Common use of IT Operations Security Policy Clause in Contracts

IT Operations Security Policy. Written standards for operational security for any facilities where the County data, staff or systems shall exist. These documents must include, but not be limited to, physical security, network security, logical security, systems/platform security, wireless access, remote access, and data protections.  Data Management Security Policy. Policy for the safeguarding and management of all data provided by the County or accessed by vendor as part of implementation and ongoing maintenance. This policy must, at a minimum, include check-in, check-out, copy control, audit logs and separation of duties.  Security Incident Notification and Management Process. A detailed document that outlines the contact names and order and escalation of events that will occur in the case of a security breach concerning the County staff, data, or systems. This document must be updated immediately upon any change. The vendor shall be held liable to the time-tables and protections outlined in the document. In addition to developing, maintaining, and enforcing the above named policies, the vendor must:  Bear the cost of compliance for any required changes to security infrastructure, policies and procedures to comply with existing regulations, unless such change is unique to the County.  Comply with reasonable requests by the County for audits of security measures, including those related to identification and password administration.  Comply with reasonable requests by the County for onsite physical inspections of the location from which the vendor provides services.  Provide the County with any annual audit summaries and certifications, including but not limited to HIPAA, ISO or SOX audits, as applicable.  Designate a single point of contact to facilitate all IT security activities related to services provided to the County, with the allowance of appropriate backups. Such contact(s) must be available on a 7/24/365 basis. 
13 Business Continuity / Disaster Recovery Plans Application Service Providers must have a viable risk management strategy that is formally documented in a Business Continuity Plan (BCP) and/or a Disaster Recovery Plan (DRP). This BCP/DRP plan(s) must identify recovery strategies within the application service areas, outline specific recovery methods and goals, and provide the mutually agreed upon recovery time and point objectives.

Appears in 3 contracts

Samples: Electronic Records Management System, voiceofoc.org, cams.ocgov.com

IT Operations Security Policy. Written standards for operational security for any facilities where the County data, staff or systems shall exist. These documents must include, but not be limited to, physical security, network security, logical security, systems/platform security, wireless access, remote access, and data protections. Data Management Security Policy. Policy for the safeguarding and management of all data provided by the County or accessed by vendor as part of implementation and ongoing maintenance. This policy must, at a minimum, include check-in, check-out, copy control, audit logs and separation of duties. Security Incident Notification and Management Process. A detailed document that outlines the contact names and order and escalation of events that will occur in the case of a security breach concerning the County staff, data, or systems. This document must be updated immediately upon any change. The vendor shall be held liable to the time-tables and protections outlined in the document. In addition to developing, maintaining, and enforcing the above named policies, the vendor must: Bear the cost of compliance for any required changes to security infrastructure, policies and procedures to comply with existing regulations, unless such change is unique to the County. Comply with reasonable requests by the County for audits of security measures, including those related to identification and password administration. Comply with reasonable requests by the County for onsite physical inspections of the location from which the vendor provides services. Provide the County with any annual audit summaries and certifications, including but not limited to HIPAA, HITRUST, ISO or SOX SOC audits, as applicable. Designate a single point of contact to facilitate all IT security activities related to services provided to the County, with the allowance of appropriate backups. Such contact(s) must be available on a 7/24/365 basis. 
13 14 Business Continuity / Disaster Recovery Plans Application Service Providers must have a viable risk management strategy that is formally documented in a Business Continuity Plan (BCP) and/or a Disaster Recovery Plan (DRP). This BCP/DRP plan(s) must identify recovery strategies within the application service areas, outline specific recovery methods and goals, and provide the mutually agreed upon recovery time and point objectives.

Appears in 1 contract

Samples: cams.ocgov.com

IT Operations Security Policy. Written standards for operational security for any facilities where the County data, staff or systems shall exist. These documents must include, but not be limited to, physical security, network security, logical security, systems/platform security, wireless access, remote access, and data protections. Data Management Security Policy. Policy for the safeguarding and management of all data provided by the County or accessed by vendor as part of implementation and ongoing maintenance. This policy must, at a minimum, include check-in, check-out, copy control, audit logs and separation of duties. Security Incident Notification and Management Process. A detailed document that outlines the contact names and order and escalation of events that will occur in the case of a security breach concerning the County staff, data, or systems. This document must be updated immediately upon any change. The vendor shall be held liable to the time-tables and protections outlined in the document. In addition to developing, maintaining, and enforcing the above named policies, the vendor must: Bear the cost of compliance for any required changes to security infrastructure, policies and procedures to comply with existing regulations, unless such change is unique to the County. Comply with reasonable requests by the County for audits of security measures, including those related to identification and password administration. Comply with reasonable requests by the County for onsite physical inspections of the location from which the vendor provides services. Provide the County with any annual audit summaries and certifications, including but not limited to HIPAA, ISO or SOX audits, as applicable. Designate a single point of contact to facilitate all IT security activities related to services provided to the County, with the allowance of appropriate backups. Such contact(s) must be available on a 7/24/365 basis. 
13 Business Continuity / Disaster Recovery Plans Application Service Providers must have a viable risk management strategy that is formally documented in a Business Continuity Plan (BCP) and/or a Disaster Recovery Plan (DRP). This BCP/DRP plan(s) must identify recovery strategies within the application service areas, outline specific recovery methods and goals, and provide the mutually agreed upon recovery time and point objectives.

Appears in 1 contract

Samples: cams.ocgov.com

IT Operations Security Policy. Written standards for operational security for any facilities where the County data, staff or systems shall exist. These documents must include, but not be limited to, physical security, network security, logical security, systems/platform security, wireless access, remote access, and data protections. Data Management Security Policy. Policy for the safeguarding and management of all data provided by the County or accessed by vendor as part of implementation and ongoing maintenance. This policy must, at a minimum, include check-in, check-out, copy control, audit logs and separation of duties. Security Incident Notification and Management Process. A detailed document that outlines the contact names and order and escalation of events that will occur in the case of a security breach concerning the County staff, data, or systems. This document must be updated immediately upon any change. The vendor shall be held liable to the time-tables and protections outlined in the document. In addition to developing, maintaining, and enforcing the above named policies, the vendor must: Bear the cost of compliance for any required changes to security infrastructure, policies and procedures to comply with existing regulations, unless such change is unique to the County. Comply with reasonable requests by the County for audits of security measures, including those related to identification and password administration. Comply with reasonable requests by the County for onsite physical inspections of the location from which the vendor provides services. Provide the County with any annual audit summaries and certifications, including but not limited to HIPAA, ISO or SOX audits, as applicable. Designate a single point of contact to facilitate all IT security activities related to services provided to the County, with the allowance of appropriate backups. Such contact(s) must be available on a 7/24/365 basis.
13 Business Continuity / Disaster Recovery Plans Application Service Providers must have a viable risk management strategy that is formally documented in a Business Continuity Plan (BCP) and/or a Disaster Recovery Plan (DRP). This BCP/DRP plan(s) must identify recovery strategies within the application service areas, outline specific recovery methods and goals, and provide the mutually agreed upon recovery time and point objectives.

Appears in 1 contract

Samples: Eligibility Management System
