Chapter 4: Board VR Contract Standards

The Board VR Requirements Manual: 

• Outlines the roles, responsibilities, coordination of, and fee structure for each of the three Board-VR services;
• Establishes basic standards that apply to all of the services; 
• Provides published standards for maintaining compliance; and
• provides criteria in order to meet TWC performance expectations for each purchase.

All policies established in this chapter apply to Summer Earn and Learn (SEAL), Wage Services for VR Participants in Paid Work Experience (PWE), and the Student HireAbility Navigator programs unless otherwise specified.
 

1.2.1 Paper Record Storage

Paper is the preferred method for storing records. Stored paper documents must be protected:

• as required in 1.3 Confidentiality; and
• in a retrievable and organized manner that prevents the documents from being stolen, tampered with, or damaged.

The Board assumes all business risk associated with lost records. Lost records could result in adverse action against the Board. 

1.2.2 Electronic Storage (Not Cloud-Based or on a Third-Party Server)

Records stored on desktop computers or on portable devices (for example, on laptops, USB flash drives, hard drives, CDs, and DVDs) must be protected as required in 1.3 Confidentiality and 1.4 Data Encryption.

Portable devices must be protected from theft, tampering, or damage. The Board is responsible for all data collection and assumes all business risk associated with lost data. Lost data could result in adverse action against the Board.

1.2.3 Cloud-Based Storage

Records that are stored entirely or partially in the cloud must be stored in compliance with the Federal Risk and Authorization Management Program (FedRAMP), or must be able to be made compliant in a short, defined period of time, as independently verified and validated by a FedRAMP-accredited third-party assessment organization (3PAO).

The Board must comply with TWC's requirement that all data remain in the United States and meet TWC's stringent privacy and security requirements.

TWC's privacy and security requirements include the following:

Protecting confidential TWC information, including personally identifiable information, from—at a minimum—unauthorized disclosure, unauthorized access, and misuse in accordance with the National Institute of Standards and Technology's (NIST) Special Publication 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), by establishing controls such as role-based access, encryption at rest, and encryption in transit

Disposing of data in a manner that complies with NIST Special Publication 800-88, Guidelines for Media Sanitization

Complying with TWC's minimum encryption standards, that is, with the Federal Information Processing Standard (FIPS) 140-2, validated 256 bit, Advanced Encryption Standard (AES), and SHA-256 Cryptographic Hash Algorithm

Complying with TWC's minimum cryptographic protocol Transport Layer Security (TLS) 1.1 (TLS 1.2 preferred) for protecting the security and privacy of communications over a computer network, including over the internet

Maintaining continuous process improvement and vigilance to assess risks, monitor and test security protection, and implement changes needed to protect TWC data

Cooperating fully with TWC's chief information security officer to detect and remediate vulnerability of the hosting infrastructure and/or the application

Giving TWC access to the Board's facilities, installations, technical capabilities, operations, documentation, records, and databases, to the extent required to carry out FedRAMP assessments and FedRAMP continuous monitoring, to safeguard against threats and hazards to the security, integrity, and confidentiality of the nonpublic TWC data that are collected and stored by the Board

The Board must notify TWC about new or unanticipated threats or hazards or about safeguards that cease to function, as the issues are discovered.

Complying with any additional FedRAMP privacy requirements

Understanding that TWC has the right to perform manual or automated audits, scans, reviews, or other inspections of the IT environment being used to provide or facilitate services for TWC

In accordance with Federal Acquisition Regulation 52.239-1, the Board must do as follows:

Obtain the contract officer's written consent before publishing or disclosing the details of safeguards that the Board designs, develops, or otherwise provides to TWC under contract (exception: disclosures to a consumer agency for the purposes of certifying or verifying authorization)

Give TWC access within 72 hours to the Board's facilities, installations, technical capabilities, operations, documentation, records, and databases, to the extent required to conduct an inspection to safeguard against threats and hazards to the security, integrity, and confidentiality of TWC data

Inspections include vulnerability scans of authenticated and unauthenticated:

• operating systems and networks;
• web applications; and
• database applications.

Automated scans can be performed by TWC personnel (or agents acting on behalf of TWC) using equipment operated or authorized by TWC and using TWC-specified tools.

Notify TWC immediately, if new or unanticipated threats or hazards are discovered, or if safeguards cease to function

If the Board chooses to run its own automated scans or audits, results from the scans or audits may, at TWC's discretion, be accepted in lieu of vulnerability scans performed by TWC; however:

• the scanning tools and their configurations must be approved by TWC; and
• the complete results must be provided to TWC
   

VR policy and federal law requires that all email messages that contain confidential information must be sent using the level of encryption required by publication 140-2 of the Federal Information Processing Standard (FIPS).

If a Board is not equipped to use the FIPS 140-2 level of encryption, the Board must ask a VR staff member who is equipped to send the email message. The same message can then be used to send encrypted information back to VR, when the directions are followed accurately.

If the Board fails to use the FIPS 140-2 level of encryption, the Board must report a breach of confidentiality to the assigned TWC contract manager.

Texas Family Code §261.101 requires a professional person who has cause to believe that a child's physical or mental health or welfare has been adversely affected by abuse or neglect by any individual to immediately (within 48 hours) report the suspected abuse.

Texas Human Resources Code §48.051 requires a professional individual (such as any TWC contractor) to make a report if there is cause to believe that an individual age 65 or older or an individual with a disability is being abused, neglected, or exploited.

Any TWC contractor is a professional and is required to report any allegations or incidents of abuse, neglect, or exploitation.

Any Board or Board's employee or subcontractor that has cause to believe that a child who is a minor, an adult with a disability, or an individual 65 years of age or older is at risk of or in a state of harm due to abuse, neglect, or exploitation must immediately report the information to the appropriate investigatory agency (see the table below). If the incident is a threat to health or safety, the local law enforcement agency must also be notified.

Reporting suspected abuse, neglect, or exploitation directly to the appropriate investigatory agency is required, regardless of the circumstances.

A Board is responsible for any abuse, fraud, misconduct, or waste that is committed by the Board's staff or subcontractors.
If abuse, fraud, misconduct, or waste is reported, the Board must provide the assigned TWC contract manager with:

• the name of the individual providing the information;
• the name of the individual submitting the information (if different from the individual providing the information);
• the name of an additional contact person;
• details about whether and when law enforcement was notified;
• the names of witnesses;
• the name of the individual or facility being reported; and
• detailed information about the abuse, fraud, misconduct, or waste.

Boards must report all allegations of fraud, misconduct, and waste to TWC Fraud Reporting.
 

Boards, their employees, and any subcontractors must perform in a professional manner and dress in business casual attire that is appropriate for the work activity and workplace:

• when interacting with VR participants and staff; and
• when providing services and visiting VR offices.
• A professional manner is defined as:
• maintaining the confidentiality of all customer information in full compliance with state and federal regulations;
• obtaining a written confidentiality release when sharing information with others who are not VR staff or are not the customer's legal guardian;
• not representing oneself as a state of Texas employee;
• not representing the Board as a state agency;
• reporting in a timely manner and to appropriate authorities the abuse or neglect of any customer or customer's family member;
• considering the negative impacts of action or inaction on the part of the individual or contractor to the health, safety, or welfare of any customer or customer's family member;
• avoiding relationships with VR participants or VR staff that would impair the contractor's objectivity in performing his or her duties or that would endanger confidentiality;
• not engaging in activities or relationships with VR participants that might be misconstrued by the VR participant; or
• not allowing a third party to be present when meeting with a VR participant at the VR participant's home or business, unless the VR participant has signed a release allowing the third party to be present or unless the third party is a potential employer.

The Board must develop and adhere to policies and procedures to protect VR participants, VR participant interests, visitors, and the Board's staff.
Boards must have policies and procedures in place before providing services to VR participants and must review and update their policies to ensure continued compliance with the standards. Boards must ensure that their policies and procedures do not conflict with the standards or the requirements of their contract. Boards must develop a written plan and maintain documentation that staff and customers, as appropriate, have been educated on policies and procedures.

At a minimum, Boards must have written policy and procedures on the following:

• Maintaining confidentiality of VR participant and employee information (refer to 1.3 Confidentiality and 1.4 Data Encryption), including:
  • providing physical safeguards;
  • providing authorized access; and
  • reporting a breach of confidentiality
• Managing VR participant expectations and responsibilities
• Managing VR participant grievances
• Providing VR participants with the VR toll-free telephone number (1-800-628-5115) and explaining that the number is for applicants and customers to use to report complaints or compliments about the contractor
• Maintaining the Board's standards on
  • promoting employment of qualified individuals with disabilities;
  • maintaining professionalism;
  • avoiding conflicts of interest;
  • maintaining confidentiality;
  • using data encryption;
  • following sound fiscal and business practices;
  • reporting abuse, fraud, misconduct, and waste;
  • referring customers to VR; and
  • adhering to the terms of the contract.
• Providing VR participant orientation on the reporting of allegations or incidents of abuse, exploitation, or neglect that involve individuals with disabilities (see 1.5.4.6 Allegations or Incidents of Abuse, Neglect, or Exploitation).
• Reporting observations or evidence that a customer is using alcohol or drugs (see 1.5.4.11 Reporting Substance Abuse by VR participants)
• Reporting unusual or unexpected incidents that compromise or may compromise the health or safety of individuals or the security of property used by the Board's employees or VR participants and visitors, including:
• how to obtain emergency medical services for VR participants; and
• how and when to report incidents.