Common use of Patching Clause in Contracts

Patching. The Contractor must patch all Systems regularly in line with security best practices and ensure that current software, operating systems and application patching levels are maintained. The Contractor must ensure that all Systems have all patches installed on a regular schedule, within the time frame recommended by the manufacturer unless the Province otherwise consents in writing. The Contractor must ensure that vulnerabilities are remedied and patches installed on an accelerated basis for zero-day, critical and high vulnerabilities. For zero-day vulnerabilities, the Contractor must implement appropriate mitigation measures promptly on notification of the zero-day vulnerability. The Contractor must remediate zero-day, high and critical vulnerabilities through patching, decommission, or compensating controls. The Contractor must patch high vulnerabilities within 30 days or less of discovery and patch medium vulnerabilities within 90 days or less of discovery.

Vulnerability scanning. The Contractor must ensure that a vulnerability scan is completed on components of all Systems:
(a) before being placed into production, with any identified vulnerabilities remedied; and
(b) on a regular schedule, set at a minimum of one scan per quarter, unless the Province otherwise consents in writing.

Web application vulnerability scanning. The Contractor must ensure that a vulnerability scan is completed on any web applications used for Tenancy or in any other Systems:
(a) before being placed into production and on any major changes to such web applications, with any identified vulnerabilities remedied; and
(b) on a regular schedule, set at a minimum of one scan per quarter, unless the Province otherwise consents in writing.

Antivirus and malware scanning. The Contractor must ensure that all Systems servers:
(a) have antivirus and malware protection configured, active and enabled at all times;
(b) have antivirus and malware definitions updated at least once a day; and
(c) are configured to undergo a full anti-virus scan for latent infections (to detect infections missed by the real-time agent) at least once a week.

DISPOSALS

Asset disposal. The Contractor must ensure that all disposals of assets used in providing or relating to the Services are done in a secure manner that ensures that Protected Information cannot be recovered.

Asset management. The Contractor must have asset management and disposal Policies that are followed, and reviewed and updated regularly in line with security best practices, and that address hardware, software and other critical business assets. The Contractor must keep an asset management inventory that includes the name of the System, location, purpose, owner, and criticality, with assets added to inventory on commission and removed on decommission.

Information destruction and disposal. Unless this Agreement otherwise specifies, the Contractor must retain all records containing Protected Information in the Contractor's possession until instructed by the Province in writing to dispose or deliver them as instructed. The Contractor must securely erase:
(a) records that contain Protected Information and Tenancy Security Event Logs when instructed in writing by the Province; and
(b) any backup, transitory and extra copies of records that contain Protected Information or Tenancy Security Event Logs when no longer needed in relation to this Agreement.
The Contractor must ensure that Protected Information and Tenancy Security Event Logs on magnetic media are securely wiped by overwriting using procedures and adequate media wiping solutions, degaussing, or other method in line with security best practices for disposal of media.

NOTICES, INCIDENTS AND INVESTIGATIONS

Notice of demands for disclosure. In addition to any obligation the Contractor may have to notify or assist the Province under applicable law or this Agreement, including the Privacy Protection Schedule if attached, if the Contractor is required (including under an enactment or a subpoena, warrant, order, demand or other request from a court, government agency or other legal authority) to produce, provide access to or otherwise disclose any Protected Information, the Contractor must, unless prohibited by applicable law, immediately notify and provide reasonable assistance to the Province so the Province may seek a protective order or other remedy to prevent or limit the disclosure.

E-discovery and legal holds. The Contractor must fully co-operate with the Province to enable the Province to comply with e-discovery and legal hold obligations.

Incidents. In addition to any obligation the Contractor may have under applicable law, including the Freedom of Information and Protection of Privacy Act, or this Agreement, if, during or after the Term, the Contractor discovers a suspected or actual unwanted or unexpected event or series of events that threaten the privacy or security of Protected Information (including its unauthorized access, collection, use, disclosure, alteration, storage or disposal) or Tenancy, whether accidental or deliberate, the Contractor must:
(a) immediately report the particulars of such incident to, and follow the instructions of, the Province, confirming any oral report with a notice in writing to the Province as soon as reasonably practicable (if unable to contact the Province's contract manager or other designated contact for this Agreement, the Contractor must follow the procedure for reporting and managing information incidents on the Province's website at xxxxx://xxx0.xxx.xx.xx/gov/content/governments/services-for-government/information-management-technology/information-security/information-incidents); and
(b) make every reasonable effort to recover the records containing Protected Information and contain and remediate such incident, following such reasonable instructions as the Province may give.

Investigations support and security investigations. The Contractor must:
(a) conduct security investigations in the case of incidents (including any security breach or compromise) affecting Devices, Facilities, Systems, Tenancy or Protected Information, collecting evidence, undertaking forensic activities and taking such other actions as needed;
(b) provide the Province with any related investigation reports, which the Contractor may sanitize first;
(c) upon the Province's request, provide the Province with any logs relating to such investigation reports as validation/confirmation of such investigation, which the Contractor may sanitize first; and
(d) maintain a chain of custody in all such security investigations it undertakes.
Upon the Province's request, the Contractor must:
(a) provide investigative support to the Province to enable the Province to conduct its own security investigations into incidents (including security breaches or compromises) affecting the Tenancy or Protected Information; and
(b) provide the Province with timely access via an on-line, real-time GUI (Graphic User Interface) facility to any Tenancy Security Event Logs and to other Security Event Logs for Systems (the latter of which the Contractor may sanitize first to mask or remove, for example, data pertaining to the Contractor's customers) to assist the Province in conducting the Province's security investigations, or in case of technical limitations, other method acceptable to the Province (for example, on-site visits to enable direct access to those Security Event Logs).
The Contractor must work with and support the Province if the Province needs assistance in legal proceedings in relation to security investigations related to Protected Information or Tenancy.

Appears in 14 contracts

Samples: Financial Review and Assurance Services Agreement, General Service Agreement, Financial Review and Assurance Services Agreement
