{"component": "clause", "props": {"groups": [{"samples": [{"hash": "h3e3YzwsaLb", "uri": "/contracts/h3e3YzwsaLb#information-security-management-program", "label": "Participation Agreement", "score": 27.4900752909, "published": true}], "size": 2, "snippet": "2.1. Supplier shall have an Information Security Management Program (\"ISMP\") that addresses the overall security program of Supplier. The ISMP shall be formally documented, and such records shall be protected, controlled, and retained according to federal, state, and internal requirements.\n2.2. Supplier management support for the ISMP shall be demonstrated through signed acceptance or approval by Supplier\u2019s management.\n2.3. Buyer shall have the right to assess with reasonable notice the effectiveness of the ISMP by reviewing Supplier's information security policy, information security objectives, audit results, analysis of monitored events, corrective and preventive actions, and management support at least annually.", "snippet_links": [{"key": "supplier-shall", "type": "clause", "offset": [5, 19]}, {"key": "security-program", "type": "clause", "offset": [104, 120]}, {"key": "of-supplier", "type": "clause", "offset": [121, 132]}, {"key": "to-federal", "type": "definition", "offset": [245, 255]}, {"key": "management-support", "type": "clause", "offset": [305, 323]}, {"key": "by-supplier", "type": "clause", "offset": [397, 408]}, {"key": "buyer-shall", "type": "clause", "offset": [428, 439]}, {"key": "right-to", "type": "definition", "offset": [449, 457]}, {"key": "with-reasonable-notice", "type": "clause", "offset": [465, 487]}, {"key": "effectiveness-of-the", "type": "clause", "offset": [492, 512]}, {"key": "information-security-policy", "type": "clause", "offset": [542, 569]}, {"key": "security-objectives", "type": "clause", "offset": [583, 602]}, {"key": "audit-results", "type": "clause", "offset": [604, 617]}, {"key": "corrective-and-preventive-actions", "type": "clause", "offset": [649, 682]}], 
"hash": "02eaf1c54325ef16eb900553e9333cd2", "id": 2}, {"samples": [{"hash": "7yLzW8IYeS2", "uri": "/contracts/7yLzW8IYeS2#information-security-management-program", "label": "Saas Agreement", "score": 31.7031072384, "published": true}], "size": 1, "snippet": "Ultimate Software shall maintain a documented, approved and implemented information security management program in accordance with generally accepted industry standard practices that include reasonable administrative, technical, and physical safeguards to protect assets and Customer Data from loss, misuse, unauthorized access, disclosure, alteration, and destruction. The information security management program will address the following areas: risk management, security policy, organization of information security, human resources security, asset management, access control, cryptography, physical and environmental security, operations security, communications security, system acquisition, development, and maintenance, supplier management, information security incident management, information security aspects of business continuity management, and compliance.", "snippet_links": [{"key": "software-shall", "type": "definition", "offset": [9, 23]}, {"key": "in-accordance-with", "type": "definition", "offset": [112, 130]}, {"key": "generally-accepted", "type": "clause", "offset": [131, 149]}, {"key": "industry-standard-practices", "type": "definition", "offset": [150, 177]}, {"key": "physical-safeguards", "type": "definition", "offset": [233, 252]}, {"key": "customer-data", "type": "clause", "offset": [275, 288]}, {"key": "unauthorized-access", "type": "clause", "offset": [308, 327]}, {"key": "the-information", "type": "clause", "offset": [370, 385]}, {"key": "risk-management", "type": "clause", "offset": [448, 463]}, {"key": "security-policy", "type": "definition", "offset": [465, 480]}, {"key": "organization-of-information-security", "type": "clause", "offset": [482, 518]}, {"key": "human-resources-security", 
"type": "clause", "offset": [520, 544]}, {"key": "asset-management", "type": "definition", "offset": [546, 562]}, {"key": "access-control", "type": "clause", "offset": [564, 578]}, {"key": "physical-and-environmental-security", "type": "definition", "offset": [594, 629]}, {"key": "operations-security", "type": "definition", "offset": [631, 650]}, {"key": "communications-security", "type": "clause", "offset": [652, 675]}, {"key": "and-maintenance", "type": "clause", "offset": [710, 725]}, {"key": "supplier-management", "type": "clause", "offset": [727, 746]}, {"key": "information-security-incident-management", "type": "clause", "offset": [748, 788]}, {"key": "information-security-aspects-of-business-continuity-management", "type": "clause", "offset": [790, 852]}, {"key": "and-compliance", "type": "clause", "offset": [854, 868]}], "hash": "0de1aae1531ec9380446d51ff9bc8f96", "id": 3}, {"samples": [{"hash": "lcJOF6iwjsC", "uri": "/contracts/lcJOF6iwjsC#information-security-management-program", "label": "Service Agreement", "score": 31.4813804644, "published": true}, {"hash": "agYBstAYLqh", "uri": "/contracts/agYBstAYLqh#information-security-management-program", "label": "Service Agreement", "score": 31.4403199507, "published": true}, {"hash": "2ZSKqjPaPpK", "uri": "/contracts/2ZSKqjPaPpK#information-security-management-program", "label": "Service Agreement", "score": 31.2842899986, "published": true}], "size": 6, "snippet": "Sumo Logic will maintain throughout the Term of the Agreement an information security management program (the \u201cISMP\u201d) designed to protect and secure Your Data from unauthorized access or use. 
The ISMP will be documented and updated based on changes in applicable legal and regulatory requirements related to privacy and data security practices and industry standards.", "snippet_links": [{"key": "the-term-of-the-agreement", "type": "clause", "offset": [36, 61]}, {"key": "your-data", "type": "definition", "offset": [149, 158]}, {"key": "unauthorized-access-or-use", "type": "definition", "offset": [164, 190]}, {"key": "based-on", "type": "clause", "offset": [232, 240]}, {"key": "changes-in", "type": "clause", "offset": [241, 251]}, {"key": "legal-and-regulatory-requirements", "type": "clause", "offset": [263, 296]}, {"key": "related-to", "type": "clause", "offset": [297, 307]}, {"key": "security-practices", "type": "clause", "offset": [325, 343]}, {"key": "industry-standards", "type": "definition", "offset": [348, 366]}], "hash": "57f6b478aa6d651ee087be3e0586860e", "id": 1}, {"samples": [{"hash": "9ZRM95fLra2", "uri": "/contracts/9ZRM95fLra2#information-security-management-program", "label": "Master Services Agreement", "score": 32.7409012728, "published": true}], "size": 1, "snippet": "UKG shall maintain a documented, approved and implemented information security management program in accordance with generally accepted industry standard practices that include reasonable administrative, technical, and physical safeguards to protect assets and Customer Data from loss, misuse, unauthorized access, disclosure, alteration, and destruction. 
The information security management program will address the following areas: risk management, security policy, organization of information security, human resources security, asset management, access control, cryptography, physical and environmental security, operations security, communications security, system acquisition, development, and maintenance, supplier management, information security incident management, information security aspects of business continuity management, and compliance.", "snippet_links": [{"key": "in-accordance-with", "type": "definition", "offset": [98, 116]}, {"key": "generally-accepted", "type": "clause", "offset": [117, 135]}, {"key": "industry-standard-practices", "type": "definition", "offset": [136, 163]}, {"key": "physical-safeguards", "type": "definition", "offset": [219, 238]}, {"key": "customer-data", "type": "clause", "offset": [261, 274]}, {"key": "unauthorized-access", "type": "clause", "offset": [294, 313]}, {"key": "the-information", "type": "clause", "offset": [356, 371]}, {"key": "risk-management", "type": "clause", "offset": [434, 449]}, {"key": "security-policy", "type": "definition", "offset": [451, 466]}, {"key": "organization-of-information-security", "type": "clause", "offset": [468, 504]}, {"key": "human-resources-security", "type": "clause", "offset": [506, 530]}, {"key": "asset-management", "type": "definition", "offset": [532, 548]}, {"key": "access-control", "type": "clause", "offset": [550, 564]}, {"key": "physical-and-environmental-security", "type": "definition", "offset": [580, 615]}, {"key": "operations-security", "type": "definition", "offset": [617, 636]}, {"key": "communications-security", "type": "clause", "offset": [638, 661]}, {"key": "and-maintenance", "type": "clause", "offset": [696, 711]}, {"key": "supplier-management", "type": "clause", "offset": [713, 732]}, {"key": "information-security-incident-management", "type": "clause", "offset": [734, 774]}, {"key": 
"information-security-aspects-of-business-continuity-management", "type": "clause", "offset": [776, 838]}, {"key": "and-compliance", "type": "clause", "offset": [840, 854]}], "hash": "ae5dfa50429bda594fe02fc7378f6492", "id": 4}, {"samples": [{"hash": "eE8STTOyiyn", "uri": "/contracts/eE8STTOyiyn#information-security-management-program", "label": "Saas Agreement", "score": 30.9541666093, "published": true}], "size": 1, "snippet": "Ultimate Software shall maintain a documented, approved and implemented information security management program in accordance with generally accepted industry standard practices that include reasonable administrative, technical, and physical safeguards to protect assets and Customer Data from loss, misuse, unauthorized access, disclosure, alteration, and destruction. The information security management program will address the following areas: risk management, security policy, organization of information security, human resources security, asset management, access control, cryptography, physical and environmental security, operations security, communications security, system acquisition, development, and maintenance, supplier management, information security incident management, information security aspects of business continuity management, and compliance. 
When working with Customer Data, Ultimate Software shall maintain the following: Designated security and privacy personnel and departments responsible for the development and implementation of the information security and privacy practices required by this Agreement and applicable law; Require background checks (including criminal) on its workforce; Implement reasonably appropriate security and privacy awareness training for all members of its workforce; Transfer and store Customer Data in an encrypted/secure manner; Shall not store Customer Data on unencrypted mobile devices or media, such as laptops, phones, USB drives, etc; Implement reasonably appropriate technical safeguards to protect Customer Data, such as firewalls, intrusions detection systems, logging and monitoring systems, access control systems and encryption; Restrict access to data, applications, systems, databases and networks to approved users with a business need/job responsibility. Reasonably timely de-provisioning, revocation or modification of user access to Ultimate Software\u2019s systems, information assets and Customer Data shall be implemented by Ultimate Software upon any change in status of employees, contractors, customers, business partners or third parties. Any change in status is intended to include termination of employment, contract or agreement, change of employment, transfer within the organization or change in SaaS Service delivery. Maintain procedures for data retention and storage, and backup/redundancy mechanisms. Ultimate Software will test the recovery of backups at planned intervals Implement reasonable physical safeguards to restrict physical access to Confidential Information, such as restricted access requiring authentication, and appropriate environmental controls. 
Physical security perimeters (which may include fences, walls, barriers, guards, gates, electronic surveillance, physical authentication mechanisms, reception desks and security patrols) shall be implemented to reasonably safeguard Customer Data and Ultimate Software\u2019s relevant information systems; Ultimate Software will have, at a minimum, an annual site audit of Ultimate Software\u2019s information technology general controls including, but not limited to, information security, confidentiality and availability controls, performed by an independent third-party audit firm based on the recognized audit standard SSAE 18 SOC 1 and SOC 2 report or equivalent. Ultimate Software will make available to Customer for review, its SSAE 18 SOC 1 and SOC 2 report or equivalent after the report\u2019s publication by the independent audit firm. Customer agrees to treat such audit reports as Confidential Information under this Agreement. Any control exceptions noted in the SSAE 18 SOC 1 or SOC 2 report or equivalent will be addressed in the report with management\u2019s corrective action. Ultimate Software maintains certification to ISO 27001 and ISO 27018 and will make the certificate of registration available to Customer upon request. Ultimate Software will have a network and application level penetration test conducted annually. This audit shall be performed by a recognized third-party audit firm engaged by Ultimate Software. Upon request, Customer shall be provided with a high level executive summary of such test. Customer may submit general security and privacy due diligence questionnaires for completion by Ultimate Software no more than annually. 
Questionnaires can be submitted directly to the Privacy, Risk & Compliance department at \u2587\u2587\u2587\u2587\u2587\u2587\u2587\u2587\u2587\u2587@\u2587\u2587\u2587\u2587\u2587\u2587\u2587\u2587\u2587\u2587\u2587\u2587\u2587\u2587\u2587\u2587.\u2587\u2587\u2587.", "snippet_links": [{"key": "software-shall", "type": "definition", "offset": [9, 23]}, {"key": "in-accordance-with", "type": "definition", "offset": [112, 130]}, {"key": "generally-accepted", "type": "clause", "offset": [131, 149]}, {"key": "industry-standard-practices", "type": "definition", "offset": [150, 177]}, {"key": "physical-safeguards", "type": "definition", "offset": [233, 252]}, {"key": "customer-data", "type": "clause", "offset": [275, 288]}, {"key": "unauthorized-access", "type": "clause", "offset": [308, 327]}, {"key": "the-information", "type": "clause", "offset": [370, 385]}, {"key": "risk-management", "type": "clause", "offset": [448, 463]}, {"key": "security-policy", "type": "definition", "offset": [465, 480]}, {"key": "organization-of-information-security", "type": "clause", "offset": [482, 518]}, {"key": "human-resources-security", "type": "clause", "offset": [520, 544]}, {"key": "asset-management", "type": "definition", "offset": [546, 562]}, {"key": "physical-and-environmental-security", "type": "definition", "offset": [594, 629]}, {"key": "operations-security", "type": "definition", "offset": [631, 650]}, {"key": "communications-security", "type": "clause", "offset": [652, 675]}, {"key": "and-maintenance", "type": "clause", "offset": [710, 725]}, {"key": "supplier-management", "type": "clause", "offset": [727, 746]}, {"key": "information-security-incident-management", "type": "clause", "offset": [748, 788]}, {"key": "information-security-aspects-of-business-continuity-management", "type": "clause", "offset": [790, 852]}, {"key": "and-compliance", "type": "clause", "offset": [854, 868]}, {"key": "working-with", "type": "definition", "offset": [875, 887]}, {"key": 
"responsible-for", "type": "clause", "offset": [1009, 1024]}, {"key": "development-and-implementation", "type": "clause", "offset": [1029, 1059]}, {"key": "security-and-privacy-practices", "type": "definition", "offset": [1079, 1109]}, {"key": "by-this-agreement", "type": "clause", "offset": [1119, 1136]}, {"key": "applicable-law", "type": "clause", "offset": [1141, 1155]}, {"key": "background-checks", "type": "definition", "offset": [1165, 1182]}, {"key": "security-and-privacy-awareness-training", "type": "clause", "offset": [1255, 1294]}, {"key": "members-of", "type": "clause", "offset": [1303, 1313]}, {"key": "not-store", "type": "definition", "offset": [1399, 1408]}, {"key": "mobile-devices", "type": "definition", "offset": [1438, 1452]}, {"key": "technical-safeguards", "type": "clause", "offset": [1538, 1558]}, {"key": "monitoring-systems", "type": "clause", "offset": [1646, 1664]}, {"key": "access-control-systems", "type": "clause", "offset": [1666, 1688]}, {"key": "access-to-data", "type": "clause", "offset": [1714, 1728]}, {"key": "approved-users", "type": "definition", "offset": [1779, 1793]}, {"key": "business-need", "type": "clause", "offset": [1801, 1814]}, {"key": "modification-of", "type": "clause", "offset": [1884, 1899]}, {"key": "user-access", "type": "clause", "offset": [1900, 1911]}, {"key": "information-assets", "type": "clause", "offset": [1944, 1962]}, {"key": "status-of-employees", "type": "clause", "offset": [2042, 2061]}, {"key": "business-partners", "type": "clause", "offset": [2087, 2104]}, {"key": "third-parties", "type": "clause", "offset": [2108, 2121]}, {"key": "termination-of-employment", "type": "definition", "offset": [2167, 2192]}, {"key": "contract-or-agreement", "type": "definition", "offset": [2194, 2215]}, {"key": "change-of-employment", "type": "definition", "offset": [2217, 2237]}, {"key": "the-organization", "type": "definition", "offset": [2255, 2271]}, {"key": "service-delivery", "type": "definition", "offset": [2290, 
2306]}, {"key": "retention-and-storage", "type": "clause", "offset": [2337, 2358]}, {"key": "recovery-of", "type": "clause", "offset": [2426, 2437]}, {"key": "access-to-confidential-information", "type": "clause", "offset": [2529, 2563]}, {"key": "restricted-access", "type": "definition", "offset": [2573, 2590]}, {"key": "environmental-controls", "type": "definition", "offset": [2633, 2655]}, {"key": "physical-security", "type": "definition", "offset": [2657, 2674]}, {"key": "electronic-surveillance", "type": "definition", "offset": [2745, 2768]}, {"key": "and-security", "type": "clause", "offset": [2822, 2834]}, {"key": "information-systems", "type": "definition", "offset": [2936, 2955]}, {"key": "site-audit", "type": "definition", "offset": [3010, 3020]}, {"key": "information-technology", "type": "clause", "offset": [3044, 3066]}, {"key": "general-controls", "type": "clause", "offset": [3067, 3083]}, {"key": "not-limited", "type": "clause", "offset": [3099, 3110]}, {"key": "availability-controls", "type": "clause", "offset": [3157, 3178]}, {"key": "performed-by", "type": "clause", "offset": [3180, 3192]}, {"key": "an-independent", "type": "clause", "offset": [3193, 3207]}, {"key": "based-on", "type": "clause", "offset": [3231, 3239]}, {"key": "the-recognized", "type": "clause", "offset": [3240, 3254]}, {"key": "audit-standard", "type": "definition", "offset": [3255, 3269]}, {"key": "ssae-18", "type": "definition", "offset": [3270, 3277]}, {"key": "soc-1", "type": "definition", "offset": [3278, 3283]}, {"key": "soc-2-report", "type": "definition", "offset": [3288, 3300]}, {"key": "or-equivalent", "type": "definition", "offset": [3301, 3314]}, {"key": "for-review", "type": "clause", "offset": [3366, 3376]}, {"key": "the-report", "type": "clause", "offset": [3433, 3443]}, {"key": "independent-audit-firm", "type": "definition", "offset": [3465, 3487]}, {"key": "customer-agrees-to", "type": "clause", "offset": [3489, 3507]}, {"key": "audit-reports", "type": "clause", 
"offset": [3519, 3532]}, {"key": "corrective-action", "type": "definition", "offset": [3713, 3730]}, {"key": "iso-27001", "type": "definition", "offset": [3777, 3786]}, {"key": "certificate-of-registration", "type": "clause", "offset": [3819, 3846]}, {"key": "upon-request", "type": "definition", "offset": [3869, 3881]}, {"key": "application-level", "type": "clause", "offset": [3925, 3942]}, {"key": "penetration-test", "type": "clause", "offset": [3943, 3959]}, {"key": "customer-shall", "type": "clause", "offset": [4093, 4107]}, {"key": "high-level", "type": "definition", "offset": [4127, 4137]}, {"key": "executive-summary", "type": "definition", "offset": [4138, 4155]}, {"key": "customer-may", "type": "clause", "offset": [4170, 4182]}, {"key": "general-security", "type": "definition", "offset": [4190, 4206]}, {"key": "due-diligence", "type": "clause", "offset": [4219, 4232]}, {"key": "compliance-department", "type": "clause", "offset": [4371, 4392]}], "hash": "485180e6f9a662d4600b1d630d64a88e", "id": 5}, {"samples": [{"hash": "87RWicxXxii", "uri": "/contracts/87RWicxXxii#information-security-management-program", "label": "Data Processing Addendum", "score": 26.4031485284, "published": true}], "size": 1, "snippet": "Administrative Safeguards", "snippet_links": [{"key": "administrative-safeguards", "type": "definition", "offset": [0, 25]}], "hash": "57227e74b93a5215d7776f3b60c61fff", "id": 6}, {"samples": [{"hash": "6Xsn0IGRDxU", "uri": "/contracts/6Xsn0IGRDxU#information-security-management-program", "label": "Box Service Agreement", "score": 25.0095824778, "published": true}], "size": 1, "snippet": "Box will maintain throughout the Term of the Agreement an information security management program (the \u201cISMP\u201d) designed to protect and secure Content from unauthorized access or use. 
The ISMP will be documented and updated based on changes in applicable legal and regulatory requirements related to privacy and data security practices and industry standards.", "snippet_links": [{"key": "the-term-of-the-agreement", "type": "clause", "offset": [29, 54]}, {"key": "unauthorized-access-or-use", "type": "definition", "offset": [155, 181]}, {"key": "based-on", "type": "clause", "offset": [223, 231]}, {"key": "changes-in", "type": "clause", "offset": [232, 242]}, {"key": "legal-and-regulatory-requirements", "type": "clause", "offset": [254, 287]}, {"key": "related-to", "type": "clause", "offset": [288, 298]}, {"key": "security-practices", "type": "clause", "offset": [316, 334]}, {"key": "industry-standards", "type": "definition", "offset": [339, 357]}], "hash": "1ff0b6487d9f70926b046196facdbe85", "id": 7}, {"samples": [{"hash": "YXwXiQOnsF", "uri": "/contracts/YXwXiQOnsF#information-security-management-program", "label": "Master Subscription Agreement", "score": 33.9586096975, "published": true}], "size": 1, "snippet": "a. FloQast maintains a comprehensive information security management program (\u201cISMP\u201d) that contains administrative, technical, and physical safeguards that are appropriate for:\ni. The size, scope and type of FloQast\u2019s business;\nii. The amount of resources available to FloQast;\niii. The type of information that FloQast will store and process; and\niv. The need for security and protection from unauthorized disclosure or access to such Customer Data. The ISMP is documented and updated based on changes in legal and regulatory requirements related to privacy and data security practices and industry standards applicable to the Services.\nb. 
FloQast\u2019s ISMP is designed to:\ni. Protect the integrity, availability, resilience, confidentiality, and security of all Customer Data; ii. Protect against the unauthorized disclosure or access o", "snippet_links": [{"key": "physical-safeguards", "type": "definition", "offset": [131, 150]}, {"key": "available-to", "type": "definition", "offset": [256, 268]}, {"key": "type-of-information", "type": "clause", "offset": [287, 306]}, {"key": "protection-from", "type": "clause", "offset": [378, 393]}, {"key": "unauthorized-disclosure", "type": "clause", "offset": [394, 417]}, {"key": "access-to", "type": "definition", "offset": [421, 430]}, {"key": "customer-data", "type": "clause", "offset": [436, 449]}, {"key": "based-on", "type": "clause", "offset": [486, 494]}, {"key": "changes-in", "type": "clause", "offset": [495, 505]}, {"key": "legal-and-regulatory-requirements", "type": "clause", "offset": [506, 539]}, {"key": "related-to", "type": "clause", "offset": [540, 550]}, {"key": "security-practices", "type": "clause", "offset": [568, 586]}, {"key": "to-the-services", "type": "clause", "offset": [621, 636]}, {"key": "security-of", "type": "clause", "offset": [745, 756]}], "hash": "1e786fff96f77afa059e72f1128ec0e6", "id": 8}, {"samples": [{"hash": "8sSKMJRVRMg", "uri": "/contracts/8sSKMJRVRMg#information-security-management-program", "label": "Master Services Agreement (Triple-S Management Corp)", "score": 26.8548939083, "published": true}], "size": 1, "snippet": "An Information Security Management Program (ISMP) shall be formally established, implemented, operated and maintained. 
[Core-15(b)] The ISMP shall be reviewed and updated at least annually considering the needs of the organization and changes on existing business requirements, technologies, threats and risk facing the organization. [Core-15(b)] TSM Senior Management support for the ISMP shall be demonstrated through signed acceptance or approval by management of the program. [Core-15(b)] The ISMP shall include the relevant security domains for proper management of the program as required by HITRUST. [Core-15(b)] Personnel assigned with formal responsibilities in the ISMP must be competent in information security tasks. [Core-15(b)]", "snippet_links": [{"key": "organization-and", "type": "clause", "offset": [218, 234]}, {"key": "business-requirements", "type": "clause", "offset": [255, 276]}, {"key": "management-support", "type": "clause", "offset": [358, 376]}, {"key": "management-of-the-program", "type": "clause", "offset": [453, 478]}, {"key": "relevant-security", "type": "definition", "offset": [520, 537]}, {"key": "as-required-by", "type": "clause", "offset": [583, 597]}, {"key": "personnel-assigned", "type": "clause", "offset": [620, 638]}], "hash": "3e8b78145e52cbdedda531336f397e5b", "id": 9}, {"samples": [{"hash": "apGZzsS32Jg", "uri": "/contracts/apGZzsS32Jg#information-security-management-program", "label": "Contract for Workforce Management Systems and Related Products, Services and Solutions", "score": 34.1670115557, "published": true}], "size": 1, "snippet": "Kronos shall maintain a documented, approved and implemented information security management program in accordance with generally accepted industry standard practices that include reasonable administrative, technical, and physical safeguards to protect assets and Customer Data from loss, misuse, unauthorized access, disclosure, alteration, and destruction. 
The information security management program will address the following areas: risk management, security policy, organization of information security, human resources security, asset management, access control, cryptography, physical and environmental security, operations security, communications security, system acquisition, development, and maintenance, supplier management, information security incident management, information security aspects of business continuity management, and compliance.", "snippet_links": [{"key": "in-accordance-with", "type": "definition", "offset": [101, 119]}, {"key": "generally-accepted", "type": "clause", "offset": [120, 138]}, {"key": "industry-standard-practices", "type": "definition", "offset": [139, 166]}, {"key": "physical-safeguards", "type": "definition", "offset": [222, 241]}, {"key": "customer-data", "type": "clause", "offset": [264, 277]}, {"key": "unauthorized-access", "type": "clause", "offset": [297, 316]}, {"key": "the-information", "type": "clause", "offset": [359, 374]}, {"key": "risk-management", "type": "clause", "offset": [437, 452]}, {"key": "security-policy", "type": "definition", "offset": [454, 469]}, {"key": "organization-of-information-security", "type": "clause", "offset": [471, 507]}, {"key": "human-resources-security", "type": "clause", "offset": [509, 533]}, {"key": "asset-management", "type": "definition", "offset": [535, 551]}, {"key": "access-control", "type": "clause", "offset": [553, 567]}, {"key": "physical-and-environmental-security", "type": "definition", "offset": [583, 618]}, {"key": "operations-security", "type": "definition", "offset": [620, 639]}, {"key": "communications-security", "type": "clause", "offset": [641, 664]}, {"key": "and-maintenance", "type": "clause", "offset": [699, 714]}, {"key": "supplier-management", "type": "clause", "offset": [716, 735]}, {"key": "information-security-incident-management", "type": "clause", "offset": [737, 777]}, {"key": 
"information-security-aspects-of-business-continuity-management", "type": "clause", "offset": [779, 841]}, {"key": "and-compliance", "type": "clause", "offset": [843, 857]}], "hash": "f705c90e37a9a9b6eef4de379e25f49f", "id": 10}], "next_curs": "CnASamoVc35sYXdpbnNpZGVyY29udHJhY3RzckwLEhZDbGF1c2VTbmlwcGV0R3JvdXBfdjU2IjBpbmZvcm1hdGlvbi1zZWN1cml0eS1tYW5hZ2VtZW50LXByb2dyYW0jMDAwMDAwMGEMogECZW4YACAA", "clause": {"children": [], "parents": [["notices", "Notices"], ["general-provisions", "GENERAL PROVISIONS"], ["supplier-attestation", "Supplier Attestation"], ["payment-and-payment-milestone-conditions", "Payment and Payment Milestone Conditions"], ["invoices", "Invoices"]], "size": 17, "title": "Information Security Management Program", "id": "information-security-management-program", "related": [["information-security-program", "Information Security Program", "Information Security Program"], ["security-management", "Security Management", "Security Management"], ["information-management", "Information Management", "Information Management"], ["information-security", "Information Security", "Information Security"], ["patch-management", "Patch Management", "Patch Management"]], "related_snippets": [], "updated": "2025-07-07T12:37:53+00:00", "also_ask": ["What minimum security standards should be mandated in the Information Security Management Program?", "How can we ensure the clause is enforceable and not merely aspirational in court?", "What are the most common negotiation pitfalls or pushbacks regarding this clause?", "How does this clause compare to industry-standard information security requirements (e.g., ISO 27001, NIST)?", "What are the most critical risks if the program is inadequately defined or monitored?"], "drafting_tip": "Specify security standards, assign responsibility, and require regular audits to ensure clarity of obligations, accountability, and ongoing compliance.", "explanation": "The Information Security Management Program clause establishes the 
requirement for an organization to implement and maintain a structured set of policies, procedures, and controls to protect sensitive information. Typically, this involves designating responsible personnel, conducting regular risk assessments, and ensuring compliance with relevant security standards or regulations. The core function of this clause is to safeguard data from unauthorized access, breaches, or misuse, thereby reducing the risk of information security incidents and ensuring the organization's ongoing compliance and trustworthiness."}, "json": true, "cursor": ""}}