Logons;

    (b) File accesses; and

    (c) Security incidents; and

    (2) Reviewing the records of computer information system activity for:

    (a) Breaches in security; and

    (b) Unauthorized access;

    F. Personnel security procedures that ensure that only personnel who have the required authorizations and agency clearances have access to BAR information by:

    (1) Providing oversight of unauthorized personnel when the personnel are performing their duties near BAR information, which includes:

    (a) Supervision of maintenance personnel by an authorized and knowledgeable individual; and

    (b) Assuring that unauthorized or unsupervised operating and maintenance personnel do not have and cannot acquire access to BAR information;

    (2) Maintaining and reviewing a record of access authorizations that documents the levels of access granted to an individual accessing BAR information;

    (3) Establishing personnel clearance procedures as a protective measure applied to determine that an individual's access to BAR information is permissible; and

    (4) Ensuring that BAR information computer information system users, including maintenance personnel, receive security awareness training;

    G. Employee termination procedures for ending an employee's employment or a user's access to BAR information, which includes:

    (1) Changing locks, lock combinations, or keypad codes when personnel knowledgeable of locks, lock combinations, or keypad codes no longer need to:

    (a) Know the information; or

    (b) Access BAR information;

    (2) Removal from access lists, including physical eradication of an individual's access privileges;

    (3) Termination or deletion of an individual's access privileges to BAR information for which the individual currently has authorization and need-to-know access when the authorization and need-to-know access no longer exists; and

    (4) Returning to the trusted partner any access devices, such as:

    (a) Keys;

    (b) Tokens;

    (c) Badges; or

    (d) Cards; and

    H. Training for all personnel concerning the vulnerabilities of the BAR information and ways to ensure the protection of BAR information, which include:

    (1) Awareness training including:

    (a) Password maintenance;

    (b) Security incident reporting; and

    (c) Viruses and other forms of malicious software;

    (2) Periodic security reminders of security concerns; and

    (3) User education in:

    (a) What to do if a virus is detected;

    (b) Monitoring logon success or failure;

    (c) How to report discrepancies; and

    (d) Password management, including the:

    (i) Rules to be followed in creating and changing passwords; and

    (ii) Need to keep passwords confidential.