(1) The data vendor must submit an annual report to the lead organization, the authority, and the office of the state chief information security officer that includes the following information:
(a) Summary results of its independent security assessment; and
(b) Summary of its penetration testing and vulnerability assessment results.
(2) The data vendor, upon reasonable notice, must allow access and inspections by staff of the office of the state chief information security officer to ensure compliance with state standards.
(3) The data vendor, upon reasonable notice, must allow on-site inspections by the authority to ensure compliance with laws, rules and contract terms and conditions.
(4) The data vendor must have data retention and destruction policies that are no less stringent than that required by federal standards, including the most current version of NIST Special Publication 800-88, Guidelines for Media Sanitization.
[Statutory Authority: RCW 41.05.021, 41.05.160 and 43.371.020. WSR 20-08-059, § 182-70-440, filed 3/25/20, effective 4/25/20. WSR 19-24-090, recodified as § 182-70-440, filed 12/3/19, effective 1/1/20. Statutory Authority: Chapter 43.371 RCW. WSR 17-08-079, § 82-75-440, filed 4/4/17, effective 5/5/17.]