Common use of General Security Requirements Clause in Contracts

General Security Requirements. The application/system must meet the general security standards based upon ISO 17799 – Code of Practice for Information Security and ISO 27799 – Security Management in Health Using ISO 17799. • The application must run on an operating system that is consistently and currently supported by the operating systems vendor. Applications under maintenance are expected to always be current in regards to the current version of the relevant operating system. • For applications hosted by OCHCA, OCHCA will routinely apply patches to both the operating system and subsystems as updated releases are available from the operating system vendor and or any third party vendors. The vendors must keep their software current and compatible with such updated releases in order for the application to operate in this environment. • Vendors must provide timely updates to address any applicable security vulnerabilities found in the application. • OCHCA utilizes a variety of proactive, generally available, monitoring tools to assess and manage the health and performance of the application server, network connectivity, power etc. The application must function appropriately while the monitoring tools are actively running. • All application services must run as a true service and not require a user to be logged into the application for these services to continue to be active. OCHCA will provide an account with the appropriate security level to logon as a service, and an account with the appropriate administrative rights to administer the application. The account password must periodically expire, as per OCHCA policies and procedures. • In order for the application to run on OCHCA server and network resources, the application must not require the end users to have administrative rights on the server or subsystems.

General Security Requirements.  The application/system must meet the general security standards based upon ISO 17799 – Code of Practice for Information Security and ISO 27799 – Security Management in Health Using ISO 17799. •  The application must run on an operating system that is consistently and currently supported by the operating systems vendor. Applications under maintenance are expected to always be current in regards to the current version of the relevant operating system. •  For applications hosted by OCHCA, OCHCA will routinely apply patches to both the operating system and subsystems as updated releases are available from the operating system vendor and or any third party vendors. The vendors must keep their software current and compatible with such updated releases in order for the application to operate in this environment. •  Vendors must provide timely updates to address any applicable security vulnerabilities found in the application. •  OCHCA utilizes a variety of proactive, generally available, monitoring tools to assess and manage the health and performance of the application server, network connectivity, power etc. The application must function appropriately while the monitoring tools are actively running. •  All application services must run as a true service and not require a user to be logged into the application for these services to continue to be active. OCHCA will provide an account with the appropriate security level to logon as a service, and an account with the appropriate administrative rights to administer the application. The account password must periodically expire, as per OCHCA policies and procedures. •  In order for the application to run on OCHCA server and network resources, the application must not require the end users to have administrative rights on the server or subsystems.

General Security Requirements. The application/system must meet the general security standards based upon ISO 17799 – Code of Practice for Information Security and ISO 27799 – Security Management in Health Using ISO 17799. • The application must run on an operating system that is consistently and currently supported by the operating systems vendor. Applications under maintenance are expected to always be current in regards to the current version of the relevant operating system. • For applications hosted by OCHCA, OCHCA will routinely apply patches to both the County of Orange MA-042-20012181 Health Care Agency Page 47 of 65 Folder No. C025988 operating system and subsystems as updated releases are available from the operating system vendor and or any third party vendors. The vendors must keep their software current and compatible with such updated releases in order for the application to operate in this environment. • Vendors must provide timely updates to address any applicable security vulnerabilities found in the application. • OCHCA utilizes a variety of proactive, generally available, monitoring tools to assess and manage the health and performance of the application server, network connectivity, power etc. The application must function appropriately while the monitoring tools are actively running. • All application services must run as a true service and not require a user to be logged into the application for these services to continue to be active. OCHCA will provide an account with the appropriate security level to logon as a service, and an account with the appropriate administrative rights to administer the application. The account password must periodically expire, as per OCHCA policies and procedures. • In order for the application to run on OCHCA server and network resources, the application must not require the end users to have administrative rights on the server or subsystems.

General Security Requirements. The application/system must meet the general security standards based upon ISO 17799 – Code of Practice for Information Security and ISO 27799 – Security Management in Health Using ISO 17799. • The application must run on an operating system that is consistently and currently supported by the operating systems vendor. Applications under maintenance are expected to always be current in regards to the current version of the relevant operating system. • For applications hosted by OCHCA, OCHCA will routinely apply patches to both the County of Orange Page 41 of 53 MA-042-19011809 Health Care Agency File Folder No. C018820 operating system and subsystems as updated releases are available from the operating system vendor and or any third party vendors. The vendors must keep their software current and compatible with such updated releases in order for the application to operate in this environment. • Vendors must provide timely updates to address any applicable security vulnerabilities found in the application. • OCHCA utilizes a variety of proactive, generally available, monitoring tools to assess and manage the health and performance of the application server, network connectivity, power etc. The application must function appropriately while the monitoring tools are actively running. • All application services must run as a true service and not require a user to be logged into the application for these services to continue to be active. OCHCA will provide an account with the appropriate security level to logon as a service, and an account with the appropriate administrative rights to administer the application. The account password must periodically expire, as per OCHCA policies and procedures. • In order for the application to run on OCHCA server and network resources, the application must not require the end users to have administrative rights on the server or subsystems.

General Security Requirements.  The application/system must meet the general security standards based upon ISO 17799 – Code of Practice for Information Security and ISO 27799 – Security Management in Health Using ISO 17799. •  The application must run on an operating system that is consistently and currently supported by the operating systems vendorContractor. Applications under maintenance are expected to always be current in regards to the current version of the relevant operating system. •  For applications hosted by OCHCA, OCHCA will routinely apply patches to both the operating system and subsystems as updated releases are available from the operating system vendor Contractor and or any third party vendorscontractors. The vendors Contractors must keep their software current and compatible with such updated releases in order for the application to operate in this environment. • Vendors  Contractors must provide timely updates to address any applicable security vulnerabilities found in the application. •  OCHCA utilizes a variety of proactive, generally available, monitoring tools to assess and manage the health and performance of the application server, network connectivity, power etc. The application must function appropriately while the monitoring tools are actively running. •  All application services must run as a true service and not require a user to be logged into the application for these services to continue to be active. OCHCA will provide an account with the appropriate security level to logon as a service, and an account with the appropriate administrative rights to administer the application. The account password must periodically expire, as per OCHCA policies and procedures. • County of Orange Health Care Agency 39 MA-042-16011679 Environmental Health Data Management System  In order for the application to run on OCHCA server and network resources, the application must not require the end users to have administrative rights on the server or subsystems.

General Security Requirements. The To the extent applicable application/system must meet the general security standards based upon ISO 17799 – Code of Practice for Information Security and ISO 27799 – Security Management in Health Using ISO 17799. • The application must run on an operating system that is consistently and currently supported by the operating systems vendor. Applications under maintenance are expected to always be current in regards to the current version of the relevant operating system. • For applications hosted by OCHCA, OCHCA will routinely apply patches to both the operating system and subsystems as updated releases are available from the operating system vendor and or any third party vendors. The vendors must keep their software current and compatible with such updated releases in order for the application to operate in this environment. • Vendors must provide timely updates to address any applicable security vulnerabilities found in the application. • OCHCA utilizes a variety of proactive, generally available, monitoring tools to assess and manage the health and performance of the application server, network connectivity, power etc. The application must function appropriately while the monitoring tools are actively running. • All application services must run as a true service and not require a user to be logged into the application for these services to continue to be active. OCHCA will provide an account with the appropriate security level to logon as a service, and an account with the appropriate administrative rights to administer the application. The account password must periodically expire, as per OCHCA policies and procedures. • In order for the application to run on OCHCA server and network resources, the application must not require the end users to have administrative rights on the server or subsystems.

General Security Requirements. The application/system must meet the general security standards based upon ISO 17799 – Code of Practice for Information Security and ISO 27799 – Security Management in Health Using ISO 17799. • The application must run on an operating system that is consistently and currently supported by the operating systems vendor. Applications under maintenance are expected to always be current in regards to the current version of the relevant operating system. • For applications hosted by OCHCA, OCHCA will routinely apply patches to both the operating system and subsystems as updated releases are available from the operating system vendor and or any third party vendors. The vendors must keep their software current and compatible with such updated releases in order for the application to operate in this environment. • Vendors must provide timely updates to address any applicable security vulnerabilities found in the application. • OCHCA utilizes a variety of proactive, generally available, monitoring tools to assess and manage the health and performance of the application server, network connectivity, power etc. The application must function appropriately while the monitoring tools are actively running. • All application services must run as a true service and not require a user to be logged into the application for these services to continue to be active. OCHCA will provide an account with the appropriate security level to logon as a service, and an account with the appropriate administrative rights to administer the application. The account password must periodically expire, as per OCHCA policies and procedures. • In order for the application to run on OCHCA server and network resources, the application must not require the end users to have administrative rights on the server or subsystems.

General Security Requirements. The application/system must meet the general security standards based upon ISO 17799 – Code of Practice for Information Security and ISO 27799 – Security Management in Health Using ISO 17799. • The application must run on an operating system that is consistently and currently supported by the operating systems vendor. Applications under maintenance are expected to always be current in regards to the current version of the relevant operating system. • For applications hosted by OCHCA, OCHCA will routinely apply patches to both the operating system and subsystems as updated releases are available from the operating system vendor and or any third party vendors. The vendors must keep their software current and compatible with such updated releases in order for the application to operate in this environment. DocuSign Envelope ID: 32AC7F38-40B4-4FD7-9103-57D01A9AA5C7 • Vendors must provide timely updates to address any applicable security vulnerabilities found in the application. • OCHCA utilizes a variety of proactive, generally available, monitoring tools to assess and manage the health and performance of the application server, network connectivity, power etc. The application must function appropriately while the monitoring tools are actively running. • All application services must run as a true service and not require a user to be logged into the application for these services to continue to be active. OCHCA will provide an account with the appropriate security level to logon as a service, and an account with the appropriate administrative rights to administer the application. The account password must periodically expire, as per OCHCA policies and procedures. • In order for the application to run on OCHCA server and network resources, the application must not require the end users to have administrative rights on the server or subsystems.

General Security Requirements. The application/system must meet the general security standards based upon ISO 17799 – Code of Practice for Information Security and ISO 27799 – Security Management in Health Using ISO 17799. • The application must run on an operating system that is consistently and currently supported by the operating systems vendorContractor. Applications under maintenance are expected to always be current in regards to the current version of the relevant operating system. • For applications hosted by OCHCA, OCHCA will routinely apply patches to both the operating system and subsystems as updated releases are available from the operating system vendor Contractor and or any third party vendorscontractors. The vendors Contractors must keep their software current and compatible with such updated releases in order for the application to operate in this environment. • Vendors Contractors must provide timely updates to address any applicable security vulnerabilities found in the application. • OCHCA utilizes a variety of proactive, generally available, monitoring tools to assess and manage the health and performance of the application server, network connectivity, power etc. The application must function appropriately while the monitoring tools are actively running. • All application services must run as a true service and not require a user to be logged into the application for these services to continue to be active. OCHCA will provide an account with the appropriate security level to logon as a service, and an account with the appropriate administrative rights to administer the application. The account password must periodically expire, as per OCHCA policies and procedures. County of Orange Health Care Agency 39 MA-042-16011679 Environmental Health Data Management System • In order for the application to run on OCHCA server and network resources, the application must not require the end users to have administrative rights on the server or subsystems.

General Security Requirements. The application/system must meet the general security standards based upon ISO 17799 – Code of Practice for Information Security and ISO 27799 – Security Management in Health Using ISO 17799. • The application must run on an operating system that is consistently and currently supported by the operating systems vendor. Applications under maintenance are expected to always be current in regards to the current version of the relevant operating system. • For applications hosted by OCHCA, OCHCA will shall routinely apply patches to both the operating system and subsystems as updated releases are available from the operating system vendor and or any third party vendors. The vendors must keep their software current and compatible with such updated releases in order for the application to operate in this environment. • Vendors must provide timely updates to address any applicable security vulnerabilities found in the application. • OCHCA utilizes a variety of proactive, generally available, monitoring tools to assess and manage the health and performance of the application server, network connectivity, power etc. The application must function appropriately while the monitoring tools are actively running. • All application services must run as a true service and not require a user to be logged into the application for these services to continue to be active. OCHCA will shall provide an account with the appropriate security level to logon as a service, and an account with the appropriate administrative rights to administer the application. The account password must periodically expire, as per OCHCA policies and procedures. • In order for the application to run on OCHCA server and network resources, the application must not require the end users to have administrative rights on the server or subsystems.