Common use of Compliance with NYS Information Security Policies and Procedures Clause in Contracts

Compliance with NYS Information Security Policies and Procedures. Contractor warrants, covenants and represents that it shall comply fully with all security procedures of the State communicated to it in the performance of this Contract, including ITS Information Security policies and procedures located at xxxxx://xxx.xx.xxx/eiso/policies/security. ITS shall have the right at any time to require that the Contractor remove from interaction with ITS any Contractor representative who ITS believes is detrimental to its working relationship with the Contractor. The State will provide the Contractor with notice of its determination, and the reasons it requests the removal. If ITS signifies that a potential security violation exists with respect to the request, the Contractor shall immediately remove such individual. Contractor shall not assign the person to any aspect of the Contract or future work orders without ITS consent. Contractor shall use industry standard security measures, including standard encryption protocols, to protect and guard the availability and security of all NYS Confidential Information, and adhere to all the State’s security policies. Contractor shall be strictly prohibited from using NYS Confidential Information in any fashion other than that defined herein. There may be instances whereby ITS will communicate security procedures necessitated by ITS operations. Contractor will use reasonable efforts to implement same. In the event Contractor does not implement or communicates that it cannot or will not implement such security procedures, the Parties will reasonably work to resolve such dispute pursuant to the Contract's Dispute Resolution process. Contractor warrants that its Contractor Staff members are properly informed and trained regarding security standards andare prohibited from disclosing NYS Confidential Information to any persons without a need to know. Contractor will work cooperatively with the State so that software applications accessed by members of the public or others are accessed by the single sign-on service provided by New York State Directory Services or such other service chosen by ITS. The Contractor’s solution may be required to pass an internal NYS security review conducted by NYS prior to implementation and after any significant system modifications. This review will determine whether adequate controls are in place to protect the availability of the System and the integrity and confidentiality of the information. A significant system modification is considered any change to the underlying architecture of the System. The Contractor must work with NYS to perform a security risk assessment of the proposed security architecture that will be comprised of, but not limited to: • NYS review of Contractor documentation • As needed, the State will perform vulnerability, web application, and penetration scans • Contractor will remediate all issues until their solution is compliant with all NYS Policies and Standards as determined by the State • Completion of a Security Assessment Questionnaire The Contractor must remediate all risks identified by the security assessment that are part of services provided by the contractor or obtain approval by NYS for compensating controls.

Compliance with NYS Information Security Policies and Procedures. Contractor warrants, covenants covenants, and represents that it shall comply fully with all security procedures of the State communicated to it in the performance of this the Contract, including ITS NYS Information Security policies and procedures standards located at xxxxx://xxx.xx.xxx/eiso/policies/securityxxxxx://xxx.xx.xxx/ciso/policies/security. ITS shall have At the right State’s discretion, it may, at any time during the term of the Contract, request that Contractor provide documentation validating its adherence to require that these security policies and standards. Contractor must deliver such documentation within thirty (30) days of a request by the Contractor remove from interaction with ITS any Contractor representative who ITS believes is detrimental to its working relationship with State or as mutually agreed to, in writing, by the Parties. Contractor. The State will provide the Contractor with notice of its determination, and the reasons it requests the removal. If ITS signifies that a potential security violation exists with respect to the requestextent the following meets or exceeds the NYS Information Security policies and standards described above, the Contractor shall immediately remove such individual. Contractor shall not assign the person to any aspect of the Contract or future work orders without ITS consent. Contractor shall use industry standard security measures, including standard encryption protocols, to protect and guard the availability and security of all NYS Confidential Information, and adhere to all the State’s security policies. Contractor shall be strictly prohibited from using NYS Confidential Information in any fashion other than that defined herein. There may be instances whereby ITS the State will communicate security procedures necessitated by ITS the State’s operations. Contractor will use reasonable efforts to implement same. In the event Contractor does not implement or communicates that it cannot or will not implement such security procedures, the Parties will reasonably work to resolve such dispute pursuant to the Contract's Dispute Resolution processprocess to the extent such dispute does not adversely impact the State’s legal obligations. Contractor warrants that its Contractor Staff members are properly informed and trained regarding industry standard security standards andare measures, NYS Information Security policies and standards, and are prohibited from disclosing NYS Confidential Information to any persons without a need to know. To the extent applicable, Contractor will work cooperatively with the State so that software applications accessed by members of the public or others are accessed by the single sign-on service provided by New York State Directory Services or such other service chosen by ITS. The Contractor’s solution may be required to pass an internal NYS security review conducted by NYS prior to implementation and after any significant system modifications. This review will determine whether adequate controls are in place to protect the availability of the System and the integrity and confidentiality of the information. A significant system modification is considered any change to the underlying architecture of the System. The Contractor must work with NYS to perform a security risk assessment of the proposed security architecture that will be comprised of, but not limited to: • NYS review of Contractor documentation • As needed, the State will perform vulnerability, web application, and penetration scans • Contractor will remediate all issues until their solution is compliant with all NYS Policies and Standards as determined by the State • Completion of a Security Assessment Questionnaire The Contractor must remediate all risks identified by the security assessment that are part of services provided by the contractor or obtain approval by NYS for compensating controls.

Compliance with NYS Information Security Policies and Procedures. Contractor warrants, covenants and represents that it shall comply fully with all security procedures of the State communicated to it in the performance of this Contract, including ITS Information Security policies and procedures located at xxxxx://xxx.xx.xxx/eiso/policies/security. ITS shall have the right at any time to require that the Contractor remove from interaction with ITS any Contractor representative who ITS believes is detrimental to its working relationship with the Contractor. The State will provide the Contractor with notice of its determination, and the reasons it requests the removal. If ITS signifies that a potential security violation exists with respect to the request, the Contractor shall immediately remove such individual. Contractor shall not assign the person to any aspect of the Contract or future work orders without ITS consent. Contractor shall use industry standard security measures, including standard encryption protocols, to protect and guard the availability and security of all NYS Confidential Information, and adhere to all the State’s security policies. Contractor shall be strictly prohibited from using NYS Confidential Information in any fashion other than that defined herein. There may be instances whereby ITS will communicate security procedures necessitated by ITS operations. Contractor will use reasonable efforts to implement same. In the event Contractor does not implement or communicates that it cannot or will not implement such security procedures, the Parties will reasonably work to resolve such dispute pursuant to the Contract's Dispute Resolution process. Contractor warrants that its Contractor Staff members are properly informed and trained regarding security standards andare prohibited from disclosing NYS Confidential Information to any persons without a need to know. Contractor will work cooperatively with the State so that software applications accessed by members of the public or others are accessed by the single sign-on service provided by New York State Directory Services or such other service chosen by ITS. The Contractor’s solution may be required to pass an internal NYS security review conducted by NYS prior to implementation and after any significant system modifications. This review will determine whether adequate controls are in place to protect the availability of the System and the integrity and confidentiality of the information. A significant system modification is considered any change to the underlying architecture of the System. The Contractor must work with NYS to perform a security risk assessment of the proposed security architecture that will be comprised of, but not limited to: • NYS review of Contractor documentation • As needed, the State will perform vulnerability, web application, and penetration scans • Contractor will remediate all issues until their solution is compliant with all NYS Policies and Standards as determined by the State • Completion of a Security Assessment Questionnaire The Contractor must remediate all risks identified by the security assessment that are part of services provided by the contractor or obtain approval by NYS for compensating controls.

Compliance with NYS Information Security Policies and Procedures. Contractor warrants, covenants covenants, and represents that it shall comply fully with all security procedures of the State communicated to it in the performance of this the Contract, including ITS NYS Information Security policies and procedures standards located at xxxxx://xxx.xx.xxx/eiso/policies/securityxxxxx://xxx.xx.xxx/ciso/policies/security. ITS shall have At the right State’s discretion, it may, at any time during the term of the Contract, request that Contractor provide documentation validating its adherence to require that these security policies and standards. Contractor must deliver such documentation within thirty (30) days of a request by the Contractor remove from interaction with ITS any Contractor representative who ITS believes is detrimental to its working relationship with State or as mutually agreed to, in writing, by the Parties. Contractor. The State will provide the Contractor with notice of its determination, and the reasons it requests the removal. If ITS signifies that a potential security violation exists with respect to the requestextent the following meets or exceeds the NYS Information Security policies and standards described above, the Contractor shall immediately remove such individual. Contractor shall not assign the person to any aspect of the Contract or future work orders without ITS consent. Contractor shall use industry standard security measures, including standard encryption protocols, to protect and guard the availability and security of all NYS Confidential Information, and adhere to all the State’s security policies. Contractor shall be strictly prohibited from using NYS Confidential Information in any fashion other than that defined herein. There may be instances whereby ITS the State will communicate security procedures necessitated by ITS the State’s operations. Contractor will use reasonable efforts to implement same. In the event Contractor does not implement or communicates that it cannot or will not implement such security procedures, the Parties will reasonably work to resolve such dispute pursuant to the Contract's Dispute Resolution processprocess to the extent such dispute does not adversely impact the State’s legal obligations. Contractor warrants that its Contractor Staff members are properly informed and trained will undergo annual traininged regarding industry standard security standards andare measures, NYS Information Security policies and standards, and are prohibited from disclosing NYS Confidential Information to any persons without a need to know. To the extent applicable, Contractor will work cooperatively with the State so that software applications accessed by members of the public or others are accessed by the single sign-on service provided by New York State Directory Services or such other service chosen by ITS. The Contractor’s solution may be required to pass an internal NYS security review conducted by NYS prior to implementation and after any significant system modifications. This review will determine whether adequate controls are in place to protect the availability of the System and the integrity and confidentiality of the information. A significant system modification is considered any change to the underlying architecture of the System. The Contractor must work with NYS to perform a security risk assessment of the proposed security architecture that will be comprised of, but not limited to: • NYS review of Contractor documentation • As needed, the State will perform vulnerability, web application, and penetration scans • Contractor will remediate all issues until their solution is compliant with all NYS Policies and Standards as determined by the State • Completion of a Security Assessment Questionnaire The Contractor must remediate all risks identified by the security assessment that are part of services provided by the contractor or obtain approval by NYS for compensating controls.