Common use of Organization control Clause in Contracts

Organization control. The Supplier shall take reasonable steps to arrange the internal organization in such a way that it meets the specific requirements of data protection and implement and maintain the following measures:

6.1. Maintain a written information security policy that is approved annually by Supplier management team and published and communicated to all Supplier employees and relevant third parties.

6.2. Maintain a dedicated security and compliance function to design, maintain and operate security in support of its “trust platform” in line with industry standards. This function shall focus on system integrity, risk acceptance, risk analysis and assessment, risk evaluation, risk management and treatment statements of applicability and vendor management.

6.3. Undergo regular independent 3rd party security reviews and provide audit reports such as SSAE16 or ISAE3402.

6.4. Maintain data protection, security awareness and compliance program, procedures and tools which address information security threats and best practices; as well as information security policies, procedures, and controls in place to protect Data.

6.5. Maintain, and provide Avaya access to, upon request, reporting policies, procedures, and tools which provide relevant documentation and reporting on the implementation, effectiveness, and, if necessary, remediation, of the appropriate safeguards related to the processing of Data.

6.6. Maintain a written data classification and handling policy and an inventory of records with classification with physical and electronic location provided.

6.7. Ensure that consequences for policy violations are established, communicated, and acted upon.

Appears in 2 contracts

Sources: Technical and Organizational Measures, Technical and Organizational Measures