Common use of Additional Security Controls Clause in Contracts

Additional Security Controls. Vendor will store and process Student Data in accordance with the industry best practices, which at a minimum shall be in accordance with the standards set forth in this Contract, as may be amended in writing by the authorized representatives of the parties and with the approval of the Board’s General Counsel. This includes appropriate administrative, physical, and technical safeguards to secure Student Data from unauthorized access, disclosure, and use. All Student Data must be secured in transit using secure FTP services or https/TLS 1.0+. Vendor is required to specify any personally identifiable information (PII) collected or used. In addition, Vendor must maintain industry recognized security practices to establish secure application(s), network, and infrastructure architectures. Industry certifications, such as International Organization for Standardization (ISO), SysTrust, Cloud Security Alliance (CSA) STAR Certification, or WebTrust security for SaaS environments are recommended. Such safeguards shall be no less rigorous than accepted industry practices, including specifically the NIST 800-53r4 moderate level, International Organization for Standardization’s standards ISO/IEC 27001:2005 (Information Security Management Systems – Requirements), and ISO-IEC 27002:2005 (Code of Practice for International Security Management). Vendor shall ensure that the manner in which Student Data is collected, accessed, used, stored, processed, disposed of and disclosed complies with applicable data protection and privacy laws, as well as the terms and conditions of this Contract. Vendor will conduct periodic risk assessments and remediate any identified security vulnerabilities in a timely manner. Vendor will also have a written incident response plan, to include prompt notification of the Board in the event of a security or privacy incident, as well as best practices for responding to a breach of Student Data security practices. 
Vendor agrees to share its incident response plan upon request. Vendor shall assure that all Student Data that is transmitted between the Board’s access points and the ultimate server, by Vendor or its recipients, will use Board-approved encryption of no less rigor than NIST-validated DES standards.

Appears in 1 contract

Samples: Athletic Trainer Provider Agreement

Additional Security Controls. Vendor will store and process Student Data in accordance with the industry best practices, which at a minimum shall be in accordance with the standards set forth in this Contract, as may be amended in writing by the authorized representatives of the parties and with the approval of the Board’s General Counsel. This includes appropriate administrative, physical, and technical safeguards to secure Student Data from unauthorized access, disclosure, and use. All Student data must be secured in transit using secure FTP services or https/TLS 1.0+. Vendor is required to specify any personally identifiable information (PII) collected or used by their Products. In addition, Vendor must maintain industry recognized security practices to establish secure application(s), network, and infrastructure architectures. Industry certifications, such as International Organization for Standardization (ISO), SysTrust, Cloud Security Alliance (CSA) STAR Certification, or WebTrust security for SaaS environments are recommended. Such safeguards shall be no less rigorous than accepted industry practices, including specifically the NIST 800-53r4 moderate level, International Organization for Standardization’s standards ISO/IEC 27001:2005 (Information Security Management Systems – Requirements), and ISO-IEC 27002:2005 (Code of Practice for International Security Management). Vendor shall ensure that the manner in which Student Data is collected, accessed, used, stored, processed, disposed of and disclosed complies with applicable data protection and privacy laws, as well as the terms and conditions of this Contract. Vendor will conduct periodic risk assessments and remediate any identified security vulnerabilities in a timely manner.
Vendor will also have a written incident response plan, to include prompt notification of the Board in the event of a security or privacy incident, as well as best practices for responding to a breach of Student Data security practices. Vendor agrees to share its incident response plan upon request. Vendor shall assure that all Student data that is transmitted between the Board’s access points and the ultimate server, by Vendor or its recipients, will use Board-approved encryption of no less rigor than NIST-validated DES standards.

Appears in 1 contract

Samples: Services Agreement

Additional Security Controls. Vendor will store and process Student Data in accordance with the industry best practices, which at a minimum shall be in accordance with the standards set forth in this Contract, as may be amended in writing by the authorized representatives of the parties and with the approval of the Board’s General Counsel. This includes appropriate administrative, physical, and technical safeguards to secure Student Data from unauthorized access, disclosure, and use. All Student data must be secured in transit using secure FTP services or https/TLS 1.0+. Vendor is required to specify any personally identifiable information (PII) collected or used by their Products. In addition, Vendor must maintain industry recognized security practices to establish secure application(s), network, and infrastructure architectures. Industry certifications, such as International Organization for Standardization (ISO), SysTrust, Cloud Security Alliance (CSA) STAR Certification, or WebTrust security for SaaS environments are recommended. Such safeguards shall be no less rigorous than accepted industry practices, including specifically the NIST 800-53r4 moderate level, International Organization for Standardization’s standards ISO/IEC 27001:2005 (Information Security Management Systems – Requirements), and ISO-IEC 27002:2005 (Code of Practice for International Security Management). Vendor shall ensure that the manner in which Student Data is collected, accessed, used, stored, processed, disposed of and disclosed complies with applicable data protection and privacy laws, as well as the terms and conditions of this Contract. Vendor will conduct periodic risk assessments and remediate any identified security vulnerabilities in a timely manner.
Vendor will also have a written incident response plan, to include prompt notification of the Board in the event of a security or privacy incident, as well as best practices for responding to a breach of Student Data security practices. Vendor agrees to share its incident response plan upon request. Vendor shall assure that all Student data that is transmitted between the Board’s access points and the ultimate server, by Vendor or its recipients, will use Board-approved encryption of no less rigor than NIST-validated DES standards.

Appears in 1 contract

Samples: Services Agreement

Additional Security Controls. Vendor will store and process Student Data in accordance with the industry best practices, which at a minimum shall be in accordance with the standards set forth in this Agreement, as may be amended in writing by the authorized representatives of the parties and with the approval of the Board’s General Counsel. This includes appropriate administrative, physical, and technical safeguards to secure Student Data from unauthorized access, disclosure, and use. All Student data must be secured in transit using secure FTP services or https/TLS 1.0+. Proposer is required to specify any personally identifiable information (PII) collected or used by their Products. In addition, Vendor must maintain industry recognized security practices to establish secure application(s), network, and infrastructure architectures. Industry certifications, such as International Organization for Standardization (ISO), SysTrust, Cloud Security Alliance (CSA) STAR Certification, or WebTrust security for SaaS environments are recommended. Such safeguards shall be no less rigorous than accepted industry practices, including specifically the NIST 800-53r4 moderate level, International Organization for Standardization’s standards ISO/IEC 27001:2005 (Information Security Management Systems – Requirements), and ISO-IEC 27002:2005 (Code of Practice for International Security Management). Vendor shall ensure that the manner in which Student Data is collected, accessed, used, stored, processed, disposed of and disclosed complies with applicable data protection and privacy laws, as well as the terms and conditions of this Agreement. Vendor will conduct periodic risk assessments and remediate any identified security vulnerabilities in a timely manner.
Vendor will also have a written incident response plan, to include prompt notification of the Board in the event of a security or privacy incident, as well as best practices for responding to a breach of Student Data security practices. Vendor agrees to share its incident response plan upon request. Vendor shall assure that all Student data that is transmitted between the Board’s access points and the ultimate server, by Vendor or its recipients, will use Board-approved encryption of no less rigor than NIST-validated DES standards.

Appears in 1 contract

Samples: Product and Services Agreement