Communication and Connectivity.

4.1 Data flow is documented for all CyberGRX data, from origination to end-point. CyberGRX Confidential Information is encrypted when in transit outside of CyberGRX’s network.

4.2 Firewall management processes are documented. All changes to the firewall are performed via change management processes. Firewall access is restricted to a small set of super users/administrators with appropriate approvals.

4.3 Periodic network vulnerability scans are performed, and any critical vulnerabilities identified are promptly remediated.

4.4 Defined Access Control Lists (ACLs) that restrict traffic on routers and/or firewalls are reviewed and approved by network administrators. IP addresses in the ACLs are specific, and anonymous connections are not allowed.

4.5 Unauthorized remote connections from devices are disabled as part of the standard configuration.

4.6 The data flow in the remote connection is encrypted, and multi-factor authentication is used during the login process.

4.7 Remote connection settings limit the ability of remote users to access both the initiating network and the remote network simultaneously.

4.8 Dependent third-party service provider remote access adheres to the same or similar controls, and any subcontractor remote access has a valid business justification.

4.9 Emails are encrypted via opportunistic TLS if leaving CyberGRX’s network. CyberGRX employees are trained to use manual encryption or an alternate, secure sharing mechanism if they are unsure whether encryption is available. If an external organization is sending emails on behalf of CyberGRX, additional controls are implemented to restrict spam and phishing emails.
Appears in 2 contracts
Sources: Platform Access and Service Agreement, Third Party Profile Agreement