Common use of Other Specifications Clause in Contracts

Other Specifications. (If applicable) Except to the extent otherwise expressly set out in this SOW, this SOW is governed by the terms and conditions of the Agreement. Any defined terms not otherwise defined in this SOW shall have the meanings set out in the Agreement. This SOW may be modified or amended only in writing signed by both parties. The parties to this SOW acknowledge having read this SOW and agree to be bound by its terms.

American International Group UK Limited
By:
Name:
Title:
Date:

[Name of Agency Entity]
By:
Name:
Title:
Date:

Written information security program
A comprehensive information security program written in one or more readily accessible parts that: (1) contains technical, physical, organizational, administrative and procedural controls to ensure the security, confidentiality, integrity and availability of Information and Service Provider Systems; (2) protects against anticipated hazards or threats and unauthorized access, use, alteration, loss, theft, or destruction of, or damage to, Information; (3) controls and regularly monitors and assesses identified privacy and information security risks; (4) addresses access, retention, destruction, transfer and transport of Information; (5) provides for disciplinary action in the event of its violation; and (6) for which a member of the Board or the most senior management level of Service Provider is accountable.

Designated security manager or officer
Designate an individual to manage and coordinate Service Provider’s written security program and Security who is sufficiently trained, qualified and experienced to be able to fulfill those functions and any other functions that might reasonably be expected to be carried out by the individual as a security manager or officer.

Access controls
(1) Physical and logical access controls and monitoring, secure user authentication protocols, secure access control methods, and network protection; and (2) Preventing terminated Staff of Service Provider and Staff whose role has changed such that they no longer require access to carry out their role or function from accessing Information, Service Provider Systems and Customer Systems by immediately terminating their physical and electronic access to such Information and systems.

Access controls -- Secure User Authentication
With respect to Service Provider Systems and Information: (1) maintain secure control over user IDs, passwords and other authentication identifiers; (2) maintain a secure method for selecting and assigning passwords and using authentication technologies such as biometrics or token devices; (3) restrict access to only active users/accounts; (4) block user access after multiple unsuccessful attempts (no more than 5) to login or otherwise gain access; (5) assign unique user identifications plus passwords, which are not vendor supplied default passwords; (6) require Staff to: change passwords at regular intervals (at a minimum every 90 days and for administrative or other privileged-access accounts at a minimum of every 30 days) and whenever there is any indication of possible system or password compromise; and refrain from re-using or cycling old passwords; and (7) require passwords be at least 8 characters long and be comprised of unique/not easy to guess characters using alphanumeric and special characters.

Risk Assessment and Mitigation
Periodic and regular information security risk assessment and monitoring of Service Provider's information security program, Security and Service Provider Systems, at least annually and whenever there is a material change in Service Provider's business or technology practices that may impact the security, confidentiality, integrity or availability of Information, including: (1) identifying and assessing reasonably foreseeable internal and external threats and risks to the security, confidentiality, integrity and availability of Information; (2) assessing the likelihood of, and potential damage that can be caused by, identified threats and risks; (3) regularly testing, monitoring and evaluating the sufficiency and effectiveness of Security and Security Breach response actions, and documenting same; (4) assessing adequacy of Service Provider’s Staff training concerning, and compliance with, Service Provider's information security program; (5) designing, implementing, adjusting and upgrading Security in order to limit identified threats and risks, and address material changes in Privacy and Security Laws, technology, business and sensitivity of Information; (6) assessing whether such information security program is operating in a manner reasonably calculated to prevent unauthorized access or use of Information; and (7) detecting, preventing and responding to attacks, intrusions and other system failures. Risk assessments shall be conducted by independent third parties or Service Provider personnel independent of those that develop or maintain Service Provider's information security program.

Personnel Training and Education
Regular and periodic training of Service Provider’s Staff concerning: (1) Security and data privacy, including without limitation, applicable Privacy and Security Laws; (2) implementing Service Provider's information security program; (3) the importance of personal information security; and (4) the risk of financial crime.

Intrusion detection and response policies, standards and procedures
Maintain policies, standards and procedures for detecting, monitoring and responding to actual or reasonably suspected intrusions and Security Breaches, and encouraging reporting actual or reasonably suspected Security Breaches, including: (1) training Service Provider’s personnel with access to Information to recognize actual or potential Security Breaches and to escalate and notify the senior management of the foregoing; (2) mandatory post-incident review of events and actions taken concerning security of Information; and (3) policies and standards concerning reporting to Regulators and law enforcement agencies.

Appears in 2 contracts

Sources: Employment Agency Agreement, Employment Agency Agreement