(a) Each Application Services Center Customer shall
provide to the department the name, title, contact information, including
emergency contact, of the designated employee(s) authorized to initiate,
change, modify, or amend services. At a minimum it shall include:
(1) Executive level technology officer such as a Chief
Information Officer or Information Resources Manager; and
(2) Customer Representative.
(b) Each Application Services Center Customer is responsible
for ensuring that its use of Application Services Center services
is in compliance with applicable law, policy, and procedures.
(c) For software products not initially procured by
or through the Application Services Center program on behalf of Application
Services Center Customer, the Application Services Center Customer
shall coordinate with the Application Services Center program to ensure
complete documentation of entitlement is on file. The Application
Services Center Customer is responsible for providing proof of entitlement;
without which, the Application Services Center Customer is solely
responsible for software license compliance.
(d) Audit notification.
(1) Application Services Center Customers shall promptly
notify the department whenever the customer becomes aware that an
audit or compliance review is planned by external, internal, software
vendor, or federal oversight auditors that will require audit assistance
from the Application Services Center program Service Providers. In
any event, where audit assistance is required, the Application Services
Center Customer shall notify the department of planned audit or compliance
review no less than five business days prior to anticipated start
of audit or compliance review.
(2) In performing audits, Application Services Center
Customers shall endeavor to avoid unnecessary disruption of the DCS
program operations and duplication of other audits. Therefore, Application
Services Center Customers shall leverage SOC or comparable audits
provided for under the Application Services Center contract, to the
extent possible.
(3) The state auditor, the department's internal auditors,
a state agency's internal auditors, and if applicable, the Office
of Inspector General of the agency, or federal auditors, may conduct
audits or investigations of any entity receiving funds from the state
directly under a contract or indirectly under a subcontract for Statewide
Technology Center services.
(4) An Application Services Center Customer may request
copies of audit reports submitted to the department as required by
the Statewide Technology Center services contract and governed by
the Auditing Standards Board of the American Institute of Certified
Public Accountants (AICPA) or successor group. The requesting Application
Services Center Customer should submit the request to the department's
designated audit representative. Due to the confidential nature of
information in the report, the requesting Application Services Center
Customer shall only distribute the report to its staff that have a
legitimate business need for access to the report and may not distribute
the report to external auditors or entities. External auditors that
require access to a report in connection with an audit of a Application
Services Center Customer must contact the department's designated
audit representative and sign a non-disclosure agreement prior to
receiving a copy of the report.
(e) Technology planning.
(1) Each Application Services Center Customer will
participate in an annual Application Services Center technology planning
process based on instructions provided in the technology planning
process as documented in the applicable Service Management Manual.
This planning will relate to the services the Application Services
Center Customer receives or expects to receive through the program.
(2) All Application Services Center Customers shall
follow the technology standards for hardware and software configurations
as specified in the annual technology plan and Service Management
Manual. Application Services Center Customers seeking exception to
specified technology standards shall comply with the relevant Service
Management Manual.
(f) Governance process.
(1) All Application Services Customers will participate
in the governance process designed to facilitate individual customer
input into enterprise decisions that affect all customers. Each customer
is assigned to a group of similar customers, called a "partner group",
and that group will be given one membership position on each governance
committee. Members of the partner group are expected to represent
the interests of all partner group members in governance decisions.
(2) Enterprise-level decisions and resolution of escalated
Application Services Center Customer-specific issues shall be addressed
through standing governance committees, organized by subject area
and comprised of representatives from the department, DCS Customers,
and service providers. Participation on committees is selected from
each designated partner group.
(g) Confidential data.
(1) Application Services Center Customer shall provide
its specific confidentiality requirements as determined by the nature
of the data stored in the Application Services Center program. Generally,
the specific confidentiality requirements shall be appended to the
interagency or interlocal contract. The applicable Service Management
Manual shall provide additional documentation on the specific procedures,
including the process Application Services Center Customers shall
follow to identify confidential information.
(2) In general, an Application Services Center Customer
shall include in the interagency or interlocal agreement:
(A) General notification as to the type of confidential
data and the laws that guide in the handling of such data; and
(B) Subsequent changes to laws that apply to previously
identified confidential data.
(h) Security.
(1) Application Services Center Customers shall comply
with the Security Incident Management and Response process available
in the Service Management Manual.
(2) Application Services Center Customers shall be
in compliance with 1 Texas Administrative Code Chapter 202.
|