Common use of Contractor Hosted Data Clause in Contracts

Contractor Hosted Data. If Contractor hosts University Compliant Data or Business Sensitive Data, in or on Contractor facilities, the following clauses apply. A. Contactor computers that host University Compliant Data or Business Sensitive Information shall be housed in secure areas that have adequate walls and entry control such as a card controlled entry or staffed reception desk. Only authorized personnel shall be allowed to enter and visitor entry will be strictly controlled. B. Contractor shall design and apply physical protection against damage from fire, flood, earthquake, explosion, civil unrest, and other forms of natural or man-made disasters. Contractor shall protect hosted systems with Uninterruptible Power Supply (UPS) devices sufficient to meet business continuity requirements. C. Contractor shall backup systems or media stored at a separate location with incremental back-ups at least daily and full back-ups at least weekly. Incremental and full back-ups shall be retained for 15 days and 45 days respectively. Contractor shall test restore procedures not less than once per year. D. Contractor shall provide for reasonable and adequate protection on its network and system to include firewall and intrusion detection/prevention. E. Contractor shall use strong encryption and certificate-based authentication on any server hosting on-line and e-commerce transactions with the University to ensure the confidentiality and non-repudiation of the transaction while crossing networks. F. The installation or modification of software on systems containing University Compliant Data or Business Sensitive Information shall be subject to formal change management procedures and segregation of duties requirements. G. Contractor who hosts University Compliant Data or Business Sensitive Information shall engage an independent third-party auditor to evaluate the information security controls not less than every two (2) years. Such evaluations shall be made available to the University upon request. H. Contractor shall require strong passwords for any user accessing personally identifiable information or data covered under law, regulation, or standard such as HIPAA, FERPA, or PCI. Strong passwords shall be at least eight characters long; contain at least one upper and one lower case alphabetic characters; and contain at least one numeric or special character.