TERMS OF SERVICE
SECUREACCESS WASHINGTON SERVICE
This Service is subject to and governed by the Customer’s separate signed Master Services Agreement (MSA) or Customer Service Agreement (CSA) as applicable, with Consolidated Technology Services (CTS), calling itself Washington Technology Solutions or “WaTech” for short. The reference to WaTech means the same as Consolidated Technology Services. This Agreement is entered into between you and CTS for the provision of CTS’ SecureAccess Washington Service. For the purposes of this agreement, “You” and “Customer” are used interchangeably and mean the entity to which CTS is providing service.
A. Service Description
The SecureAccess Washington (SAW) Service provides a secure single sign-on portal for external users to access government web applications.
SecureAccess Washington allows businesses and citizens to access multiple government services via the Internet with a single user ID and password that they create and manage themselves.
- Protects the location of network resources, data, and applications by masking the URL.
- Authenticates users before allowing access to requested applications or services.
- Allows only authenticated users to access applications and services based on partner agency approval and access control.
The basic service offering includes Identity Management, Identity Verification, Multifactor Authentication, and Reverse Proxy.
Additional services you can receive for an additional cost include Knowledge Based Authentication, professional services to assist with deployment or other issues unique to your environment, and
WaTech administers, maintains, and provides end user support for all services included in this service offering.
The Production environment will be available 24 hours a day, 7 days a week excluding scheduled maintenance periods during the third Tuesday of each month from 8:00 to 11:30 pm. The Test environment will be available Monday through Friday from 8:00 am to 5:00 pm. Maintenance to the Test environment is scheduled the first Tuesday of each month from 8:00 to 10:30 am. A brief service impact is possible for up to 10 minutes while a system is restarted for installation of system patches or software updates when necessary. WaTech will coordinate with the Customer in advance of any scheduled maintenance that is outside of the regular maintenance window or when the impact duration is expected to exceed 10 minutes.
WaTech technical and operational staff monitor availability and performance of this service. WaTech contracts with system software and hardware vendors to provide extended technical support whenever system problems and degradation require vendor intervention. In the event of system problems or service degradation, notification to customers will be made through all appropriate contact names listed in this agreement.
WaTech conducts operations in accordance with industry best practices to ensure that the service level goal is 99.7%, excluding scheduled maintenance periods. WaTech will use generally accepted information technology management practices and tools to ensure every reasonable effort is made to meet the service level defined above.
WaTech will provide restoration services in the form of system backups for onsite and off-site storage on a scheduled basis. In the event system restoration is needed, WaTech will restore the system from the last backup that supports the most complete functionality.
WaTech offers disaster recovery that will provide customers with limited service functionality and capability until the primary site is fully restored. Recovery exercises are conducted biannually in accordance with the WaTech exercise schedule.
The SecureAccess Washington Enabled Agency Portal service fees can be found on the WaTech website: https://watech.wa.gov/solutions/it-services/SecureAccess-Washington. These include fees for setup, professional services, and user identity verification.
Additional fees are as follows:
- Deployment of Knowledge Based Authentication is charged separately pursuant to the pricing stated at: https://watech.wa.gov/solutions/it-services/SecureAccess-Washington.
- Professional Services, additional information located at: https://watech.wa.gov/solutions/it-services/SecureAccess-Washington.
WaTech shall furnish the necessary personnel, equipment, materials and/or services and otherwise do all things necessary for or incidental to the performance of work as set forth below:
- The service will be available 24 hours a day, 7 days a week, excluding scheduled maintenance periods.
- WaTech will configure and maintain the SAW platform including all appliances, servers, virtual machines, applications, and operating systems.
- WaTech will ensure the SAW service provides Identity Management, Identity Verification, Multi-Factor Authentication, and Reverse Proxy in accordance with industry standards.
- Identity Management includes the process to create, store and retrieve user credentials that are required to validate and authorize secure access to the SAW portal as well as partner agency applications or services.
- Identity Verification provides a higher level of confidence about a user’s true identity for applications and services that require a higher level of authorization.
- Multi-Factor Authentication is a security feature which requires users to provide additional information beyond their username and password to access applications containing sensitive data.
- Reverse Proxy includes the process to securely retrieve resources on behalf of a client from one or more backend servers by masking the URL and protecting the location of network resources, data, and applications.
- WaTech will configure and maintain the SAW portal content on secureaccess.wa.gov.
- WaTech will provide assistance with and end user support for the SAW platform and portal excluding assistance that is specific to the access, operation, and functionality of Customer applications and other applicable resources to include third party hardware, software, and services.
- WaTech will assign the Customer the appropriate level of system access necessary to perform authorized functions in accordance with their delegated roles as listed in this agreement.
- WaTech will configure and maintain security policy settings on the SAW platform to protect against known security risks in accordance with regulatory and industry standards, guidelines, and best practices. This may cause legacy Customer applications or Customer applications using vulnerable technologies to behave unexpectedly.
- WaTech will log all system access and configuration changes that occur on the SAW platform.
- WaTech will report any observed security breaches or suspicious activity on the SAW platform to the Customer.
- WaTech will ensure the SAW platform is in compliance with the State of Washington OCIO IT Security Policy and Standards.
- WaTech will ensure Customer has an approved Security Design Review on file with the Washington State Office of Cyber Security before Customer applications and other applicable resources to include third party hardware, software, and services are integrated with the SAW platform.
- WaTech will ensure Customer applications and other applicable resources to include third party hardware, software, and services are compliant with regulatory and industry standards, guidelines, and best practices before, during and after integration with the SAW platform and will notify appropriate WaTech and Washington State Office of Cyber Security representatives at any point in time that they are determined not to be in compliance.
- Services required for agency use of this Service, that are outside the scope of this Terms of Service, will be documented in a separate Service Level Agreement. The SLA will include all associated fees and costs with the Professional Services and will be mutually agreed to and signed prior to WaTech performing any of the Services.
⇒ WaTech Responsibilities for Knowledge Based Authentication – Additional Fee
Knowledge-based authentication, commonly referred to as KBA, is a method of authentication which seeks to prove the identity of someone accessing a service, such as a website. As the name suggests, KBA requires the knowledge of personal information of the individual to grant access to the protected material. The terms governing use of the additional service are available at https://secureaccess.wa.gov/privacy-notice.html.
- WaTech will configure a subaccount for each agency using this service with the external party providing the service.
- WaTech will provide billing detail from the vendor to each agency consuming the service.
- WaTech will maintain the universal rulesets and settings regarding the use of LexisNexis services.
- Customer agrees to comply with Washington State OCIO IT Security Policy and Standards at all times.
- Customer agrees to comply with WaTech policies, standards and best practices for developing and integrating applications and other applicable resources including third party hardware, software and services with the SAW platform at all times.
- Customer agrees to complete and have an approved Security Design Review on file with the Washington State Office of Cyber Security before Customer applications and other applicable resources to include third party hardware, software, and services are integrated with the SAW platform.
- Customer agrees that applications and other applicable resources to include third party hardware, software, and services will be configured and maintained in a manner that is compliant with regulatory and industry standards, guidelines, and best practices before, during and after integration with the SAW platform.
- Customer agrees to review any changes to applications and other applicable resources to include third party hardware, software, and services that are integrated with and could impact the SAW platform prior to making such changes. If recommended, Customer also agrees to complete and have an approved Security Design Review on file with the Washington State Office of Cyber Security prior to making such changes.
- Customer agrees to demonstrate proper functionality and compliance of applications in the Customer test environment prior to integration with the SAW Production Environment.
- Customer agrees that Customer shall utilize the SAW Service to engage only authorized servers and networks. Any attempt to utilize the Service to access unauthorized servers or networks is strictly prohibited and may result in the termination of Services.
- Customer will configure and maintain all appliances, servers, virtual machines, applications, and operating systems for applications and other applicable resources to include third party resources that are integrated with the SAW platform.
- Customer will configure and maintain security policy settings to protect applications and other applicable resources including third party hardware, software and services integrated with the SAW platform against known security risks in accordance with regulatory and industry standards, guidelines, and best practices.
- Customer will configure and maintain the content for applications and other applicable resources to include third party services that are integrated with the SAW platform.
- Customer will provide contact information for applications and other applicable resources including third party hardware, software and services integrated with the SAW platform for use by the WaTech Support Center and SAW Administrators to alert Customer of service problems. Customer will review this contact information annually and make appropriate updates.
- Customer will provide assistance with and end user support for applications and other applicable resources including third party hardware, software and services integrated with the SAW platform. This includes processing end user requests to bypass the Identity Verification process and/or unsuspend access to Multifactor Authentication profile for the Customer’s high security applications and services.
- Customer will designate at least one Agency Registration Authority (ARA) authorized to execute the following responsibilities:
- Assigns Agency Technical Administrator (ATA) and Application Owner (AO) roles
- Approves or rejects ATA requests and changes
- Customer agrees the ARA will designate at least one Agency Technical Administrator (ATA) and Application Owner (AO) for each application or service that is authorized to execute the following responsibilities:
- Has the appropriate level of training and expertise required to support the Customer application or service
- Is the “central point of contact” for all questions and concerns relating to the administration and maintenance of the Customer application or service
- Registers and manages the Customer application or service
- Collects data from end users to support the authorization and access control processes
- Administers end user requests for access to the Customer application or service
- Validates all data submitted by end users
- Reports all SAW Service problems to the WaTech Support Center via email at firstname.lastname@example.org or phone at (360) 586-1000 or 1-855-928-3241.
- Customer agrees that the ATA will designate one agency helpdesk contact per application or service.
E. Special Terms
1. ENVIRONMENT SET UP
WaTech shall assist Customer in the initial set up and configuration of their Customer Development, Test, and Production Environments necessary for the integration of the Customer application or service with the SAW platform. Standard set-up assistance is provided for up to 10 hours per domain and first application. Support hours requested beyond this will be assessed a professional services charge.
2. ENVIRONMENT MANAGEMENT
WaTech shall build each environment with a base rule set. Customer acknowledges and accepts that they cannot make changes to the base rule set or any other global settings on the SAW platform.
Customer will review with WaTech all changes to the Customer’s architecture prior to implementing such change in an effort to ensure that the change does not compromise the security of the Customer’s or WaTech’s system or result in system and access problems.
Customer accepts sole accountability for all use of the Service by Customer’s systems and users. Customer further agrees to assume full responsibility for restricting access to State servers by policy, rules, filters and/or other reasonable methods including agreements with contractors or other third parties. The filtering shall be documented showing the real Customer address(es), the address(es) of the State server(s) and the services (telnet, FTP, WWW, etc.) allowed. In so doing, Customer agrees to comply with all applicable Washington State IT Security Policy and Standards and shall ensure that each and every Contractor or third party complies with all the conditions set forth herein as well as the applicable Washington State IT Security Policies and Standards.
Customer acknowledges that the State of Washington Auditor’s Office may audit and/or inspect remote clients and/or servers accessed via the Service without any advance notice.
Customer acknowledges and accepts WaTech’s right to suspend service without prior notice upon detection, confirmation, or notification of any unauthorized access, malicious traffic caused by infection or abuse deemed harmful to the State Government Network. If unauthorized access, malicious traffic caused by infection or abuse occurs, WaTech and customer will attempt to resolve security issues to the satisfaction of WaTech and customer. If no satisfactory resolution of security issues is identified, WaTech reserves the right to terminate Service to Customer.
WaTech provides a security system infrastructure that reasonably protects its Customers from unauthorized external access to or broadcast on the Internet of the customer’s intellectual property, proprietary and confidential data. In the event that WaTech becomes aware of a breach of the security of the system involving personal information maintained but not owned by WaTech, WaTech shall immediately notify the agency that owns the information. Breach of the security of the system means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the agency.
4. SAW SERVICE DISCLAIMER
This WaTech service is designed to prevent outsiders from gaining access and will provide an effective method of monitoring and limiting access. However, it may not prevent some instances of dedicated hackers, or an employee from gaining unauthorized access to the Web application or to confidential information stored on the network. WaTech does not and will not accept liability for any losses or damage to Customer’s business or data that arise as a result of the SAW platform not preventing unauthorized access.
The WaTech service does provide a high standard of protection and service, but no system can claim to be completely secure.
WaTech does not support the following services. The following items are the sole responsibility of the Customer:
- User support outside the State Network (supporting only access to systems within the State Network).
- Implementation and management of Customer LAN environment (i.e., firewalls, hubs, servers, workstations, etc.).
- Help desk support for client devices and applications.
- Internet Access is not provided pursuant to this agreement.
- Remote Client Internet access.
- Data encryption within the State Network.
- Protocols other than IP (Internet Protocol).
6. EXPORT CONTROL LAW COMPLIANCE
You may not download, use, or otherwise export or re-export any Software associated with this TOS or any underlying information or technology except in full compliance with all United States and other applicable foreign laws and regulations. By using WaTech, you represent and warrant that you are not located in, under the control of or a national or resident of any country on the U.S. Treasury Department’s Specially Designated Nationals list or the U.S. Commerce Department Denied Persons List.
7. ACCESS TO SOFTWARE
Customer understands that WaTech licenses software from third party providers for the purpose of providing services to its customers. Customer may access such software as part of the services provided to the Customer hereunder. Customer agrees that it will not, nor will it allow its agents, employees or its authorized third parties to decompile, disassemble, reverse engineer or otherwise access the source code of any software provided by WaTech whether the software is owned by WaTech or licensed by WaTech from a third party provider. Customer shall be liable to WaTech and/or any third party provider of software for any breach of this provision.