Information Security Plan. 3(a) Contractor acknowledges that the CSU is required to comply with information security standards for the protection of CSU Protected Data Information required by law, regulation and regulatory guidance, as well as the CSU’s internal security policy for information and systems protection. Within 30 days of the Effective Date of the Agreement, Contractor shall establish, maintain and comply with an information security plan (“Information Security Plan”), which shall contain such elements that are materially similar to elements the CSU may require after consultation with Contractor. On at least an annual basis, Contractor shall review, update and revise its Information Security Plan. Contractor’s Information Security Plan shall be designed to:
• Ensure the security, integrity and confidentiality of the CSU Protected Data;
• Protect against any anticipated threats or hazards to the security or integrity of such information;
• Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to the person that is the subject of such information;
• Protect against unauthorized changes to or use of CSU Protected Data; and
• Comply with all applicable legal and regulatory requirements for data protection.
• Include business continuity and disaster recovery plans.
Contractor’s Information Security Plan shall include a written response program addressing the appropriate remedial measures it shall undertake in the event that there is an information security breach. Contractor shall cause all Subcontractors and other persons and entities whose services are part of the Services which Contractor delivers to the CSU or who hold CSU Protected Data, to implement an information security program and plan substantially equivalent to Contractor’s.
The parties expressly agree that Contractor’s security procedures shall require that any CSU Protected Level 1 Data transmitted or stored by Contractor only be transmitted or stored in an encrypted form. In addition, Contractor represents and warrants that in performing the Services, it will comply with all applicable privacy and data protection laws and regulations of the United States including, as applicable, the provisions in the ▇▇▇▇▇-▇▇▇▇▇-▇▇▇▇▇▇ Act, 15 U.S.C. Section 6801 et seq., the Family Education Rights and Privacy Act (“FERPA”), 20 USC Section 1232(g) et seq., and of any other applicable non-U.S. jurisdiction, including the European Union Directives, and that it will use best efforts, consistent with Federal Trade Commission and other applicable guidance, to protect CSU’s Protected Information from identity theft, fraud and unauthorized use. Failure by Contractor to comply with any provision of this Section shall constitute a default subject to Paragraph 14 of the CSU General Provisions for Service Acquisitions.
Appears in 1 contract
Information Security Plan. This section requires the contractor to develop or maintain an information security plan adequate to protect the CSUF ASC data. The CSUF ASC will select one of the two sub-sections to use in their contract. Section 3(a) is to be used for contracts which the CSUF ASC identifies as “high risk” due to the size of the contract, the critical nature of the service or function, and/or the nature of the CSUF ASC Information Assets affected. Section 3(b) is to be used for contracts which the CSUF ASC does not identify as “high risk”.
(a) Contractor acknowledges that the CSUF ASC is required to comply with information security standards for the protection of CSU Protected Data Information required by law, regulation and regulatory guidance, as well as the CSUF ASC’s internal security policy for information and systems protection. Within 30 days of the effective date of the Agreement, and subject to the review and approval of the CSUF ASC, Contractor shall establish, maintain and comply with an information security plan (“Information Security Plan”), which shall contain such elements that are materially similar to elements the CSUF ASC may require after consultation with Contractor. On at least an annual basis, Contractor shall review, update and revise its Information Security Plan, subject to the CSUF ASC’s review and approval. Contractor’s Information Security Plan shall be designed to:
• Ensure the security, integrity and confidentiality of the CSUF ASC Protected Data;
• Protect against any anticipated threats or hazards to the security or integrity of such information;
• Protect against unauthorized access to, or use of, such information that could result in substantial harm or inconvenience to the person that is the subject of such information;
• Protect against unauthorized changes to, or use of, CSUF ASC Protected Data; and
• Comply with all applicable CSUF ASC policies, legal, and regulatory requirements for data protection; and
• Include business continuity and disaster recovery plans.
Contractor’s Information Security Plan shall include a written response program addressing the appropriate remedial measures it shall undertake in the event that there is an information security breach.
Contractor shall cause all Subcontractors and other persons and entities whose services are part of the Services which Contractor delivers to the CSUF ASC, or who hold CSUF ASC Protected Data, to implement an Information Security Program and Plan substantially equivalent to Contractor’s. The parties expressly agree that Contractor’s security procedures shall require that any CSU Protected Level 1 Data be transmitted or stored by Contractor only in an encrypted form approved by the CSUF ASC. In addition, Contractor represents and warrants that in performing the Services, it will comply with all applicable privacy and data protection laws and regulations of the United States including, as applicable, the provisions in the ▇▇▇▇▇-▇▇▇▇▇-▇▇▇▇▇▇ Act, 15 U.S.C. Section 6801 et seq., the Family Education Rights and Privacy Act (“FERPA”), 20 USC Section 1232(g) et seq., and of any other applicable non-U.S. jurisdiction laws and regulations, including the European Union Directives, and that it will use best efforts, consistent with Federal Trade Commission guidelines, and any other applicable guidance, to protect CSUF ASC’s Protected Information from identity theft, fraud and unauthorized use. Failure by Contractor to comply with any provision of this Section shall constitute a default subject to Paragraph 14 of the CSU General Provisions for Service Acquisitions.
Appears in 1 contract
Sources: Information Security Agreements
Information Security Plan. 3(a) Contractor acknowledges that the CSU is required to comply with information security standards for the protection of CSU Protected Data Information required by law, regulation and regulatory guidance, as well as the CSU’s internal security policy for information and systems protection. Within 30 days of the Effective Date of the Agreement and subject to the review and approval of the CSU, Contractor shall establish, maintain and comply with an information security plan (“Information Security Plan”), which shall contain such elements that are materially similar to elements the CSU may require after consultation with Contractor. On at least an annual basis, Contractor shall review, update and revise its Information Security Plan, subject to the CSU’s review and approval. At the CSU’s request, Contractor shall make modifications to its Information Security Plan or to the procedures and practices thereunder to conform to the CSU’s security requirements as they exist from time to time. Contractor’s Information Security Plan shall be designed to:
• Ensure the security, integrity and confidentiality of the CSU Protected Data;
• Protect against any anticipated threats or hazards to the security or integrity of such information;
• Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to the person that is the subject of such information;
• Protect against unauthorized changes to or use of CSU Protected Data; and
• Comply with all applicable CSU policies, legal and regulatory requirements for data protection.
• Include business continuity and disaster recovery plans.
CSU Information Security Requirements Supplemental Provisions - CSU General Provisions for Information Technology Acquisitions 4 Revised 08/11/20
Contractor’s Information Security Plan shall include a written response program addressing the appropriate remedial measures it shall undertake in the event that there is an information security breach. Contractor shall cause all Subcontractors and other persons and entities whose services are part of the Services which Contractor delivers to the CSU or who hold CSU Protected Data, to implement an information security program and plan substantially equivalent to Contractor’s. The parties expressly agree that Contractor’s security procedures shall require that any CSU Protected Level 1 Data transmitted or stored by Contractor only be transmitted or stored in an encrypted form approved by the CSU. In addition, Contractor represents and warrants that in performing the Services, it will comply with all applicable privacy and data protection laws and regulations of the United States including, as applicable, the provisions in the ▇▇▇▇▇-▇▇▇▇▇-▇▇▇▇▇▇ Act, 15 U.S.C. Section 6801 et seq., the Family Education Rights and Privacy Act (“FERPA”), 20 USC Section 1232(g) et seq., and of any other applicable non-U.S. jurisdiction, including the European Union Directives, and that it will use best efforts, consistent with Federal Trade Commission and other applicable guidance, to protect CSU’s Protected Information from identity theft, fraud and unauthorized use. Failure by Contractor to comply with any provision of this Section shall constitute a default subject to Paragraph 14 of the CSU General Provisions for Information Technology Acquisitions.
Appears in 1 contract
Sources: Independent Contractor Agreement