Sec. 10.10.11.22. BAR Information Security — Technical Security Measures

  • A trusted partner shall establish a system of technical security measures to protect BAR information integrity, confidentiality, and availability, which include:

    A. A BAR information security assessment to determine the sensitivity, vulnerabilities, and security of the trusted partner's programs and operations related to the BAR information the trusted partner:

    (1) Receives;

    (2) Views;

    (3) Manipulates;

    (4) Stores; or

    (5) Transmits;

    B. An information system certification based on a technical evaluation as part of and in support of the security process, which establishes the extent to which the trusted partner's computer system used for BAR information meets the security requirements of this chapter;

    C. Establishing and utilizing procedures and processes to guard against unauthorized access to BAR information by using:

    (1) Access controls that include:

    (a) Emergency role-based access of BAR information that documents the instructions for obtaining BAR information during a crisis;

    (b) User-based access; and

    (c) The use of encryption and decryption;

    (2) An alarm that can sense an unauthorized access within the computer system and produce a signaled response such as a:

    (a) System closure;

    (b) Time-phased automatic shutdown and restart cycle; or

    (c) Screen indicating a multiple password failure lockout;

    (3) Audit controls that record and examine system activity;

    (4) Audit trails of the use of and access to BAR information collected and used to facilitate a security audit; and

    (5) Event reporting that shows a screen message indicating an unauthorized request for BAR information access.

    D. Establishing procedures and processes for computer system authorization control for an individual to obtain access for the use and disclosure of BAR information, which include:

    (1) Role-based access;

    (2) User-based access;

    (3) BAR information authentication that corroborates that BAR information has not been altered or destroyed in an unauthorized manner by using a:

    (a) Message authentication code; or

    (b) Digital signature;

    (4) BAR information custodian authentication that includes:

    (a) Automatic logoff that causes an electronic session to terminate after a predetermined time of inactivity; and

    (b) A unique user identifier:

    (i) Made up of a combination of alpha and numeric characters; and

    (ii) Maintained in security procedures for identifying and tracking individual user identity; and

    (5) A logon mechanism using a:

    (a) Password;

    (b) Personal identification number (PIN);

    (c) Token; or

    (d) Any combination of §D(5)(a)-(c) of this regulation;

    E. A security configuration management plan that includes:

    (1) A written security plan documenting the rules, procedures, and instructions concerning all components related to BAR information security;

    (2) Hardware and software installation and maintenance reviews;

    (3) Security testing to ensure that the selected security features are:

    (a) Implemented as designed; and

    (b) Adequate for the operational environment; and

    (4) Virus checking on a routine and regular basis;

    F. Security incident procedures that describe how to:

    (1) Report security incidents and breaches; and

    (2) Respond to and take action as a result of the receipt of a security incident report; and

    G. Sanction policies and procedures describing the disciplinary actions and notice of possible civil or criminal penalties an individual may be subject to for misuse or misappropriation of BAR information.