ORDF,R NO. 3093
STATE FISCAL YEAR 08-09 STATE CASE REGISTRY/LOCAL CUSTOMER
SERVICE CONTRACT
Came to be heard this the 11 `" day of August, 2008, with a motion made by
Commissioner Letz, seconded by Commissioner Oehler. The Court unanimously
approved by a vote of 3-0-0 to:
Approve the State Fiscal Year 2008-09 State Case Registry/Local Customer Service
Contract between Kerr County and the Office of the Attorney General, Child Support
Division, subject to the County Attorney reviewing the form.
3O~ 3 3
COMMISSIONERS' COURT AGENDA REOUEST
PLEASE FURNISH ONE ORIGINAL AND TEN COPIES OF THE REQUEST AND
DOCUMENTS TO BE REVIEWED BY THE COURT
MADE BY Linda Uecker .Director OFFICE: District Clerk
MEETIlVG DATE:
TIME PREFERRED:
SUBJECT: (PLEASE BY SPECIFIC)
Renewal of SFY08-09 State Case Registry/Local Customer Service Contract between Kerr
County and the Office of the Attorney General, Child Support Division ..
EXECUTIVE SESSION REQUESTED: (PLEASE STATE REASON)_
NAME OF PERSON ADDRESSING THE COURT_
ESTIMATED LENGTH OF PRESENTATION:
IF PERSONNELL MATTER -NAME OF EMPLOYEE:
Time for submitting this request for Court to assure that the matter is posted pursuant with Title
5, Chapter 551 and 552, Government Code is by 5:00 PM on the previous Tuesday of a meeting
scheduled for Mondays.
THIS REQUEST RECEIVED BY:
THIS REQUEST RECENED ON:
All agenda requests will be screened by the County Judge's Office to determine if adequate
information has been prepared for the Court's formal consideration and action at time of Court
meetings. See Agenda Request Rules adopted by the Commissioners' Court.

ATTORNEY GENERAL OF TEXAS
GREG ABBOTT
cHtt.u sueeoe•r otvtstov
July 28, 2008
The Honorable Linda Decker
Kerr County District Clerk
700 Main Street
Kerrville TX 78028-
RE: Two Original Copies of FY09/10 State Case Registry and Local Customer Service Contract
Dear Ms. Decker:
Attached are two original copies of the renewal for the FY09/10 State Case Registry/Local Customer
Service Contract. Please have both copies signed where indicated. Also attached is the Incident
Response Plan, Attachment G, which is designed to provide a general reference to both OAG and county
staff when a security incident may threaten the confidentiality of personal data. Pursuant to contract
requirement 6.4.1.1, please complete the Incident Response Plan and return it and both copies of the
original signed contract to the following:
Office of the Attorney General
Child Support Division
P. O. Box 12017
Mail Code 062, Attn: Deborah Fecteau
Austin, Texas 78711-2017
Upon receipt of the two signed original copies and the completed incident response plan, the documents
will be routed to Alicia G. Key, Deputy Attorney General for Child Support, for signature. After the
documents have been signed by all parties, one original copy will be returned to you. Please be advised.
the contract cannot be executed before both signed copies and the Incident Response Plan have been
returned.
If you have questions regarding the execution of this contract, please contact Debbie Symmes at (512)
460-6768 or Debbie Mullen at (512) 460-6736.
Sincerely,
~~~
Allen Broussard
Manager, Government Contracts
Cooperative Agreement
between
The Office of the Attorney General
of the State of Texas
and
Kerr County, Texas
CONTRACT NO. 09-00050
1. INTRODUCTION & PURPOSE
1.1. This document encompasses furnishing Registry Only court order information relating to Child Support, Protective
Orders and Family Violence under the Texas Family Code, Title 4, Subtitle B and Suits Affecting the Parent-Child
Relationship under the Texas Family Code, Title 5, Subtitle B for use in the State and Federal Case Registries
("State Case Registry") and local handling of inquiries on (including any necessary research) and receiving
information about Child Support Cases where child support payments are remitted to the Texas Child Support State
Disbursement Unit (TxCSDU) ("Local Customer Service"). A County may contract to provide State Case Registry
services only. However a county contracting to provide Local Customer Service must also contract to provide State
Case Registry.
1.2. Kerr ("County") is contracting with the Office of the Attorney General ("OAG") to furnish Registry Only court
order information relating to Child Support, Protective Orders and Family Violence under the Texas Family Code,
Title 4, Subtitle B and Suits Affecting the Parent-Child Relationship under the Texas Family Code, Title 5, Subtitle
B for use in the State and Federal Case Registries and handle inquiries on (including any necessary research) and
receive information about Child Support Cases where child support payments are remitted to the TxCSDU.
1.3. This Contract and its attachments (all of which are made a part hereof and expressly included herein) is entered into
under the authority of Texas Family Code Section 231.002.
1.4. The term "OAG Systems" when used in this Contract encompasses the OAG Child Support Case Management
System (commonly referred to as TXCSES and TXCSES Web) and any applicable automated systems used by the
OAG's Vendor for the TxCSDU including all of their subsystems, functions, processes, and security requirements.
1.5. Unless specified otherwise in this Contract, all procedures required to be followed by the County will be made
available to the County on the OAG child support portal at http://portal.cs.oag.state.tx.us.
2. CONTRACT PERIOD
2.1. This Contract shall commence on September 1, 2008 and shall terminate on August 31, 2010, unless terminated
earlier by provisions of this Contract.
3. REQUIREMENTS OF THE OAG AND THE COUNTY
3.1. State Case Registry Activities
3.1.1. County shall provide to OAG new and modified child support court orders entered after the effective date
of the Contract for Registry Only child support court order information relating to Suits Affecting the
Parent-Child Relationship.
3.1.1.1. County shall use the original court ordered documents to obtain the relevant information for entry to
the OAG Systems or may use the "Record of Support" published in the Texas Family Law Manual,
or a similar form completed by the District Clerk or Local Registry's office that summarizes the
relevant court ordered child support information.
3.1.1.2. County must provide, if available, the following data elements:
SCR/LCS 7/16/08 Page 1 of 19
3.1.1.2.1. participant type (dependent, custodial parent, non-custodial parent)
3.1.1.2.2. family violence indicator
3.1.1.2.3. name of each participant (last and first)
3.1.1.2.4. sex code for each participant
3.1.1.2.5. social security number for each custodial parent and non-custodial parent and/or date of birth
for each participant
3.1.1.2.6. cause number
3.1.1.2.7. cause county code
3.1.1.2.8. start date of cause
3.1.1.2.9. order modification date
3.1.1.2.10. address lines 1, 2, and 3, City, State, Zip (custodial parent only).
3.1.1.2.11. sex code for each participant
3.1.1.2.12. family violence indicator, if applicable
3.1.1.3. County shall provide data elements and/or information updates to the OAG Systems for Registry
Only child support court orders signed on or after October 1, 1998.
3.1.1.4. County shall enter updates on OAG Systems for new case and /or member information provided
by the custodial parent, non-custodial parent, employer, court or attorney of record to the County.
This includes but is not limited to address information, changes in custody, court order
terminations of all types, child emancipation, multiple payees or payors, case deactivation and
order transfers.
3.1.1.5. County shall provide new order information within either five (5) working days of the judge
signing the order or five (5) working days of the date that the County is notified by the Texas State
Disbursement Unit ("TxCSDU") that a payment has been received at the TxCSDU; whichever is
earlier.
3.1.1.6. County shall provide update order information within three (3) working days of receipt.
3.1.1.7. County shall provide new and updated order information by data entry directly onto OAG
Systems, unless agreed to otherwise in writing by the OAG Contract Manager.
3.1.1.8. County shall ensure that payments on cases that have been redirected from the County registry to
the TxCSDU are paid to the TxCSDU and that disbursements on such cases are no longer made by
the County. The District Clerk or the Domestic Relations Office (as applicable) shall send all
erroneously received child support payments to the TxCSDU within one day of receipt.
3.1.1.9. County agrees that all court orders must direct child support payments to the (TxCSDU) in
accordance with Section 154.004 of the Texas Family Code and 42 USC 654b of the Code of
Federal Regulations. Where the County identifies a pattern of court orders from a particular court
or attorney that fail to comply with Section 154.004 of the Texas Family Code and 42 USC 654b
of the Code of Federal Regulations, the County will notify the OAG of same.
3.1.1.10. County shall work with the TxCSDU to perform the required due diligence to place child support
payments into the hands of custodial parents.
3.2. LOCAL CUSTOMER SERVICE
3.2.1. County Customer Service Unit Resources and Services
3.2.1.1. The term "Child Support Cases" when used in this Section and its Subsections means: Registry
Only cases (a Registry Only case is a case where the payment is remitted to the State
Disbursement Unit by an employer pursuant to an original order signed on or after January 1,
1994) and all IV-D cases (also known as "Full Service Cases").
3.2.1.2. County shall provide the resources necessary to accomplish the following allowable categories of
customer service activity on Child Support Cases in accordance with the requirements of the
Confidentiality and Security Section below: Payment Inquiry, Payment Research, Employer
SCR/LCS 7/16/08 Page 2 of 19
Payment Related Calls, OAG Payment Related Calls, Withholding Inquiry (Employer, Custodial
Parent, Non-Custodial Parent). These activities include but are not limited to:
3.2.1.2.1. Researching payments on Child Support Cases that should have been but were not received
by the OAG.
3.2.1.2.2. Researching disbursements on Child Support Cases that should have been but were not
received by the custodial parent.
3.2.1.2.3. Providing payment records on Child Support Cases to the court, the guardian ad litem for the
child, the custodial and non-custodial parent and their attorneys, a person authorized by the
custodial or non-custodial parent to have the payment history information, and a District or
County attorney for purposes of pursuing prosecution for criminal non-support of a child.
3.2.1.2.4. The County Customer Service unit shall take inquiries and receive information by, but not
limited to, a-mail, letters, phone calls, facsimiles and walk-ins.
3.2.2. Resources as used in this Customer Service Unit Resources and Services section include, but are not
limited to, personnel, office space, equipment, phones and phone lines.
3.2.3. Customer Service Unit Documentation
3.2.3.1. County shall follow OAG procedures relating to data integrity, set forth in Attachment D, when
accepting changes to case information i. e., procedures to properly identify the caller.
3.2.3.2. County shall perform the Customer Service Unit services using the following guidelines: Respond to
written inquiries within five (5) County work days, take action on information received within three
(3) County work days, document case record of action or information received at time of receipt,
follow up to a telephone inquiry within three (3) County work days, return phone calls within three
(3) County work days, see a customer the same day or schedule appointment within three (3) County
work days of request.
3.2.3.3. County shall use OAG processes and procedures for forwarding misdirected inquiries between the
County, and the OAG and the OAG's designated agent where necessary by providing. the toll free
number to the OAG's Call Center.
3.2.3.4. The electronic files associated with customer service activity that the County may receive and
process are:
3.2.3.4.1. Full Service and Registry Only Collections, technical document name: Interface Control
Document 012 (ICD012).
3.2.3.4.2. Registry Only Disbursement Data, technical document name: Interface Control Document
013 (ICD013).
3.2.3.4.3. Full Service and Registry Only Collection Adjustments, technical document name Interface
Control Document 015 (ICDO15).
3.2.3.4.4. Registry Only Case Data from Local Registries, technical document name: Interface Control
document 050 (ICDO50).
3.2.4. The electronic file associated with customer service activity that the County may transmit is:
3.2.4.1. OAG Systems and Local Registries Customer Service Activities, technical document name:
Interface Control Document 035 (ICD035).
3.2.5. In the event of a failed transmission, or if an unprocessable electronic file is produced, County shall correct
the problem and retransmit within one (1) working day of notification by the OAG.
SCRlLCS 7/16/08 Page 3 of 19
3.2.6. County shall record on its automated system all fmancial data available from the OAG required to support
the accurate dissemination of payment record information contemplated by this Contract or the County
shall access, as needed, an OAG/TXCSES payment history record, as available, from the OAG TXCSES
Web application.
3.3. ACCESSING OAG SYSTEMS
3.3.1. County Responsibilities
3.3.1,1. Work with the OAG or its designated agent to acquire, when needed, (at no cost to the County) from
the OAG or its designated. agent one personal computer, including the necessary software, to access
the OAG Systems. County will work with the OAG or its designated agent to obtain the database
access required. County is responsible for connecting the hardware to its own County network and
for the cost associated therewith.
3.3.1.2. County must make necessary programming changes to its own automated child support system to
accomplish the local customer service activities in this Contract. If the County employs a Vendor for
maintenance and changes to its automated child support system, County must coordinate efforts
between the County Vendor and the OAG or its designated agent.
3.3.1.3. Should the County desire to retain their legacy case management system, whether in-house or
vendor based, the County is required to maintain strict data synchronization with the OAG Systems.
To accomplish this, the County must demonstrate sufficient resources and ability to receive and
process into the County legacy system daily data updates from the OAG in ICDO50 format.
3.3.1.4. County will be authorized to implement the data synchronization process upon completion of
demonstrated ability and a documented system test.
3.3.1.5. Whether the County retains their legacy case management system or if data synchronization with the
OAG Systems is not feasible the County shall enter all case/member information directly onto the
designated OAG System unless agreed to otherwise in writing by the OAG Contract Manager.
3.3.1.6. The ICDO50 computer file specifications and format will be made available to the County on the
OAG child support portal. If these specifications change during the term of the Contract, the
changes will be made available on the OAG child support portal and an e-mail notice of such
availability will be sent to the County liaison. The County shall be responsible for implementing the
changes to the electronic file specifications when and as required for OAG Systems processing,
within a reasonable time frame.
3.3.1.7. To the extent necessary to fulfill its obligations under this Contract, County shall maintain, at no cost
to the OAG, County hardware and software compatibility with the OAG Computer Systems and
OAG file format needs, to include OAG software and OAG computer hardware and related
equipment upgrades. OAG will provide County with as much notice as possible of intended OAG
Computer Systems upgrades.
3.3.1.8. County is responsible for all the necessary phone lines. For those counties that do not have Internet
access the OAG will ensure that Internet service is established for at least one personal computer.
However, if the County is not covered by a local Internet Service Provider local telephone coverage
area, then the County is responsible for any unavoidable long distance telephone charges that occur.
3.4. OAG Responsibilities
3.4.1. OAG will work with the County to make sure the County has one personal computer, including the
necessary software, to access the OAG Systems. For those counties that do not have Internet access, the
OAG will ensure that Internet service is established for at least one personal computer. However, if the
County is not covered by a local Internet Service Provider local telephone coverage area, then the County is
responsible for any unavoidable long distance telephone charges that occur.
4. REIMBURSEMENT
SCR/LCS 7/16/08 Page 4 of 19
4.1. OAG shall monitor County OAG Systems State Case Registry and, if applicable, Local Customer Service activities
(direct data entry or electronic file) and summarize for monthly reimbursement amounts.
4.2. OAG shall forward a Summary and Reimbursement Voucher to the County for review and approval.
4.3. If the County approves the Summary and Reimbursement Voucher, the County signs the voucher and returns it to
OAG for payment within ten (10) County work days. County's signature constitutes approval of the voucher and
certification that all services provided during the period covered by the voucher are included on the voucher. The
OAG shall process the invoice for payment in accordance with the state procedures for issuing state payments and
the Texas Prompt Payment Act.
4.3.1. County shall submit the invoice to:
Contract Manager, State Case Registry and Local Customer Service
Mail Code: 062
Office of the Attorney General
P.O. Box 12017
Austin, Texas 78711-2017
4.4. If County does not approve the Summary and Reimbursement Voucher, it shall return the voucher to the OAG
within ten (10) County work days of receipt, detailing the basis of any disputed item, and include supporting
documentation. The OAG shall review the returned voucher. If the dispute is resolved in the County's favor the
OAG shall make payment as set forth in the preceding subsection. If the dispute is not resolved in the County's
favor, the OAG shall make payment in accordance with the voucher originally sent to the County and forward a
letter of explanation to the County.
4.4.1. OAG Rights Upon Loss of Funding
4.4.1.1. Legislative Appropriations
4.4.1.1.1. All obligations of the OAG are subject to the availability of legislative appropriations and, for
federally funded procurements, to the availability of federal funds applicable to this
procurement (see Provision of Funding by the United States, subsection below). The parties
acknowledge that the ability of the OAG to make payments under this Contract is contingent
upon the continued availability of funds for the Child Support Enforcement Strategy and the
State Disbursement Unit Strategy (collectively "Strategies"). The parties acknowledge that
funds are not specifically appropriated for this Contract and the OAG's continual ability to
make payments under this Contract is contingent upon the funding levels appropriated to the
OAG for the Strategies for each particular appropriation period. The OAG will use all
reasonable efforts to ensure that such funds are available. The parties agree that if future
levels of funding for the OAG Child Support Enforcement Strategy and/or the State
Disbursement Unit Strategy are not sufficient to continue operations without any operational
reductions, the OAG, in its discretion, may terminate this Contract, either in whole or in part.
In the event of such termination, the OAG will not be considered to be in default or breach
under this Contract, nor shall it be liable for any further payments ordinarily due under this
Contract, nor shall it be liable for any damages or any other amounts which are caused by or
associated with such termination. The OAG shall make best efforts to provide reasonable
written advance notice to County of any such termination. In the event of such a termination,
County shall, unless otherwise mutually agreed upon in writing, cease all work immediately
upon the effective date of termination. OAG shall be liable for payments limited only to the
portion of work the OAG authorized in writing and which the County has completed,
delivered to the OAG, and which has been accepted by the OAG. All such work shall have
been completed, per the Contract requirements, prior to the effective date of termination.
4.4.2. Provision of Funding by the United States
4.4.2.1. It is expressly understood that any and all of the OAG's obligations and liabilities hereunder are
contingent upon the existence of a state plan for child support enforcement approved by the United
States Department of Health and Human Services providing for the statewide program of child
SCR/LCS 7/16/08 Page 5 of 19
support enforcement, pursuant to the Social Security Act, and on the availability of Federal
Financial Participation for the activities described herein. In the event that such approval of the
state plan or the availability of Federal Financial Participation should lapse or otherwise terminate,
the OAG, in its discretion, may terminate this contract, either in whole or in part. In the event of
such termination, the OAG will not be considered to be in default or breach under this contract,
nor shall it be liable for any further payments ordinarily due under this contract, nor shall it be
liable for any damages or any other amounts which are caused by or associated with such
termination. The OAG shall make best efforts to provide reasonable written advance notice to
Contractor of any such termination. In the event of such a termination, County shall, unless
otherwise mutually agreed upon in writing, cease all work immediately upon the effective date of
termination. OAG shall be liable for payments limited only to the portion of work the OAG
authorized in writing and which the County has completed, delivered to the OAG, and which has
been accepted by the OAG. All such work shall have been completed, per the Contract
requirements, prior to the effective date of termination.
4.5. Reimbursement Rates
4.5.1. State Case Registry
4.5.1.1. The OAG shall be fmancially liable to the County for the federal share of the County's Contract
associated cost. Federal share means the portion of the County's Contract associated cost that the
federal Office of Child Support Enforcement reimburses the state as federal financial participation
under Title IV-D; for purpose of reference only the federal share on the effective date of this
Contract is 66%. The County agrees that for the purposes of this Contract all of the County's
Contract associated costs for any given calendar month is equal to the number of new and modified
Registry Only Court Orders (together with all required data elements) provided to the OAG during
the calendar month multiplied by a per new and modified Registry Only Court Order fee of $12.25
plus the number of Registry Only Court Orders updated during the calendar month multiplied by a
per Registry Only Court Order updated fee of $3.89 per Registry Only Court Order updated. Thus:
[(Calender Month new and modified Registry Only Court Orders provided x $12.25) + (Calender
Month Registry Only Court Orders updated x $3.89)] x Federal Share = OAG Liability.
4.5.2. Local Customer Service
4.5.2.1. The OAG shall be fmancially liable to the County for the federal share of the County's Contract
associated cost. Federal share means the portion of the County's Contract associated cost that the
federal Office of Child Support Enforcement reimburses the state as federal financial participation
under Title IV-D; for purpose of reference only the federal share on the effective date of this
Contract is 66%. The County agrees that for the purposes of this Contract all of the County's
Contract associated costs for any given calendar month is equal to the number of inquiries on IV-D
cases handled by County personnel during the calendar month, plus the number of inquiries on
Registry Only cases (See Section 3.2.1 for the meaning of Registry Only cases) minus the Federal
Disallowance Percentage, multiplied by a per inquiry fee of $4.01 per inquiry. For purpose of
reference only the Federal Disallowance Percentage for SFY 2008 annualized is 18%. Thus:
(Calender Month IV-D Inquiries Handled by County Personnel) + (Calendar Month Registry Only
Inquiries Handled by County Personnel -Federal Disallowance Percentage) x ($4.01) x (Federal
Share) = OAG Liability.
4.6. Limitation of OAG Liability
4.6.1. The OAG shall. be liable only for Contract associated costs incurred after commencement of this Contract
and before termination of this Contract.
4.6.2. The OAG may decline to reimburse Allowable Costs which are submitted for reimbursement more than
sixty (60) calendar days after the State Fiscal Year calendar quarter in which such costs are incurred.
4.6.3. County shall refund to the OAG within thirty (30) calendar days any sum of money which has been paid to
the County which the OAG and County agree has resulted in an overpayment to County, provided that such
sums may be offset and deducted from any amount owing but unpaid to County.
SCR/LCS 7/16/08 Page 6 of 19
4.6.4. The OAG shall not be liable for reimbursing the County if the County fails to comply with the State Case
Registry Activities, the County Customer Service Unit Resources and Services, and/ or the Customer
Service Unit Documentation Sections above in accordance with the requirements of those sections.
4.6.5. The OAG shall not be liable for reimbursing the County for any activity currently eligible for
reimbursement as of right without the necessity for a prior existing contract e.g. sheriff/processor fees. Nor
shall- the OAG be liable for reimbursing the County for any activities eligible for reimbursement under
another contract or Cooperative Agreement with the OAG e.g. customer service related to cases in the same
County's Integrated Child Support System ("ICSS") caseload, when the County has an ICSS contract
with the OAG. Nor shall the OAG be liable for reimbursing the County for information correcting
erroneous information previously provided by the County.
4.6.6. Notwithstanding any other provision of this Contract, the maximum liability of the OAG under this
Contract is Three Thousand Dollars and No Cents ($3,000.00).
4.7. Assignment of Claims
4.7.1. County hereby assigns to the OAG any claims for overcharges associated with this Contract under 15
U.S.C. § 1, et seq., and Tex. Bus. & Comm. Code § 15.01, et seq.
5. CONTRACT MANAGEMENT
5.1. Written Notice Delivery
5.1.1. Any notice required or permitted to be given under this Contract by one party to the other party shall be in
writing and shall be addressed to the receiving party at the address hereinafter specified. The notice shall
be deemed to have been given immediately if delivered in person to the recipient's address hereinafter
specified. It shall be deemed to have been given on the date of certified receipt if placed in the United
States mail, postage prepaid, by registered or certified mail with return receipt requested, addressed to the
receiving party at the address hereinafter specified.
5.1.1.1. County
5.1.1.1.1. The address of the County for all purposes under this Contract and for all notices hereunder
shall be:
5.1.1.1.1.1. The Honorable Linda Uecker (or his/her successor in office)
Kerr County District Clerk
700 Main Street
Kerrville TX 78028-
5.1.1.2. OAG
5.1.1.2.1. The address of the OAG for all purposes under this Contract and for all notices hereunder
shall be:
5.1.1.2.1.1. Alicia G. Key (or her successor in office)
Deputy Attorney General for Child Support
Office of the Attorney General
P.O. Box 12017
Austin, Texas 78711-2017
5.1.1.2.2. With copies to:
5.1.1.2.2.1. Joseph Fiore (or his successor in office)
Managing Attorney, Contracts Attorneys, Child Support Division
Office of the Attorney General
P. O. Box 12017
Austin, Texas 78711-2017
SCR/LCS 7/16/08 Page 7 of 19
5.1.1.2.2.2. Allen Broussard (or his successor in office)
Manager, Government Contracts
Office of the Attorney General
P. O. Box 12017
Austin, Texas. 78711-2017
5.2. Inspections, Monitoring and Audits
5.2.1. The. OAG may monitor and/or conduct fiscal and/or program audits and/or investigations of the County's
program performance at reasonable times. The OAG may at its option or at the request of County provide
technical assistance to assist County in the operation of this program. County shall provide physical access
without prior notice to all sites used for performance of service under this Contract to the OAG, United
States Department of Health and Human Services, Comptroller General of the United States, and State
Auditor of Texas. County shall grant to the OAG, the United States Department of Health and Human
Services, Comptroller General of the United States, and State Auditor of Texas access, without prior notice,
to all books, documents, and records of the County pertinent to this Contract. The County books,
documents, and records may be inspected, monitored, evaluated, audited and copied. County shall
cooperate fully with the OAG, United States Department of Health and Human Services, Comptroller
General of the United States, and State Auditor of Texas in the conduct of any audit and/or investigation
including the providing of any requested books, documents, and records. County shall retain all fmancial
records, supporting documents, statistical records, and any other records, documents, papers, logs, audit
trails or books (collectively referred to as records) relating to the performances. called for in this Contract.
County shall retain all such records for a period of three (3) years after the expiration of the term of this
Contract, or until the OAG or the United States are satisfied that all audit claim, negotiation, and litigation
matters are resolved, whichever period is longer. Reports or other information relating to this program
prepared by the County or at the request of the County shall be furnished to the OAG within ninety (90)
days of availability. The requirements of this Subsection shall be included in all subcontracts.
5.3. Reimbursement of Audit Penalty
5.3. L If funds are disallowed as a result of an audit fmding contained in an audit (by County or County's
independent auditor, the OAG, the State Auditor, the U.S. Department of Health and Human Services, the
Comptroller General of the United States, or any of their duly authorized representatives) that County has
failed to follow federal requirements for the IV-D program, then County agrees that the County shall refund
to OAG the amount disallowed within thirty (30) calendar days of the date of the written OAG request for
refund; provided further that such amounts may be offset and deducted from any funds payable under this
Agreement.
5.4. Remedies for Non-Performance
5.4.1. Failure of the County to perform the contracted for services as required by this Contract shall be considered
unsatisfactory performance. Any finding of unsatisfactory performance shall be communicated to the
County in writing by the OAG Contract Manager. If the County wants to dispute the finding, a written
dispute must be received by the OAG Contract Manager no later then fifteen (15) calendar days from the
date the County received the written finding of unsatisfactory performance. The written dispute must detail
why the County believes the finding is erroneous and must contain all supporting documentation. The
OAG Contract Manager will review the dispute submission to determine the validity of the original finding
of unsatisfactory performance. The determination of the OAG Contract Manager shall be fmal and shall
conclude the review process. The OAG Contract Manager's determination shall be communicated to the
County in writing. If a written dispute of the original finding of unsatisfactory performance is not received
by the OAG Contract Manager by the time set forth above, the fmding of unsatisfactory performance shall
be deemed validated and the County shall have waived its right to dispute the finding.
5.4.2. If the fmding of unsatisfactory performance is validated, the County shall be requested to provide the OAG
Contract Manager with a corrective action plan. A corrective action plan, acceptable to the OAG Contract
Manager, must be provided within a reasonable time period as specified by the OAG Contract Manager.
Failure to provide an acceptable corrective action plan within the specified time period shall result in a
withholding of payments due to County under this Contract until such time that an acceptable corrective
SCR/LCS 7/16/08 Page 8 of 19
action plan is provided.
5.4.3. If the County does not return to satisfactory status within four months of receiving notice that an
unsatisfactory performance finding has been validated, OAG may withhold payments due to County under
this Contract until the County is once again performing satisfactorily. If the unsatisfactory status persists
for a total of six months after receiving notice of the validated unsatisfactory performance fmding, OAG
may terminate this Contract (in accordance with the Termination Section below) without payment to
County for any costs incurred by County from the time that OAG commenced withholding payments due to
County being in an unsatisfactory status. Where payments are to resume due to County having provided an
acceptable corrective action plan or having attained satisfactory performance status the first payment after
resumption shall include all costs accrued during the period when payments to the County were withheld.
5.5. Training on OAG Systems
5.5.1. Any County staff performing functions under this Contract must be trained on OAG Systems. Classroom
Training on OAG Systems will be scheduled upon request from the County, by the end of the quarter
following such request. Classroom Training will be provided by OAG Regional Trainers at each of the
OAG Regional Training Centers. County shall be responsible for any and all costs associated with this
training, including, but not limited to, costs for travel, lodging, meals and per diem; provided, however that
the OAG shall be responsible for the cost of training materials and equipment required to complete the
training class. County is responsible for scheduling the training with the OAG and shall direct training
requests to:
5.5.1.1. Larry Acevedo
Office of the Attorney General
Mail Code 053
P.O. Box 12017
Austin, Texas 78711-2017
email address: CSD-TRN@cs.oag.state.tx.us
5.6. Assignment
5.6.1. County will not assign its rights under this Contract or delegate the performance of its duties under this
Contract without prior written approval from the OAG.
5.7. Liaison
5.7. L County and OAG each agree to maintain specifically identified liaison personnel for their mutual benefit
during the term of the Contract. The liaison(s) named by County shall serve as the initial point(s) of
contact for any inquiries made pursuant to this Contract by OAG and respond to any such inquiries by
OAG. The liaison(s) named by OAG shall serve as the initial point(s) of contact for any inquiries made
pursuant to this Contract by County and respond to any such inquiries by County. The liaison(s) shall be
named in writing at the time of the execution of this Contract. Subsequent changes in liaison personnel
shall be communicated by the respective parties in writing.
5.8. Subcontracting
5.8.1. It is contemplated by the parties hereto that County shall conduct the performances provided by this
Contract substantially with its own resources -and through the services of its own staff. In the event that
County should determine that it is necessary or expedient to subcontract for any of the performances
specified herein, County shall subcontract for such performances only after County has transmitted to the
OAG a true copy of the subcontract County proposes to execute with a subcontractor and has obtained the
OAG's written approval for subcontracting the subject performances in advance of executing a subcontract.
County, in subcontracting for any performances specified herein, expressly understands and acknowledges
that in entering into such subcontract(s), the OAG is in no manner liable to any subcontractor(s) of County.
In no event shall this provision relieve County of the responsibility for ensuring that the performances
rendered under all subcontracts comply with all terms of this Contract.
5.9. Dispute Resolution Process for County Breach of Contract Claim
SCR/LCS 7/16/08 Page 9 of 19
5.9.1. The dispute resolution process provided for in Chapter 2260 of the Government Code shall be used, as
further described herein, by the OAG and County to attempt to resolve any claim for breach of contract
made by County.
5.10
5.9.2. County's claim for breach of this Contract that the parties cannot resolve in the ordinary course of business
shall be submitted to the negotiation process provided in Chapter 2260, subchapter B, of the Government
Code. To initiate the process, the County shall submit written notice, as required by subchapter B, to the
Director, Child Support Division, Office of the Attorney General, P.O. Box 12017 (Mail Code 033),
Austin, Texas 78711-2017. Said notice shall specifically state that the provisions of Chapter 2260,
subchapter B, are being invoked. A copy of the notice shall also be given to all other representatives of the
OAG and the County otherwise entitled to notice under this Contract. Compliance by the County with
subchapter B is a condition precedent to the filing of a contested case proceeding under Chapter 2260,
subchapter C, of the Government Code.
5.9.3. The contested case process provided in Chapter 2260, subchapter C, of the Government Code is the
County's sole and exclusive process for seeking a remedy for any and all alleged breaches of contract by
the OAG if the parties are unable to resolve their disputes under the immediate preceding subsection.
5.9.4. Compliance with the contested case process provided in subchapter C is a condition precedent to seeking
consent to sue from the Legislature under Chapter 107 of the Civil Practices and Remedies Code. Neither
the execution of this Contract by the OAG nor any other conduct of any representative of the OAG relating
to the Contract shall be considered a waiver of sovereign immunity to suit.
5.9.5. The submission, processing and resolution of the County's claim is governed by the published rules adopted
by the OAG pursuant to Chapter 2260, as currently effective, hereafter enacted or subsequently amended.
5.9.6. Neither the occurrence of an event nor the pendency of a claim constitutes grounds for the suspension of
performance by the County, in whole or in part.
Reporting Fraud, Waste or Abuse
5.10.1. County must report any suspected incident of fraud, waste or abuse associated with the performance of
this Contract to any one of the following listed entities:
5.10.1.1. the Contract Manager
5.10.1.2. the Deputy Director for Contract Operations, Child Support Division
5.10.1.3. the Director, Child Support Division the Deputy Director, Child Support Division
5.10.1.4. the OAG Ethics Advisor
5.10.1.5. the Director of the OAG Office of Special Investigations
5.10.1.6. the OAG's Agency Integrity Program ("AIP") Hotline (866-552-7937) or the AIP E-mailbox
(AIP@oag. state.tx.us)
5.10.1.7. the State Auditor's Office hotline for fraud (1-800-892-8348); or the Texas State Auditor's Special
Investigation Unit, (512) 936-9500.
5.10.2. The report of suspected misconduct shalLinclude (if known):
5.10.2.1. the specific suspected misconduct
5.10.2.2. the names of the individual(s)/entity(ies) involved
5.10.2.3. the date(s)/location(s) of the alleged activity(ies)
SCR/LCS 7/16/08 Page 10 of 19
5.10.2.4. the names and all available contact information (phone numbers, addresses) of possible witnesses
or other individuals who may have relevant information; and
5.10.2.4.1. any documents which tend to support the allegations.
5.10.3. The words fraud, waste or abuse as used in this Section have the following meanings:
5.10.3.1. Fraud is the use of one's occupation for obtaining personal benefit (including benefit for
family/friends) through the deliberate misuse or misapplication of resources or assets.
5.10.3.2. Waste is the extravagant careless or needless expenditure of funds or consumption of property that
results from deficient practices, system controls, or decisions.
5.10.3.3. Abuse, being distinct from fraud, encompasses illegal acts or violations of policy or provisions of
contracts or grant agreements. When abuse occurs, no law, regulation or provision of a contract or
grant agreement is necessarily violated. Rather, the conduct of an individual falls short of behavior
that is expected to be reasonable and necessary business practice by a prudent person. An example
of abuse would be misuse of the power or authority of an individual's position.
6. CONFIDENTIALITY AND SECURITY
6.1. Confidentiality and Security Provisions
6.1.1. General
6.1.1.1. Both OAG and County recognize and assume the duty to protect and safeguard confidential
information. Confidential information specifically includes personally identifiable information such
as Social Security Number, full name, date of birth, home address, account number, and case status.
Each entity acknowledges that the loss of confidentiality, integrity and availability of information
assets is a risk which can be minimized by effective security safeguards and enforced compliance
with information security policies, standards and procedures.
6.1.1.2. OAG recognizes that County has existing statutory responsibilities to maintain confidentiality of
records related to state district courts (juvenile, family, probate, civil and criminal), county courts
and national and state criminal records (FBI, NCIC, TCIC). OAG also recognizes that County has
existing processes and procedures that ensure the security and confidentiality of this information and
data and is subject to security audits or assessments by these authorities.
6.1.1.3. This agreement requires County to retrieve data from the courts and other sources and create data
within TXCSES or TXCSES Web.
6.1.1.4. County acknowledges and agrees to protect OAG Data as confidential. All references to "OAG
Data" shall mean all data and information (i) originated by OAG and/or submitted to County by or
on behalf of OAG, or (ii) which County accesses from OAG systems in connection with provision of
the Agreement Services. OAG Data does not include data and information originated by County in
the performance of its duties. Upon request by OAG, County shall execute and deliver any
documents that may be necessary or desirable under any law to preserve or enable OAG to enforce
its rights with respect to OAG Data. Tex. Gov't Code Chapter 552 defines the exclusive mechanism
for determining whether OAG Data are subject to public disclosure. However, data that is publicly
known and generally available to the public is not subject to these Confidentiality and Security
Provisions.
6.1.1.5. If any term or provision of this Confidentiality and Security Provision, shall be found to be illegal or
unenforceable, it shall be deemed independent and divisible, and notwithstanding such illegality or
unenforceability, all other terms or provisions in this Confidentiality and, Security Provision, shall
remain in full force and effect and such illegal or unenforceable term or provision shall be deemed to
be deleted.
6.1.1.6. County shall develop and implement access protection lists. The access protection lists shall
SCR/LCS 7/16/08 Page 11 of 19
document the name and other identifying data for any individual, authorized pursuant to County's
request, to access, use or disclose OAG Data, as well as any. special conditions and limitations
applicable to each authorization. County shall remove individuals from or change the access rights
of individuals on the access protection list immediately upon such individual no longer requiring
access. At least quarterly, UAG shall send County a list of TXCSES Web users and County shall
review and update its access protection lists and ensure that the access protection lists accurately
reflect the individuals and their access level currently authorized. County shall notify OAG of the
authorized personnel that should have access rights to OAG Data and information in the method
prescribed by OAG. County will immediately notify OAG when an individual's access to OAG
systems is no longer relevant. OAG, in its sole discretion, may deny or revoke an individual's
access to OAG Data and information and any of its systems.
6.1.1.7. County shall perform background reviews, to include a criminal history record review, on all County
employees who will have access to OAG Data and information, and any OAG system. County shall
certify to OAG that such reviews have been conducted and that in County's opinion the aforesaid
employees are deemed trustworthy. County may request OAG to perform such reviews. In such an
instance, County shall provide OAG with any required information, consent and authorization to
perform the reviews and OAG shall perform the reviews at its own expense.
6.1.1.8. All references to "Agreement Services" shall include activities within the scope of this Agreement. .
6.1.1.9. County shall comply with all applicable statutory and regulatory provisions requiring that
information be safeguarded and kept confidential. These statutes and regulatory provisions include
but are not limited to 42 U.S.C. §§ 653 and 654; 45 CFR §§ 307.10, 307.11 and 307.13; 26 U.S.C.
6103 (IRC 6103); IRS Publication 1075 (Rev. 10-2007) and § 231.108 of the Texas Family Code,
each as currently written or as may be amended, revised or enacted. County shall also comply with
OAG policy, processes and procedures concerning the safeguarding and confidentiality of
information, and computer security (including any requirements set forth in Attachment F, entitled
"United States Internal Revenue Service Requirements for the Safeguarding of Federal Tax
Information Including Federal Tax Returns and Return Information"). The requirements of these
Confidentiality and Security Provisions shall be included in, and apply to, subcontracts and
agreements the County has with anyone performing Agreement Services on County's behalf.
6.1.1.10. This Agreement is between County and OAG, and is not intended to create any independent cause of
action by any third party, individual, or entity against OAG or County.
6.2. OAG Data Usage and Storage
6.2.1. County agrees to maintain physical security for OAG data by maintaining an environment designed to
prevent loss or unauthorized removal of data. County shall ensure that all persons having access to data
obtained from OAG Systems are thoroughly briefed on related security procedures, use restrictions, and
instructions requiring their awareness and compliance. County shall ensure that all County personnel
having access to OAG Data receive annual reorientation sessions when offered by the OAG and all County
personnel that perform or are assigned to perform Agreement Services shall re-execute, and/or renew their
acceptance of, all applicable security documents and to ensure that they remain alert to all security
requirements. County personnel shall only be granted access to OAG Systems after they have received all
required security training, read the OAG Data Security Policy Manual (Attachment A), signed the
acknowledgment (and County has given the signed acknowledgment to the OAG Contract Manager) and
read and accepted the OAG Automated Computer System Access Statement of Responsibility and the
Child Support online Login Policy (Attachment C),.
6.2.2. OAG Data are not allowed on mobile/remote/portable storage devices; nor may storage media be removed
from the facility used by County. Any exception to this prohibition must have OAG prior approval. Such
approval may only be granted by Controlled Correspondence or Contract amendment. This prohibition
does not apply to County Information Systems backup procedure. County Information Systems backup
procedure is subject to the United States Internal Revenue Service requirements set forth in IRS Publication
1075 (Rev.2-2007) and Attachment F entitled "United States Internal Revenue Service Requirements for
the Safeguarding of Federal Tax Information Including Federal Tax Returns and Return Information".
SCR/LCS 7/16/08 Page 12 of 19
6.2.3. County stipulates, covenants, and agrees that it will not access, use or disclose OAG Data beyond its
limited authorization, or for any purpose not necessary for the performance of its duties .under this
Agreement. Without OAG's approval (in its sole discretion), County will not: (i) use OAG Data other than
in connection with providing the Agreement Services; (ii) disclose, sell, assign, lease, or otherwise provide
OAG Data to third parties, including any local, state, or Federal legislative body; (iii) commercially exploit
OAG Data or allow OAG Data to be commercially exploited; or (iv) create, distribute or use any electronic
or hard copy mailing list of OAG Customers for purposes other than in connection with providing the
Agreement Services. However, nothing in this agreement is intended to restrict County from performing its
other authorized duties. For example, the duty to disseminate copies of court orders to requesting parties
that necessarily includes data such as names and addresses. In the event that County fails to comply with
this subsection, OAG may exercise any remedy, including immediate termination of this Agreement.
6.2.3.1. County agrees that it shall comply with all state and federal standards regarding the protection and
confidentiality of OAG Data as currently effective, subsequently enacted or as may be amended.
OAG Data accessed shall always be maintained in a secure environment (with limited access by
authorized personnel both during work and non-work hours) using devices and methods such as, but
not limited to: alarm systems, locked containers of various types, fireproof safes, restricted areas,
locked rooms, locked buildings, identification systems, guards, or other devices reasonably expected
to prevent loss or unauthorized removal of manually held data. County shall also protect against
unauthorized use of passwords, keys, combinations, access logs, and badges. Whenever possible,
computer operations must be in a secure area with restricted access. In situations such as remote
terminals, or office work sites where all of the requirements of a secure area with restricted access
cannot be maintained, the equipment shall receive the highest level of protection.
6.3. OAG Data Retention and Destruction, and Public Information Requests
6.3.1.. Any destruction or purging of OAG Data shall be destroyed and/or purged in accordance with state and
federal statutes, rules and regulations. Within ten (10) business days of destruction or purging, County will
provide the OAG with a signed statement(s) containing the date of destruction or purging, description of
OAG Data destroyed or purged, and the method(s) used.
6.3.2. In the event of Agreement expiration or termination for any reason, County shall ensure the security of any
OAG Data remaining in any storage component to prevent unauthorized disclosures. Within twenty (20)
business days of Agreement expiration or termination, County shall provide OAG with a signed statement
detailing the nature of the OAG Data retained, type of storage media, physical location(s), and any planned
destruction date.
6.3.3. County expressly does not have any actual or implied authority to determine whether any OAG Data are
public or exempted from disclosure. County is not authorized to respond to public information requests
which would require disclosure of otherwise confidential information on behalf of the OAG. County agrees
to forward to the OAG, by facsimile within one (1) business day from receipt all request(s) for information
associated with the County's services under this Agreement. County shall forward via fax any information
requests to:
6.3.3.1. Public Information Coordinator
Office of the Attorney General
Fax (512) 494-8017
6.4. Security Incidents
6.4.1. Response to Security Incidents
6.4.1.1. County shall respond to detected security incidents. The term "security incident" means an
occurrence or event where the confidentiality of OAG Data may have been compromised. County
shall maintain an internal incident response plan to facilitate a quick, effective and orderly response
to information security incidents. The incident response plan should cover such topics as:
6.4.1.1.1. Initial responders
6.4.1.1.2. Containment
SCR/LCS 7/16/08 Page 13 of 19
6.4.1.1.3. Management Notification
6.4.1.1.4. Documentation of Response Actions
6.4.1.1.5. Expeditious confirmation of system integrity
6.4.1.1.6. Collection of audit trails and similar evidence
6.4.1.1.7. Cause analysis
6.4.1.1.8. Damage analysis and mitigation
6.4.1.1.9. Internal Reporting Responsibility
6.4.1.1.10. External Reporting Responsibility
6.4.1.1.11. OAG Contract Manager's and OAG CISO's name, phone number and email address
6.4.2. Attachment G is County's current internal incident response plan. Any changes to this incident response
plan require OAG approval (which approval shall not be unreasonably withheld) and may be made by
Controlled Correspondence.
6.5. Notice
6.5.1. Within one (1) hour of concluding that there has been, any OAG Data security incident County shall
initiate damage mitigation and notify the OAG Chief Information Security Officer ("OAG CISO") and the
OAG Contract Manager, by telephone and by email, of the security incident and the initial damage
mitigation steps taken. Current contact information shall be contained in the Incident Response Plan.
6.5.2. Within twenty-four (24) hours of the discovery, County shall conduct a preliminary damage analysis of the
security incident; commence an investigation into the incident; and provide a written report to the OAG
CISO, with a copy to the OAG Contract Manager fully disclosing all information relating to the security
incident and the results of the preliminary damage analysis. This initial report shall include, at a minimum:
time and nature of the incident (e.g., OAG data loss/corruption intrusion); cause(s); mitigation efforts;
corrective actions; and estimated recovery time.
6.5.3. Each day thereafter until the investigation is complete, County shall (i) provide the OAG CISO, or the
OAG CISO's designee, with a daily oral or email report regarding the investigation status and current
damage analysis; and (ii) confer with the OAG CISO, or the OAG CISO's designee, regarding the proper
course of the investigation and damage mitigation.
6.5.4. Whenever daily oral reports are provided, County shall provide, by close of business each Friday, an email
report detailing the foregoing daily requirements.
6.6. Final Report
6.6.1. Within five (5) business days of completing the damage analysis and investigation, County shall submit a
written Final Report to the OAG CISO with a copy to the OAG Contract Manager, which shall include:
6.6.1.1. a detailed explanation of the cause(s) of the security incident;
6.6.1.2. a detailed description of the nature of the security incident, including, but not limited to, extent of
intruder activity (such as files changed, edited or removed; Trojans), and the particular OAG Data
affected; and
6.6.1.3. a specific cure for the security incident and the date by which such cure shall be implemented, or if
the cure has been put in place, a certification to OAG that states the date County implemented the
cure, a description of how the cure protects against the possibility of a recurrence, and that County's
security program is operating with the effectiveness required to assure that the security,
confidentiality and integrity of OAG Data are protected.
6.6.2. If the cure has not been put in place by the time the report is submitted, County shall within five (5)
business days after submission of the fmal report, provide a certification to OAG that states the date County
implemented the cure, a description of how the cure protects against the possibility of a recurrence, and that
County's security program is operating with the effectiveness required to assure that the security,
confidentiality and integrity of OAG Data are protected.
SCR/LCS 7/16/08 Page 14 of 19
6.6.3. If County fails to provide a Final Report or Certification within fifteen (15) calendar days of the security
incident, County agrees that OAG may exercise any right, remedy or privilege which may be available to it
under applicable law of the State and any other applicable law. The exercise of any of the foregoing
remedies will not constitute a termination of this Agreement unless OAG notifies County in writing prior to
the exercise of such remedy.
6.7. Independent Right to Investigate
6.7.1. OAG reserves the right to conduct an independent investigation of any security incident, and should OAG
choose to do so, County shall cooperate fully, making resources, personnel and systems access available. If
at all possible, OAG will provide reasonable notice to County that it is going to conduct an independent
investigation.
6.8. Security Audit
6.8.1. Right to Audit, Investigate and Inspect the Facilities, Operations, and Systems Used in the Performance of
Agreement Services.
6.8.1.1. County shall permit OAG, the State Auditor of Texas, the United States Internal Revenue Service,
the United States Department of Health and Human Services and the Comptroller General of the
United States to:
6.8.1.1.1. monitor and observe the operations of, and to perform security investigations, audits and
reviews of the operations and records of, the County;
6.8.1.1.2. inspect its information system in order to access security at the operating system, network,
and application levels; provided, however, that such access shall. not interfere with the daily
operations of managing and running the system; and
6.8.1.1.3. enter into the offices and places of business of County and County's subcontractors for a
security inspection of the facilities and operations used in the performance of Agreement
Services. Specific remedial measures may be required in cases where County or County's
subcontractors are found to be noncompliant with physical and/or OAG data security
protection.
6.8.1.2. When OAG performs any of the above monitoring, observations, and inspections, OAG will provide
County with reasonable notice that conforms to standard business audit protocol. However prior
notice is not always possible when such functions are performed by the State Auditor of Texas, the
.United States Internal Revenue Service, the United States Department of Health and Human
Services and the Comptroller General of the United States. In those instances the OAG will
endeavor to provide as much notice as possible but the right to enter without notice is specifically
reserved.
6.8.1.3. Any audit of documents shall be conducted at County's principal place of business and/or the
location(s) of County's operations during County's normal business hours and at OAG's expense.
County shall provide on County's premises, (or if the audit is being performed of a County's
subcontractor, the County's subcontractor's premises; if necessary) the physical and technical
support reasonably necessary for OAG auditors and inspectors to perform their work
6.9. Remedial Action
6.9.1. Remedies Not Exclusive and Injunctive Relief
6.9.1.1. The remedies provided in this section are in addition to, and not exclusive of, all other remedies
available within this Agreement, or at law or in equity. OAG's pursuit or non-pursuit of any one
remedy for a security incident(s) does not constitute a waiver of any other remedy that OAG may
have at law or equity.
6.9.1.2. If injunctive or other equitable relief is available, then County agrees that OAG shall not be required
SCR/LCS 7/16/08 Page 15 of 19
to post bond or other security as a condition of such relief.
6.10. Notice to Third Parties
6.10.1. Subject to OAG review and approval, County shall provide notice to individuals whose personal,
confidential, or privileged data were compromised or likely compromised as a result of the security
incident, with such notice to include: (i) a brief description of what happened; (ii) to the extent possible, a
description of the types of personal data that were involved in the security breach (e.g., full name, SSN,
date of birth, home address, account number, etc.); (iii) a brief description of what is being done to
investigate the breach, mitigate losses, and to protect against any further breaches; (iv) contact
procedures for those wishing to ask questions or learn additional data, including a telephone number,
website, if available, and postal address; and, (v) instructions for accessing the Consumer Protection
Identity Theft section of the OAG website. County and OAG shall mutually agree on the methodology
for providing the notice.
6.10.2. County shall be responsible for responding to and following up on inquiries and requests for further
assistance from persons notified under the preceding section.
6.10.3. If County does not provide the required notice, OAG may elect to provide notice of the security incident.
County and OAG shall mutually agree on the methodology for providing the notice. Costs (excluding
personnel costs) associated with providing notice shall be reimbursed to OAG by County. If County does
not reimburse such cost within thirty (30) calendar days of request, OAG shall have the right to collect
such cost. Additionally, OAG may collect such cost by offsetting or reducing any future payments owed
to County.
6.11. Commencement of Legal Action
6.11.1. County shall not commence any legal proceeding on OAG's behalf outside the scope of the Agreement
Services without OAG's express written consent. OAG shall not commence any legal proceedings on
County's behalf without County's express written consent.
7. AMENDMENT
7.1. This Contract shall not be amended or modified except by written amendment executed by duly authorized
representatives of both parties. Any alterations, additions or deletions to the terms of this Contract which are
required by changes in federal or state law are automatically incorporated into this Contract without written
amendment to this Contract and shall be effective on the date designated by said federal or state law.
8. TERMINATION OF CONTRACT
8.1. Termination
8.1.1. Either party to this Contract shall have the right to either terminate this Contract in its entirety or in part.
However, a County continuing to contract to provide Local Customer Service services must also continue
to contract to provide State Case Registry services. The Contract, or portion of the Contract, may be
terminated by the terminating party notifying the other party in writing of such termination and the
proposed date of the termination no later than thirty (30) calendar days prior to the effective date of such
termination.
8.2. Survival of Terms
8.2.1. Termination of this Contract for any reason shall not release the parties from any liability or obligation set
forth in this Contract that is expressly stated to survive any such termination or by its nature would be
intended to be applicable following any such termination.
9. TERMS AND CONDITIONS
SCR/LCS 7/16/08 Page 16 of 19
9.1. Federal Terms and Conditions
9.1.1. Compliance with Law, Policy and Procedure
9.1.1.1. County shall perform its obligations hereunder in such a manner that ensures its compliance with
OAG, policy, processes and procedure. It shall also comply with all state and federal laws, rules,
regulations, requirements and guidelines applicable to County: (1) performing its obligations
hereunder and to assure with respect to its performances hereunder that the OAG is carrying out the
program of child support enforcement pursuant to Title IV, Part D of the federal Social Security Act
of 1935 as amended; (2) providing services to the OAG as these laws, rules, regulations,
requirements and guidelines currently exist and as they are amended throughout the term of this
Contract County understands and agrees that from time to time OAG may need to change its policy,
processes or procedures and that such change shall not entitle County to any increased cost
reimbursement under this Contract; provided, however, that County may exercise its right to
terminate the Contract in accordance with the Termination Section below.. OAG shall provide
County e-mail notice of any change in OAG policy, processes or procedures.
9.1.2. Civil Rights
9.1.2.1. County agrees that no person shall, on the ground of race, color, religion, sex, national origin, age,
disability, political affiliation, or religious belief, be excluded from participation in, be denied the
benefits of, be subjected to discrimination under, or be denied employment in the administration of,
or in connection with, any program or activity funded in whole or in part with funds provided by this
Contract. County shall comply with Executive Order 11246, "Equal Employment Opportunity" as
amended by Executive Order 11375, "Amending Executive Order 11246 relating to Equal
Employment Opportunity" and as supplemented by regulations at 41 C.F.R. Part 60, "Office of
Federal Contract Compliance Programs, Equal Employment Opportunity, Department of Labor."
County shall ensure that all subcontracts comply with the above referenced provisions.
9.1.3. Certification Regarding Debarment, Suspension, Ineligibility, and Voluntary Exclusion from Participation
in Contracts Exceeding $100,000.00
9.1.3.1. County certifies by entering into this Contract, that neither it nor its principals are debarred,
suspended, proposed for debarment, declared ineligible, or voluntarily excluded from participation in
this transaction by any federal department or agency.
9.1.3.2. The certification requirement of this provision shall be included in all subcontracts that exceed
$100,000.
9.1.4. Environmental Protection (Contracts in Excess of $100,000.00)
9.1.4.1. County shall be in compliance with all applicable standards, orders, or requirements issued under
section 306 of the Clean Air Act (42 USC 1857(h)) Section 508 of the Clean Water Act (33 USC
1368) Executive Order 11738, and Environmental Protection Agency regulations (40 CFR part 15).
The requirements of this provision shall be included in all subcontracts that exceed $100,000.
9.1.5. Certain Disclosures Concerning Lobbying [Contracts in excess of $100,000]
9.1.5.1. Certain Counties shall comply with the provisions of a federal law known generally as the Lobbying
Disclosure Acts of 1989, and the regulations of the United States Department of Health and Human
Services promulgated pursuant to said law, and shall make all disclosures and certifications as
required by law. County must submit at the time of execution of this Contract a Certification
Regarding Lobbying (Attachment E). This certification certifies that the County will not and has not
used federally appropriated funds to pay any person or organization for influencing or attempting to
influence any officer or employee of any Federal agency, a member of Congress, officer or
employee of Congress, or an employee of a member of Congress in connection with obtaining any
Federal Contract, grant or any other award covered by 31 U.S.C. 1352. It also certifies that the
County will disclose any lobbying with non-Federal funds that takes place in connection with
obtaining any Federal award by completing and submitting Standard Form LLL.
SCR/LCS 7/16/08 Page 17 of 19
9.1.5.2. The requirements of this provision shall be included in all subcontracts exceeding $100,000.
9.2. News Releases or Pronouncements
9.2.1. News releases, advertisements, publications, declarations, and any other pronouncements pertaining to this
Contract by County, using any means or media, must be approved in writing by the OAG prior to public
dissemination.
9.3. Date Standard
9.3.1. Four-digit year elements will be used for the purposes of electronic data interchange in any recorded form.
The year shall encompass a two digit century that precedes, and is contiguous with, a two digit year of
century (e.g. 1999, 2000, etc.). Applications that require day and Month information will be coded in the
following format: CCYYMMDD. Additional representations for week, hour, minute, and second, if
required, will comply with the international standard ISO.8601: 1988, "Data elements and interchange
formats--Information interchange--Representation of dates and times."
9.4. Headings
9.4.1. The headings for each section of this Contract are stated for convenience only and are not to be construed
as limiting.
9.5. Agreement Relating to Debts or Delinquencies Owed to the State
9.5.1. As required by §2252.903, Government Code, the County agrees that any payments due under this Contract
shall be directly applied towards eliminating any debt or delinquency including, but not limited to,
delinquent taxes, delinquent student loan payments, and' delinquent child support.
9.6. Non-Waiver of Rights
9.6.1. Failure of a party to require performance by another party under this Contract will not affect the right of
such party to require performance in the future. No delay, failure, or waiver of either party's exercise or
partial exercise of any right or remedy under this Contract shall operate to limit, impair, preclude, cancel,
waive or otherwise affect such right or remedy. A waiver by a party of any breach of any term of this
Contract will not be construed as a waiver of any continuing or succeeding breach. Should any provision
of this Contract be invalid or unenforceable, the remainder of the provisions will remain in effect.
9.7. No Waiver of Sovereign Immunity
9.7.1. The parties expressly agree that no provision of this contract is in any way intended to constitute a waiver
by the OAG or the State of Texas of any immunities from suit or from liability that the OAG or the State of
Texas may have by operation of law.
9.8. Severability
9.8.1. If any provision of this contract is construed to be illegal or invalid, such construction will not affect the
legality or validity of any of its other provisions. The illegal or invalid provision will be deemed severable
and stricken from the contract as if it had never been incorporated herein, but all other provisions will
continue in full force and effect.
9.9. Applicable Law and Venue
9.9.1. Applicable Law and Venue: County agrees that this Contract in all respects shall be governed by and
construed in accordance with the laws of the State of Texas, except for its provisions regarding conflicts of
laws. County also agrees that the exclusive venue and jurisdiction of any legal action or suit brought by
County concerning this Contract is, and that any such legal action or suit shall be brought, in a court of
competent jurisdiction in Travis County, Texas. OAG agrees that any legal action or suit brought by OAG
concerning this Contract shall be brought in a court of competent jurisdiction in Kerr County. All
SCR/LCS 7/16/08 Page 18 of 19
payments under this Contract shall be due and payable in Travis County, Texas.
9.10. Entire Contract
9.10.1. This instrument constitutes the entire Contract between the parties hereto, and all oral or written contract
between the parties relating to the subject matter of this Contract that were made prior to the execution of
this Contract have been reduced to writing and are contained herein.
9.11. Counterparts
9.11.1. This Contract may be executed in one or more counterparts, each of which shall be deemed an original, but
all of which together shall constitute one and the same instrument.
9.12. Attachments
9.12.1. Attachment A: OAG Information Security Policy Manual
9.12.2. Attachment B: OAG Automated Computer System Access -Statement of Responsibility
9.12.3. Attachment C: Child Support Online Login Policy
9.12.4. Attachment D: Data Integrity Procedures Changes to Case Information
9.12.5. Attachment E: Certification Regarding Lobbying
9.12.6. Attachment F: IRS Publication 1075 (Rev.10-2007)
9.12.7. Attachment G: Incident Response Plan
THIS CONTRACT IS HEREBY ACCEPTED
Office of the Attorney General
Alicia G. Key
Deputy Attorney General for Child Support
~ ~
The Ho e Pat Tinley
ounty Judge, Kerr County
SCR/LCS 7/16/08 Page 19 of 19
TTACHMENT A
~~

~.~

~a ~ -
M--
~+ ~ ~. ..`C'am
ti y.. t.~:
y'.,
.f i.,.
`1 1
~ ~ ~X{ ..
A,::
Y
,.. .t
~'
.r. ~ ]
s _'.~
~ ~` ~+
I.+
~` ~ ~
Information Security
Policy Manual
THIS PAGE INTENTIONALLY LEFT BLANK
June, 1999
0. Executive Summary .............................................................................................................4
1.0 Policy : ................................................................................................................................5
1.1 Program Polic	y : ...............................................................................................................	..5
1.2 Scope	of Policy : ...................................................................................................	..5
1.3 Issue-Specific Policy :............................................................................................	..5
1.3.1	Use of OAG Information Resources :.........................................................	..5
1.3.2	Classification of Information (Data)Assets :............................................	..5
1.3.3	Information Asset Protection :....................................................................	..5
1.3.4	Access to OAG Information Assets :..........................................................	..6
1.3.5.	Data Inte~rity :............................................................................................	..6
1.3.6	E-Mail :.......................................................................................................	..6
1.3.7	Copyright :..................................................................................................	..6
1.3.8	Personal Hardware and Software :...............:..............................................	..6
1.3.9	Shareware and Freeware :...........................................................................	..6
1.3.10	Asset Protection :........................................................................................	..7
1.3.11	Voice/Phone Mail :.....................................................................................	..7
1.3.12	Data Encryption and Key Mana eg ment :....................................................	..7
1.3.13	Security Awareness :..................................................................................	..7
1.3.14	Risk Analysis and Risk Mana eg ment :.......................................................	..8
1.3.15	Contingency Plannin~ :...............................................................................	..8
1.3.16	Termination and Transfers :........................................................................	..8
.1.3.17	Bulletin Board Access :..............................................................................	..8
1.3.18	Internet Policy :...........................................................................................	..8
1.3.19	Passwords :.................................................................................................	..9
1.3.20	Securi Breaches :.....................................................................................	..9
1.3.21	Data Communications Systems :................................................................	..9
1.3.22	Dial-Up Access :.........................................................................................	..9
1.3.23	User Identification :....................................................................................	..9
1.3.24	Warning Statements :.......................................................................:.........	10
1.3.25	System Development and Testin~ :............................................................	10
1.3.26	Statement of Responsibility :......................•......•••••••••••..............................	10
1.3.27	Automatic Suspension /Deletion of User ID's :.........................................	10
1.3.28	Physical Security :......................................................................................	i0
1.3.29	Positions of Special Trust :........................................................................	10
June, 1999 3
The Office of Attorney General [OAG] has a commitment to the citizens of Texas to ensure
that the information entrusted to them will be reasonably secure and protected.
Unauthorized use of any kind must not be tolerated and such use should be punishable to
the fullest extent of the law. An effective information security program takes a lot of work,
commitment and cooperation among the employees of OAG. We are all involved in the
well-being of this strategic effort. The Information Security Officer for your division (i.e.,
CSD or A&L) may be contacted for further information as required.
Purpose
The intent of the OAG Information Security Policy Manual is threefold:
2) comprehensive documentation of the current information security and contingency planning
policies as determined by management;
3) education for the users on the proper usage of OAG information assets; and
4) legal ramifications of the misuse of information assets.
The Challenging OAG Environment
Information asset protection and contingency planning are becoming two of the more complex
challenges of the modem automated environment. Our automation systems consist of large central
databases, over one hundred (100) Local Area Networks (LAN) and one of the largest Wide Area
Networks (WAN) in the State of Texas. Our network is now tied to the Internet, and other State and
federal agencies as required.
Information Asset Protection and Disclosure
As technology becomes more prolific, the chance of OAG information assets becoming destroyed,
modified or disclosed, either intentionally or inadvertently, becomes more prevalent. The Texas
Administrative Code I TAC 201.13 (b) indicates a required classification and ownership
methodology under the Texas Public Information Act.
Security Awareness Program
A comprehensive security awareness program has been established for all OAG personnel.
It is incumbent upon each OAG employee, consultant or contractor to be familiar with the
Information Security Policy Manual and associated procedures in his or her respective
area.
Contingency Planning
Finally, the OAG is charged with providing a comprehensive contingency plan and disaster
recovery procedures for all data center, and field operations. Information security
"ownership," classification, access and controls, resulting risk assessment and criticality
analyses are used as a basis for business resumption planning.
June, 1999 4
1.0 Policy
1.1 Program Policy:
Information and information resources residing in the Office of the Attorney General
(OAG) are strategic and vital assets belonging to the people of Texas. These assets
require a degree of protection commensurate with their value. Measures will be
taken to protect these assets against accidental or unauthorized disclosure,
modification or destruction, as well as to assure the security, reliability, integrity
and availability of information.
1.2 Scope of Policy:
This policy applies to all information resources that are used by or for the OAG. It
applies to information processing systems throughout their life cycle. This policy
also applies to all users (manager, employees, contractors, etc.) of OAG
information assets.
1.3 Issue-Specific Policy:
The following are the policies that cover specific issues as they relate to the security
of information within the OAG.
1.3.1 Use of.OAG Information Resources:
State information resources will be used only for official State purposes.
Compliance with this policy will be monitored via periodic maintenance,
scheduled and random audits. The individual user of OAG information
resources shalt have no expectation of privacy for information contained
within or processed by an OAG information resource.
1.3.2 Classification of Information (Data Assets:
All information processed by or for the OAG is of value and therefore will be
classified. The OAG has three levels of data classification. They are
confidential, sensitive and unclassified. Further detailed descriptions of these
classifications can be found in the "Information Classifications" section of the
Information Security Procedure Manual.
June, 1999 5
1.3.3 Information Asset Protection:
Information which is confidential or sensitive will be protected from
unauthorized access or modification. Data which is essential to critical State
functions must be protected from loss, contamination or destruction. The
expense of security safeguards will be appropriate to the value of the assets
being protected.
1.3.4 Access to OAG Information Assets:
Access to OAG information resources must be strictly controlled. State law
requires that State owned information resources be used only for official
State purposes. Read access to OAG information is on a need-to-know
basis. When access by the user requires the use of a password, or other
security measure, that security measure must be kept confidential by the
intended user.
1.3.5 Data Integrity:
The integrity of data, its source, its destination and processes applied to it
must be assured. The creation or modification of OAG information may only
be performed by authorized personnel. Each user will be individually
accountable for his/her actions when handling, processing, or otherwise
using OAG information.
1.3.6 E-Mail:
Electronic mail (e-mail) is a form of communication which uses information
assets. However, as with the use of phones (excluding long distance)
employees may use the a-mail system for communicating with OAG
employees on non official business provided such communication does not
disrupt or interfere with official State business, is kept to a minimum duration
and frequency, and is not political in nature.
1.3.7 Copyriaht:
OAG information assets shall not be used to produce illegal copies of
copyrighted information. Illegal copies of software shall not be loaded or
June, 1999 6
executed on OAG information systems. Regular audits will be conducted to
search for unauthorized software installed on machines.
1.3.8 Personal Hardware and Software:
No personal programs of any kind are to be loaded onto any State computer.
Hardware provided by the user may not be used at the OAG or connected to
the OAG's networks. _
1.3.9 Shareware and Freeware:
Shareware and freeware will not be loaded or otherwise used on OAG
systems unless specifically approved by the Information Resource Manager.
1.3.10 Asset Protection:
Managing information security within the OAG requires commitment and
support on the part of executive, technical and program management. The
protection of information assets is a management responsibility. All
managers should be involved in the security awareness program and
should actively promote security awareness among their staff and enforce
OAG policies and procedures.
1.3.11 Voice/Phone Mail:
Voice or phone mail is a form of communication which uses information
assets. However, employees may use the voice mail system for
communicating with other OAG employees and personal business
provided such communication does not disrupt or interfere with official
State business, is kept to a minimum duration and frequency, and is not
political in nature.
1.3.12 Data Encryption and Kev Management:
It is not a requirement at this time for agencies to use data encryption
techniques for storage and transmission of data. However, those agencies
who choose to employ data encryption shall adopt the data encryption
standard, also referred to as the DES algorithm, which is defined in the
Federal Information Processing Standard Publication 46-2 (PIPS PUB 46-2).
Any use of encryption by OAG staff must be approved in advance by their
June, 1999 ~
Division Director. For systems employing encryption as described,
procedures shall be prescribed for secure handling, distribution, storage and
construction of DES key variables used for encryption and decryption.
Protection of the key shall be at least as stringent as the protection required
for the information encrypted with the key. Copies of the FIPS PUB 46-2 are
available from the Information Security Officer (ISO).
1.3.13 Security Awareness:
The OAG will provide an ongoing .awareness and training program in
information security and in the protection of State information resources for
all personnel whose duties bring them into contact with confidential or
sensitive data. New employee orientation will be used to establish security
awareness and inform new employees and contractors information security
policies and procedures. Information security programs must be responsive
and adaptable to changing vulnerabilities and technologies affecting State
information resources.
1.3.14 Risk Analysis and Risk Management:
Risks to information resources must be managed. The OAG will perform a
comprehensive risk analysis of all information processing systems on a
periodic basis. Risk analysis results will be presented to the owner of the
information resource for risk management.
1.3.15 Contingency Planning:
Ali information resources determined by agency management #o be essential
to the agency's critical mission and functions, shall have a written and cost-
effective contingency plan. The contingency plan shall be tested and updated
annually to assure that it is valid and current. Backups of data and software
will be maintained to mitigate the impact of such a disaster. A disaster
declaration will be issued by the Attorney General in the event that a disaster
destroys or makes inoperable a significant portion of the processing
capability of the OAG. This declaration will authorize the Information
Resource Manager to make timely decisions in the recovery of the
information assets.
1.3.16 Termination and Transfers:
June, 1999 8
Computer user identifications (User ID's) for employees that have terminated
employment with the OAG must be removed from the computer system
immediately following termination notification. If the agency is terminating the
employee, the ID should be removed prior to or at the same time of the
employee being notified of the termination. For employees transferring to
another position and/or section within the OAG, the user ID should also be
removed immediately.
1.3.17 Bulletin Board Access:
Users of OAG information assets are authorized to access electronic bulletin
boards in performance of their duties, but they remain responsible .for
ensuring that all security precautions and policies are followed. Policies 1.3.6
& 1.3.7 on personal software and freeware and shareware still apply to
anything that is downloaded from bulletin boards (including Texas State
bulletin boards).
1.3.18 Internet Policy:
The OAG has provided e-mail access to the Internet for all employees.
Employees should use caution and are responsible for his or her actions
when using this medium. Web browser access should be limited to those
areas relevant to your job functions. Web access to non-job related sites
represents an unauthorized use of government time, property and facilities.
Employees violating this policy are subject to disciplinary action, up to and
including dismissal from the Agency.
CAVEAT: The OAG has implemented reasonable security measures to
protect staff when using the Internet. However, the OAG
cannot guarantee the security when using this system.
Therefore, confidential and sensitive information will not be
transferred using this medium.
1.3.19 Passwords:
Systems which use passwords, shall follow the OAG guidelines based upon
the federal standard on password usage contained in the Federal Information
Processing Standard Publications 112 (PIPS PUB 112), which specifies
minimum criteria and provides guidance for selecting additional password
security criteria, when appropriate. Copies of PIPS PUB 112 are available
June, 1999 9
from the Information Security Officer.. Disclosure of an individual's password
or use of an unauthorized password or access device may be punishable
under both State and Federal law.
1.3.20 Security Breaches:
Any event which results in loss, disclosure, unauthorized modification, or
unauthorized destruction of information resources constitutes a security
incident or breach. Users should report any security breaches immediately to
the ISO, who will promptly investigated the incident. If criminal action is
suspected, the agency must contact the appropriate local law enforcement
and investigative authorities immediately.
1.3.21 Data Communications Systems:
Network resources (LAN-WAN-Mainframe) that access confidential or
sensitive information will assume the security level of that information for the
duration of the session. All network components under State control must
be identified and restricted to their intended use.
1.3.22 Dial-up Access:
For services other than those authorized for the public, authorized users of
dial-up access shall be positively and uniquely identifiable and their identity
authenticated to the systems being accessed.
1.3.23 User Identification:
Except for public users of systems where such access is authorized, or for
situations where risk analysis demonstrates no need for individual
accountability of users, each user of amultiple-user automated system shall
be assigned a unique personal identifier or user identification.
1.3.24 Warning Statements:
June, 1999 10
System identification screens will be provided at the time. of initial logon to the
mainframe or LAN/WAN. These screens will provide the following warning
statements:
(i) unauthorized use is prohibited;
(ii) usage may be subject to security testing and monitoring; and
(iii) abuse is subject to criminal prosecution.
1.3.25 System Development and Testing:
Security needs must be considered and addressed in all phases of
development or acquisition of new information processing systems.
Test functions shall be kept either physically or logically separate from
production functions.
1.3.26 Statement of Responsibility:
All OAG personnel shall be required to provide written
acknowledgment that they have received, read and understand th'e
Information Security Policy Manual.
1.3.27 Automatic Suspension /Deletion of User ID's:
Mainframe, LAN and Remote Access ID's will be monitored for usage.
Unused ID's pose a security threat and will be subject to suspension
after 30 days and deletion after 60 .days, without notice to the user.
1.3.28 Physicaf Security:
Management reviews of physical security measures will be conducted
annually, and when significant modifications are made to the facilities or
security procedures.
Physical access to mainframe computer and file server rooms will be
restricted to authorized personnel. Authorized visitors will be required to
record their visits via asign-in /sign-out log.
1.3.29 Positions of Special Trust:
June, 1999. 11
The OAG will establish procedures for reviewing information resource
functions to determine which positions require special trust or responsibilities.
June, 1999 12
:.OFFICE OF THE ATTORNEY GENERAL: AUTOMATED COMPUTER SYSTEM ACCESS
~~TATEMENT OF RESPONSIBILITY
General Information;
All information rnainta'med in the files and records of the Child Support Divis~on arc privileged and con`idential. Tire unauthorizer, use or release r,~f
the information ran result in crlminai prosecution and civil liability. Only authorized personnel may r~dd, modify andior delete information.
Statements:
I understand that the information concerning any person, customer or client that may come to niy knoraledge ~.vlii e using me coral :t .r ~=yst~-rn cf
the TxCSDU or TXCSES or any other OAG cernputer shall be held in strictest confidence and may not L~. dlscl~ ~d exc~t t as us_c e;<cl~r_i.ely
for purposes. directly conner_ted with the administration of programs under Title IV-A Iii-D and XC'< of tf~e fader ~I _ .~. _ purity ?~ t and t!u--
OAGConfideniiality Polk, ar,d Procedures.
Notwithstanding the above, I understand that I may not disclose ±o any individual or a_,enc~ ai ,r f~~.' i ~! tnx i~t~,~rn cr return int rmafion. I
further underst<~nd that if is unlawful to offer or reneive anything of value In exchange for fedar~l tax return ur raiurn nforr°~atlon. Sur,L
unauthorized di.;closure or exchange is punisfrable by fine up to 1:5.000, or in ~prisonrnent up tc 5 years, or ooth. unrier Internal Rw~nue Code
7213 Viand 713 A. Accessing tedera' tux information without e "need to know" is a federal rnlsdemeanor punishaole by nut more than one
year imprisonment, or a ~10D0 line or both, plus costs of prosecution. under 7213 A., Intenal Revenue (~odc. I also understand that I may be
civil!; liable inr damages of nCrt less than $1000 per violation, tocether ~:ith costs of pro eCUtion under ° ~clion r431 of t!i~~ Intema' P,~eenu ~,~ ~_~e
I also understand that I may not release Information to any committee or legislative belly (federal, state. or Icral) that identifies L ~ nr:~ne nr
address any such applicant or racipient of services. Use of such information b}~ a local government or component therec:f t"or any ether
purpase. including but not I(mited lo, collecting a fee is prohibited.
understand that I ma;~ not perfon7~ any work, revie~ti. update er othern~ise act to obtain information upon m} own, or any relafirre's, frienC's,
or b~,isiness associate's child support case, regardless if the case is open or closed. My failure to comply with the OAG Confidentiality Policy ~//ill
result in immediate termination of my computer access. I also understand that a violation ~riill be reporter'.- to my supervisor or other
appropriate personnel in myagency for disciplinaryaction, which may Include termination andkr referral for prosecuton:
~n~addition. if applicable, I understand that the computer password(s) I receive or devise is confidential, and must not be disclosed to an~ror~.e.
t understand that it is my responsibility to safeguard such password(s) by not allowing it to be viewed by anyone. I understand that I rim responsible,
for cernputer transactions performed through misuse of my password(s).
tagree I wilt not load unauthorized software, personal computer programs, shareware or freeware of any kind onto the UAG computr~r
equipment without the express written approval of the Office of the Attorney General, Information Resource f~4ai gager ur designee, or the
.contract manager or designee. 1 understand that use of a password not issued or devised specifically fior me is expressl;+ prohibited and is a
violation of state and fadera! law.
I also understand that failure to ol-serve the. above renditions may constitute. a "breach of computer a.curity" :2f~ir~d In thr,~ TFX ;5
PEN,4L CC3DE, CHAPTER 33, Section 33.02 (bj. and that such an offense i~~ay be classified as a felony. Similar r"ederal statutes may also
be appiicai~le.
certify that I understand that any copyrighted material, including but not limited to commercial rompuler softy are. ~r~hich ma,~~ hr~ mare ~ ~~ ilablr~
to ma for use by the UAG is profected by copyright laws 2nd is nDtto be copied for any reason without written permission teem the o~n-nee of
the copyright and the OAS.
https://portal.cs.oag.state.tx.uslwps/myportal/Agreements (1 of 2) [7/14/2006 4:29:46 PM]
r `
h *° Texas OAG Child Support
ATTACHMENT B
~_..,
By agreeing to this statement I certify#hat I:
:: -agree to abide by all written cendit~ons imposed by the OAG regarding infotmalion security;
i:ndersfand my responsibilities as described above;
have received, read and understand the I~AG security information policy manual; and
if applicable, I have read all appli~~able software licenses and agree fo abia`e by all restrictions.
https://portal.cs.oag.state.tx.us/wps/myportal/Agreements (2 of 2) [7/14/2008 4:29:46 PM]
Texas OAG Child Support
ATTACHMENT C
®~ My Account Logout
Agreements
~/Vhen you register for the OAG Portal Service. we may ask you to give us ccrtaln identifying information ('R~°.glstrafion") such as your name,
~ address, and r mad pr the company's name and address. and the company representatives name and e-mail address. This information will be
used solely for C!iild Support 1V-D purposes.
You agree to provide true, accurate, cotton) and complete information about yourself. You also agree not to impersonate any person vi
entity, misrepresent a~iy afti!iati~n +,~~ith another person, entity or association, use false headers or otherwise conceal your identity from the OAC=~
for an;~ purpose.
~I For ynur ~irotection anti the protection of our other members and lNeb site users. you agree that you will not share ,our Recistration
information (including passwords. User Names, and screen names) with any other person for the purposes of facilitating their access and
unauthorized use: o{(JAG Portal ServicES. You alone are responsible for aA transactions initiated. messages prst~~d, statements mane. or acts
or orni ,sirmti that occur :vithin any OAG Portal Service through the use of Rcgisfration ~ntoni~atiun. Your tail!ir~~ tc Honor any portion of this
~ agrecrncnt can result in termination otaccess to Portal Services.
9
https://portal.cs.oag.state.tx.us/wps/myportal/!u...dHNBY3Rpb24vITJmbG9naW5BZ3JIZW11bnRzQWN0aW9uLmRv/ [7/14/2008 4:36:44 PM]
Attachment D
Data Integrity Procedures Changes to Case Information
Before updating member/ case information, such as home address, phone number, etc., verify the caller's
identity. Ask the caller for the following identifiers:
• Name
• Date of Birth
• Home address
If there is any doubt about the caller's identity after these identifier's have been obtained, ask for the
children names and date of birth.
When pertinent information is unavailable on registry-only (RO) cases, county staff are prevented from
verifying a caller's identity. Once all attempts to verify the caller's identity have been exhausted, instruct
the caller to take one of the following actions in order to have the member/case information updated on
TXCSES Web:
• Mail:
• a copy of a photo ID
• information to be updated
• proof/verification of the information to be updated (ie., home address, SSN card, drivers license, etc.} to
the county address
• FAX:
• a photo ID
• information to be updated
• proof/verification of the information to be updated (ie., home address, SSN card, drivers license, etc.) to
the county FAX number
• E-mail the information to be updated with a scanned copy of the proof/verification information to be
updated (ie., home address, SSN card, drivers license, etc.) to the county email address
• In Person (District Clerk Office or Domestic Relations Office):
• a photo ID
• information to be updated
• proof/verification of the information to be updated (ie., home address, SSN card, drivers license, etc.)
• Visit the local child support office that is assigned to work the RO case and provide:
• a photo ID
• information to be updated
• proof/verification of the information to be updated (ie., home address, SSN card, drivers license, etc.)
ATTACHMENT E
CERTIFICATION REGARDING LOBBYING
DEPARTMENT OF HEALTH AND HUMAN SERVICES
ADMINISTRATION FOR CHILDREN AND FAMILIES
PROGRAM: CHILD SUPPORT ENFORCEMENT PROGRAM PURSUANT TO TITLE IV-D
OF THE SOCIAL SECURITY ACT OF 1935 AS ADMINISTERED BY THE OFFICE OF THE
ATTORNEY GENERAL OF TEXAS
PERIOD: September 1, 2007 -August 31, 2009
Certification for Contracts, Grants, Loans and Cooperative Agreements
The undersigned certifies, to the best of his or her knowledge and belief, that:
(1) No Federal appropriated funds have been paid or will be paid by or on behalf of the undersigned, to
any person for influencing or attempting to influence an officer or employee of any agency, a
Member of Congress, an office or employee of Congress, or an employee of a Member of congress in
connection with the awarding of any Federal contract, the making of any Federal grant, the making of
any Federal loan, the entering into of any cooperative agreement, and the extension, continuation,
renewal, amendment, or modification of any Federal contract, grant, loan, or cooperative agreement.
(2) If any funds other than Federal appropriated funds haven been paid or will be paid to any person for
influencing or attempting to influence an office or employee of any agency, a Member of congress,
an officer or employee of Congress, or an employee of Member of Congress in connection with this
Federal contract, grant, loan, or cooperative agreement, the undersigned shall complete and submit
standard Form LLL, "Disclosure Form to Report Lobbying," in accordance with its instructions.
(3) The undersigned shall require that the language of this certification be included in the award
documents for all subawards at all tiers (including subcontracts, subgrants, and contracts under
grants, loans, and cooperative agreements) and that all subrecipients shall certify and disclose
accordingly.
This certification is a material representation of fact upon which reliance was placed when this transaction
was made or entered into. Submission of this certification is a prerequisite for making or entering into this
transaction imposed by Section 1352, Title 31, U.S. Code. Any person who fails to file the required
certification shall be subj ect to a civil penalty of not less than $10,000 and not more than $100,000 for each
such failure.
Signature Date
Agency/Organization Date
Page 1 of 1
r'
` ATTACHMENT F
United States Internal Revenue Service Requirements for the Safeguarding of Federal
Tax Information Including Federal Tax Returns and Return Information
#.1. PERFORMANCE
#.1.1. In performance of this contract, the contractor agrees to comply with and assume
responsibility for compliance by his or her employees with the following requirements:
#.1.2. All work will be done under the supervision of the contractor or the contractor's
employees.
#.1.3. Any return or return information made available in any format shall be used only
for the purpose of carrying out the provisions of this contract. Information contained in
such material will be treated as confidential and will not be divulged or made known in
any manner to any person except as maybe necessary in the performance of this contract.
Disclosure to anyone other than an officer or employee of the contractor will be
prohibited.
#.l .4. All returns and return information will be accounted for upon receipt and properly
stored before, during, and after processing. In addition, all related output will be given the
same level of protection as required for the source material.
#.1.5. The contractor certifies that the data processed during the performance of this
contract will be completely purged from all data storage components of his or her
computer facility, and no output will be retained by the contractor at the time the work is
completed. If immediate purging of all data storage components is not possible, the
contractor certifies that any IRS data remaining in any storage component will be
safeguarded to prevent unauthorized disclosures.
#.1.6. Any spoilage or any intermediate hard copy printout that may result during the
processing of IRS data will be given to the agency or his or her designee. When this is
not possible, the contractor will be responsible for the destruction of the spoilage or any
intermediate hard copy printouts, and will provide the agency or his or her designee with
a statement containing the date of destruction, description of material destroyed, and the
method used.
#.1.7. All computer systems processing, storing, or transmitting Federal tax information
must meet the requirements defined in IRS Publication 1075. To meet functional and
assurance requirements, the security features of the environment must provide for the
managerial, operational, and technical controls. All security features must be available
and activated to protect against unauthorized use of and access to Federal tax
information.
#.1.8. No work involving Federal tax information furnished under this contract will be
subcontracted without prior written approval of the IRS.
#.1.9. The contractor will maintain a list of employees authorized access. Such list will be
provided to the agency and, upon request, to the IRS reviewing office.
IRS Pub 1075, Rev. Oct. 2007 Page 1 of 3

~.
ATTACHMENT F
United States Internal Revenue Service Requirements for the Safeguarding of Federal
Tax Information Including Federal Tax Returns and Return Information
#.1.10. The agency will have the right to void the contract if the contractor fails. to
provide the safeguards described above. (NOTE TO DRAFTER: Include any additional
safeguards that maybe appropriate.)
#.2. CRIMINAL/CIVIL SANCTIONS
#.2.1. Each officer or employee of any person to whom returns or return information is or
maybe disclosed will be notified in writing by such person that returns or return
information disclosed to such officer or employee can be used only for a purpose and to
the extent authorized herein, and that further disclosure of any such returns or return
information for a purpose or to an extent unauthorized herein constitutes a felony
punishable upon conviction by a fine of as much as $5,000 or imprisonment for as long
as 5 years, or both, together with the costs of prosecution. Such person shall also notify
each such officer and employee that any such unauthorized further disclosure of returns
or return information may also result. in an award of civil damages against the officer or
employee in an amount not less than $1,000 with respect to each instance of unauthorized
disclosure. These penalties are prescribed by IRC sections 7213 and 7431 and set forth at
26 CFR 301.6103(n)-l.
#.2.2. Each officer or employee of any person to whom returns or return information is or
maybe disclosed shall be notified in writing by such person that any return or return
information made available in any format shall be used only for the purpose of carrying
out the provisions of this contract. Information contained in such material shall be treated
as confidential and shall not be divulged or made known in any manner to any person
except as may be necessary in the performance of the contract. Inspection by or
disclosure to anyone without an official need to know constitutes a criminal misdemeanor
punishable upon conviction by a fine of as much as $1,000 or imprisonment for as long
as 1 year, or both, together with the costs of prosecution. Such person shall also notify
each such officer and employee that any such unauthorized inspection or disclosure of
returns or return information may also result in an award of civil damages against the
officer or employee [United States for Federal employees] in an amount equal to the sum
of the greater of $1,000 for each act of unauthorized inspection or disclosure with respect
to which such defendant is found liable or the sum of the actual damages sustained by the
plaintiff as a result of such unauthorized inspection or disclosure plus in the case of a
willful inspection or disclosure which is the result of gross negligence, punitive damages,
plus the costs of the action. These penalties are prescribed by IRC section 7213A and
7431.
#.2.3. Additionally, it is incumbent upon the contractor to inform its officers and
employees of the penalties for improper disclosure imposed by the Privacy Act of 1974, 5
U.S.C. SSZa. Specifically, 5 U.S.C. 552a(i)(1), which is made applicable to contractors
by 5 U.S.C. 552a(m)(1), provides that any officer or employee of a contractor, who by
virtue of his/her employment or official position, has possession of or access to agency
records which contain individually identifiable information, the disclosure of which is
prohibited by the Privacy Act or regulations established thereunder, and who knowing
that disclosure of the specific material is prohibited, willfully discloses the material in
IRS Pub 1075, Rev. Oct. 2007 Page 2 of 3
s "
,~
ATTACHMENT F
United States Internal Revenue Service Requirements for the Safeguarding of Federal
Tax Information Including Federal Tax Returns and Return Information
any manner to any person or agency not entitled to receive it, shall be guilty of a
misdemeanor and fined not more than $5,000.
#.3. INSPECTION
#.3.1. The IRS and the Agency shall have the right to send its officers and employees into
the offices and plants of the contractor for inspection of the facilities and operations
provided for the performance of any work under this contract. On the basis of such
inspection, specific measures maybe required in cases where the contractor is found to
be noncompliant with contract safeguards.
IRS Pub 1075, Rev. Oct. 2007 Page 3 of 3
ATTACHMENT G
COUNTY
INCIDENT RESPONSE PLAN
Adopted , 2008
ATTACHMENT G
Overview .............................................................................	3
................................................
Incident Response Team	
.....................................................................................................
Incident Response Team Roles and Responsibilities ..........................................................	3
4
Incident Contact List ......................................................	5
.....................................................
OAG Contact Information	
..............................................................................................
County Contact Information	5
...........................................................................................
ATTACHMENTS	5
Incident Identification ......................................................	6
...................................................
Incident Surve	
y ...................................................................................................................	7
Incident Containment ...............................................	8
...........................................................
Incident Eradication	
............................................................................................................	9
County
Incident Response Plan
Overview
Pursuant to the 2009 SCR/LCS Contract # , § 6.4.1.1, this Incident
Response Plan is designed to provide a general guidance to county staff, both
technical and managerial, to:
• enable quick and efficient recovery in the event of security incidents which
may threaten the confidentiality of OAG Data;
• respond in a systematic manner to incidents and carry out all necessary
steps to handle an incident;
• prevent or minimize disruption ofmission-critical services; and,
• minimize loss or theft of confidential data.
The plan identifies and describes the roles and responsibilities of the Incident
Response Team and outlines steps to take upon discovery of unauthorized
access to confidential data. The Incident Response Team is responsible for
putting the Plan into action.
Incident Response Team
The Incident Response Team is established to provide a quick, effective and
orderly response to any threat to confidential data. The Team's mission is to
prevent a serious loss of information assets or public confidence by providing an
immediate, effective and skillful response to any unexpected event involving
computer information systems, networks or databases. The Team is responsible
for investigating suspected security incidents in a timely manner and reporting
findings to management and the appropriate authorities as appropriate.
Page 3 of 9
Incident Response Tearn Roles and Responsibilities
Position'	Roles and Res. onsbilities i
Chief Information	.Immediately report incident directly to OAG CISO and OAG Contract
Security Officer	Manager
(CISO)	.Determine nature and scope of the incident
	• Contact members of the Incident Response Team
	• Determine which Team members play an active role in the investigation
	• Escalate to executive management as appropriate
	• Contact other departments as appropriate
	• Monitor and report progress of investigation to OAG CISO
	• Ensure evidence gathering and preservation is appropriate
	• Prepare and provide a written summary of the incident and corrective
	action taken to OAG CISO
Information	.Central point of contact for all computer incidents
Technology	.Notify CISO to activate Incident Response Team
Operations Center	.Complete Incident Identification form (Attachment One) and Incident
	Surve Attachment Two and forward to Coun CISO
Information Privacy	.Document the types of personal information that may have been
Office	breached
	• Provide guidance throughout the investigation on issues relating to
	privacy of customer and employee personal information
	• Assist in developing appropriate communication to impacted parties
	• Assess the need to change privacy policies, procedures and/or
	ractices as a result of the breach
Network	• Analyze network traffic for signs of external attack
Architecture	.Run tracing tool and event loggers
	• Look for signs of firewall breach
	• Contact external~internet service provider for assistance as appropriate
	• Take necessary action to block traffic from suspected intruder
	• Complete Incident Containment Forms (Attachment Three), as
	a ro riate, and forward to Coun CISO
Operating Systems	• Ensure all service packs and patches are current on mission-critical
Architecture	computers
	• Ensure backups are in place for all critical systems
	• Examine system logs of critical systems for unusual activity
	• Complete Incident Containment Forms (Attachment Three), as
	a ro riate, and forward to Coun CISO
Business	• Monitor business applications and services for signs of attack
Applications	.Review audit logs ofmission-critical servers for signs of suspicious
	activity
	• Contact the Information Technology Operations Center with any
	information relating to a suspected breach
	• Collect pertinent information regarding the incident at the request of
	the CISO
Internal Auditing	.Review systems to ensure compliance with information security policy
	and controls
	• Perform appropriate audit test work to ensure mission-critical systems
	are current with service packs and patches
	• Report any system control gaps to management for corrective action
	• Complete Incident Eradication Form (Attachment Four) and forward to
	Coun CISO
Page 4 of 9
Incident Contact List
OAG Contact Information
Position	Name	Phone	Email address
		Number	
OAG Chief of Information			

Securi Officer	Walt Foultz	512-936-1320	walt.foultz@oag.state.tx.us
OAG SCR/LCS Contract	Allen		

Mana er	
Broussard	512-460-6373	alien.broussard@cs.oag.state.tx.us
County Contact Information

Position	
Name(s)	Phone

Number	
Email address

Chief of Information Security		
g~_7gZ yzg7	_ _

fy
~
~
~
Offices			.
'
'°
County SCR/LCS Contract			

Mana er	
~ ~	r ~	~ ~
Information Technology
O erations Center	
,n~o-Q+~~	3 p -
73~ • '~$~ Z	,Q
,,~,~~ Lp ,C~1~1,~j[, uS
Information Privac Office	.c..		
Network Architecture	;1		
Operating Systems			

Architecture	~ ~		
Business A lications		g-	Z
Internal Auditin			
J
5-
~.~,~}C.L[S.
Page 5 of 9
Attachment One
Incident Identification
Date Updated:
Incident Detector's Information:
Name:
Title:
Phone:
Email:
Detector's
Signature:
- _General Information
Incident Summary
Type of Incident Detected:
• Denial of Service • Unauthorized Use • Espionage • Probe • Hoax
• Malicious Code • Unauthorized Access • Other
Incident Location:
Site:
Site Point Of Contact:
'Phone:
Email:
How was the Intellectual
Property Detected:
Additional Information:
Date and Time
Detected:
Location Incident
Detected From:
Date Signed:
Page 6 of 9
Attachment Two
Incident Survey
Date Updated:
Location(s) of affected systems:
Date and time incident handlers arrived at site:
Describe affected information system(s):
Is the affected system connected to a network? YES NO
Is the affected system connected to a modem? YES NO
Describe the physical security of the location of affected information systems (locks, security alarms,
building access, etc.):
Page 7 of 9
Attachment Three
Incident Containment
Date Updated:
Isolate Affected Systems:
CISO approved removal from network? YES NO
If YES, date and time systems were removed:
If NO, state reason:
8ackap.Affected Systems:
Successful backup for all systems? YES NO
Name of person(s) performing backup:
Date and time backups started:
Date and time backups complete:
Page 8 of 9
Attachment Four
Incident Eradication
Date Updated:
Name of person(s) performing forensics on systems:
Was the vulnerability identified: YES NO
Describe:
Page 9 of 9