All capitalized terms not defined herein shall have the meanings ascribed to them in the Master Service Agreement, dated ______, 20__ executed by [INSERT VENDOR NAME] (“Licensor”) and ______ (“Licensee”) as may be amended from time to time (the “Agreement”). As of the effective date of the Agreement, Licensor shall have implemented, and shall thereafter maintain current, a comprehensive security policy or policies (“Security Policy”) that satisfies the requirements set forth below. Licensor agrees that it shall not make any change(s) to its Security Policy that effectively reduces or limits the rights or protections offered to Licensee under this Schedule or the Agreement generally.
Promptly upon execution of the Agreement by the parties and subsequently, upon request by Licensee on an annual basis, the Licensor shall provide Licensee’s Chief Information Security Officer or his or her designee with a copy of its Security Policy and an opportunity to discuss Licensor’s security measures with a qualified IT management member of Licensor.
1. Objectives. The Licensor shall exercise best efforts to implement data security measures that are consistent with applicable industry best practices and standards given the nature of the data and are designed to:
a. Protect the privacy, confidentiality, integrity, and availability of all data which is disclosed by Licensee and/or Licensee’s Related Companies to, or otherwise comes into the possession of, the Licensor, its affiliates or sub-contractors, directly or indirectly as a result of this Agreement, including but not limited to Licensee’s Confidential Information and any Licensee Data (collectively, “Licensee Data”);
b. Protect against accidental, unauthorized, unauthenticated, or unlawful access, copying, use, processing, disclosure, alteration, transfer, loss or destruction of the Licensee Data including, but not limited to, identity theft;
c. Comply with all applicable federal, state and foreign laws, rules, regulations, directives and decisions (each, to the extent having the force of law) that are relevant to the handling, processing and use of Licensee Data by Licensee or Licensor, on Licensee’s behalf, in accordance with this Agreement;
d. Manage, control and remediate any threats identified in the Risk Assessment findings that could result in unauthorized access, copying, use, processing, disclosure, alteration, transfer, loss or destruction of any of the Licensee Data, including without limitation identity theft; and
e. Comply with and implement the risk policies listed in this Schedule, together with the data protection and confidentiality obligations of the Agreement and, subject to Section 5 below, any other relevant Licensee security policies, procedures and standards notified to the Licensor from time to time (the “Licensee Security Policies”).
2. Risk Assessments.
a. The Licensor shall perform regular (and in any event no less frequently than every twelve months) robust, comprehensive internal or external risk assessments which include, among other things, several methods of risk identification and evaluation and remediation tracking and verification that:
(1) identify reasonably foreseeable threats that could result in unauthorized access, copying, use, processing, disclosure, alteration, transfer, loss or destruction of any of the Licensee Data;
(2) assess the likelihood of these threats occurring, and the potential damage that might result, taking into consideration the sensitivity of the relevant types or categories of Licensee Data (and any special risks or issues identified by Licensee); and
(3) assess the sufficiency of the security measures, policies, and procedures, information systems, technology, and other arrangements that the Licensor has in place to control such risks (“Risk Assessments”).
b. The Licensor shall notify Licensee in advance of the performance of any Risk Assessments and shall provide Licensee with the written (high-level summary) results, upon request. If at any time Licensee, in its reasonable opinion, believes that vulnerabilities or threats identified in the Risk Assessment findings have not been sufficiently resolved despite remediation efforts by Licensor, or that other vulnerabilities or security threats may exist, Licensor shall employ an independent third-party expert, jointly selected by both parties, to perform a follow-up risk assessment to determine whether Licensor has cured its failure to meet its obligations hereunder or remediated the deficiencies to Licensee’s satisfaction. Licensee shall pay the costs of such follow-up Risk Assessments, except where the additional Risk Assessment was required to assess whether the Licensor had sufficiently resolved vulnerabilities in its systems or processes, in which case the Licensor shall bear the cost of the Risk Assessment. In the event that Licensor’s information technology controls as detailed in any of the Risk Assessments do not satisfy any of Licensor’s obligations under its Security Policy, Licensor shall remediate its information technology controls in a timely manner. Licensor shall provide to Licensee any available reports prepared by independent auditors as to Licensor’s controls and security requirements. Upon request by Licensee, Licensor agrees that it shall make available qualified senior management of Licensor and, if also requested, subcontractors, responsible for security and data protection to discuss any assessment report and its findings and any remedial plans to address deficiencies.
c. Licensor shall permit one or more Licensee Personnel or agents, prior to engaging Licensor to perform Services described in any Requisition, and at such other times as reasonably requested, to conduct one or more penetration tests on information systems and networks having access to, or holding or containing, Licensee Data to verify that Licensor is employing appropriate administrative, technical and procedural access controls and system security requirements and devices necessary to protect Licensee Data in Licensor’s possession or control from threats or hazards to the privacy, confidentiality or integrity of the Licensee Data.
3. Security Measures.
a. Based on any Risk Assessment findings and other requirements of the Agreement, the Licensor shall develop (or modify, as appropriate), implement and maintain appropriate security measures and procedures (which shall be reflected in an updated Security Policy, to be provided to Licensee’s Chief Information Security Officer or his or her designee for Licensee’s approval) so as to achieve the objectives set forth in Section 1 above and to manage and control the risks identified during the Risk Assessment, commensurate with the sensitivity of the Licensee Data, as well as the complexity and scope of the activities of the Licensor pursuant to the Agreement.
b. Such security measures and procedures shall include (but shall not be limited to) administrative, physical, technical, procedural and organizational safeguards appropriate to:
(1) the nature of the Licensee Data involved, including the quality, quantity, and age of the data, and the sensitivity of the data,
(2) the significance of the processing to the protection of privacy,
(3) the nature of the risks and the harm that might result from the threats identified during the Risk Assessment, and
(4) the state of the art, state of technological development, and the security techniques available.
c. The Licensor shall also be responsible for performing the following non-exhaustive obligations:
4. Physical Security Measures
a. Physical Security and Access Control – Ensure that all systems hosting Licensee Data and/or providing services on behalf of Licensee are maintained in a manner consistent with applicable industry best practices and standards given the nature of the data in a physically secure environment that prevents unauthorized access, with access restrictions at physical locations containing Licensee Data, such as buildings, computer facilities, and records storage facilities, designed and implemented to permit access only to authorized individuals and to detect any unauthorized access that may occur, including without limitation 24 x 7 security personnel at all relevant locations (“Licensee Secure Area”).
b. Physical Security for Media – Ensure that all systems hosting Licensee Data and/or providing services on behalf of Licensee are maintained in a manner consistent with applicable industry best practices and standards given the nature of the data to prevent the unauthorized viewing, copying, alteration or removal of any media containing Licensee Data, wherever located. No removable media on which Licensee Data is stored by Licensor (including thumb drives, CDs, and DVDs, but excluding laptops, PDAs and back-up tapes) may be used or re-used by Licensor to store data of any other customer of Licensor unless the Licensee Data is securely erased prior to such re-use. No removable media on which Licensee Data is stored by Licensor (including thumb drives, CDs, DVDs, laptops, PDAs and back-up tapes) may be used to deliver data to a third party, including another Licensor customer, unless the Licensee Data is securely erased prior to such delivery.
c. Media Destruction – Ensure that all systems hosting Licensee Data and/or providing services on behalf of Licensee are maintained in a manner consistent with applicable industry best practices and standards given the nature of the data to destroy removable media and any mobile device (such as discs, USB drives, DVDs, back-up tapes, laptops and PDAs) containing Licensee Data where such media or mobile device is no longer used, or alternatively to render Licensee Data on such removable media or mobile device unintelligible and not capable of reconstruction by any technical means before re-use of such removable media is allowed.
d. Shredding – All paper waste generated in supplying the Services must be subject to secure confidential disposal by shredding so as to render it unreadable. Either the Licensor, or a reputable subcontractor selected by Licensor with reasonable care and due diligence, may shred the paper waste.
5. Technical Security Measures
a. Access Controls on Information Systems – Ensure that all systems hosting Licensee Data and/or providing services on behalf of Licensee are maintained in a manner consistent with applicable industry best practices and standards given the nature of the data, so as to ensure logical separation such that access to all systems hosting Licensee Data and/or being used to provide services to Licensee shall be protected through the use of access control systems that uniquely identify each individual requiring access, grant access only to authorized individuals and based on the principle of least privilege, prevent unauthorized persons from gaining access to Licensee Data, appropriately limit and control the scope of access granted to any authorized person, and log all relevant access events. These security measures and procedures shall include, but shall not be limited to, the Licensor exercising its best efforts to implement and maintain:
(1) Access Rights Policies – appropriate policies and procedures regarding the granting of access rights to Licensee Data in Licensor’s possession or control, in order to ensure that only the personnel expressly authorized pursuant to the terms of the Agreement or by Licensee in writing may create, modify or cancel the rights of access of the personnel. The Licensor shall maintain an accurate and up-to-date list of all personnel who have access to the Licensee Data and shall have the facility to promptly disable access by any individual personnel. For purposes of this Schedule, the term “personnel” as to Licensee or Licensor shall mean such party’s employees, consultants, subcontractors or other agents.
(2) Authorization Procedures for Persons Entitled to Access – appropriate security measures and procedures to establish and configure authorization profiles in order to ensure that personnel will only have access to the Licensee Data and resources they need to know to perform their duties, and that they are only able to access the Licensee Data within the scope and to the extent covered by their respective access permission. Personnel working on development must not normally have access to production systems. For occasional and essential support purposes, such personnel may be granted special access for a limited period of time provided such access is managed, appropriately authorized and logged (e.g. by issuing secure passwords via a Firecall system).
(3) Authentication Credentials and Procedures – appropriate security measures and procedures for strong authentication of authorized personnel, including, but not limited to, the following:
i. All systems shall prevent access by unauthorized users;
ii. New passwords shall be communicated to users in a secure manner, with an appropriate proof of identity check of the intended users;
iii. Passwords shall not be stored or transmitted in readable form;
iv. When privileged access (e.g. root or superuser level access) is granted to systems which handle or hold Licensee Data and/or are used to provide Services, such access shall be for a limited duration only and shall be fully logged;
v. Systems shall not go into production and services under this Agreement shall not commence until all personnel have received appropriate documentation and training, including:
(A) the handling of security breaches;
(B) the management of emergency access support for Licensor’s developers; and
(C) procedures to follow when personnel forget their password.
(4) Access Control from outside the Licensee Secure Area – appropriate security measures and procedures to prevent the information systems used in connection with the Agreement or Licensee Data from being accessed by unauthorized persons from outside the Licensee Secure Area.
(5) Access Monitoring – appropriate security measures and procedures for monitoring all access to the information systems used in connection with this Agreement and Licensee Data and for monitoring additions, alterations, deletions, and copying of Licensee Data, including, but not limited to:
i. Making available to Licensee, on request, all logs and records; and
ii. Maintaining full records of system or applicable access attempts, both successful and failed.
(6) Intrusion Detection/Prevention and Malware – appropriate security measures and procedures:
i. to ensure that Licensee Data in Licensor’s possession and control, and/or systems being used to provide Services, is protected against the risk of intrusion and the effects of viruses, Trojan horses, worms, and other forms of malware, and
ii. to monitor and record each and every instance of access to the Licensor’s assets and information systems and to Licensee Data to detect the same, and to promptly respond to the same.
If any malicious code is found to have been introduced by Licensor or any third party into any of Licensor’s information systems handling or holding Licensee Data, Licensor shall exercise best efforts to take appropriate measures to prevent any unauthorized access to or disclosure of any Licensee Data and in any case (wherever such code originated), Licensor shall exercise best efforts at no additional charge to Licensee to remove such malicious code and eliminate, to the extent practicable, the effects of the malicious code. If such malicious code causes a loss of operational efficiency or loss of data, Licensor shall monitor such losses and restore such lost data in accordance with the terms of the Agreement. Unless, and to the extent, prohibited by law enforcement authorities, the Licensor shall immediately notify Licensee’s Chief Information Security Officer or his or her designee if it knows or reasonably suspects that there has been an actual or attempted instance of unauthorized access to the Licensee Data and/or systems holding or handling Licensee Data, and shall cooperate fully in assisting Licensee as necessary to enable Licensee to comply with its statutory and other legal breach notice requirements, if any.
(7) Prohibited Devices –
i. The following devices are not permitted to be used on the Licensee network unless approved by Licensee in writing:
(A) Network connections;
(B) Connection to the Internet;
(C) Dial-in access;
(D) Equipment such as laptops or additional workstations;
(E) Wireless equipment; and
ii. The following devices are not permitted to be used in the provisioning of services to Licensee unless approved by Licensee in writing:
(A) Dial-in access;
(B) Wireless equipment.
(8) Unused Network Ports – All unused network ports must be disabled or disconnected.
(9) Equipment Access Control – The Licensor / Licensee shall have ultimate control over access to the network equipment and voice switch (e.g. for maintenance purposes), but may delegate physical access to such equipment to those personnel who have been authorized by the Licensee security team for physical support of this equipment. [MODIFY BASED UPON WHO HAS ACTUAL CONTROL]
b. Data Management Controls
(1) Licensee Data – Licensee Data must only be used by the Licensor for the purposes specified in this Agreement.
(2) Licensee Production Data – Where access is given to Licensee Data on any Licensee production system, unless otherwise agreed to in writing by Licensee, the Licensor must not, and shall procure that its personnel and Sub-contractors shall not, copy, download or store such Licensee Data on any desktop, server or other device at any Location, in the Licensor’s or its personnel’s possession or otherwise.
(3) Data Input Control – Implementing and maintaining appropriate security measures and procedures to ensure that it is possible to check and establish whether, when, and by whom Licensee Data has been input into the information systems used in connection with this Agreement, or accessed, copied, modified, or removed.
(4) Data Processing Control – Implementing and maintaining appropriate security measures and procedures to ensure that Licensee Data in Licensor’s possession or control may only be processed in accordance with the Agreement, and to ensure that data collected for different purposes can be processed separately, including, but not limited to, the following:
i. Production systems shall not depend on development infrastructure;
ii. No production data shall be used for development testing;
iii. The development of new application or system software shall be kept separate from the production environment.
(5) Data Integrity Controls – Implementing and maintaining appropriate security measures and procedures to protect the integrity of the Licensee Data in the Licensor’s possession or control, to prevent the unauthorized recording, alteration or erasure of such Licensee Data, and to ensure that it is subsequently possible to determine when, by whom and which Licensee Data were recorded, altered or erased.