Common use of Security Compliance Clause in Contracts

Security Compliance. Supplier shall comply with all provisions of the then-current Commonwealth security policies, standards, and guidelines published by VITA and which may be found at: ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇▇▇▇▇▇.▇▇▇/policy--governance/itrm-policies-standards/, or any successor URL(s), as are pertinent to Supplier's operation. Further, Supplier shall comply with all applicable provisions of ELECT's then-current security procedures as are pertinent to Supplier's operation and that have been provided to Supplier by ELECT. Supplier shall also comply with all applicable federal, state, and local laws and regulations. Any unauthorized release of any Confidential Information, or Commonwealth proprietary or personal information, by the Supplier or Supplier Personnel constitutes a breach of Supplier’s obligations under the Contract. Supplier shall notify ELECT within 24 hours of discovery of, or when Supplier should have discovered, any breach of “unencrypted” and “unredacted” personal information, as those terms are defined in Code § 18.2-186.6, and other confidential or personal identifying information provided to the Supplier by ELECT. To the extent permitted by law, Supplier shall provide ELECT the opportunity to participate in the investigation of the breach and to exercise control over reporting the unauthorized disclosure. Supplier shall ensure performance of an audit of Supplier’s environment at least annually to provide assurance of “Controls Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy” in accordance with the then-current standards set forth by the American Institute of CPAs. 
Supplier shall indemnify, defend, and hold the Commonwealth, ELECT, their officers, directors, employees and agents harmless from and against any and all Claims, including reasonable expenses suffered by, accrued against, or charged to or recoverable from the Commonwealth, ELECT, their officers, directors, agents or employees, on account of the failure of Supplier to perform its obligations pursuant this section. ELECT reserves the right to review Supplier's information security program prior to the commencement of Licensed Services and at least once annually during the Contract Term. During the performance of the Licensed Services, and on an annual basis, ELECT will be entitled, at its own expense, to perform, or to have performed, an on-site audit of Supplier's information security program. In lieu of an on-site audit, upon request by ELECT, Supplier shall implement any reasonably required safeguards as identified by any program audit.

Appears in 1 contract

Sources: Information Technology Solution and Cloud Services Contract

Security Compliance. Supplier shall comply with all provisions of the then-current Commonwealth security procedures, standards, and guidelines published by VITA and which may be found at: ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇▇▇▇▇▇.▇▇▇/policy--governance/itrm-itrm- policies-standards/, standards/ or any successor URL(s), as are pertinent to Supplier's operation. Further, Supplier shall comply with all applicable provisions of VDOT’s then-current security procedures as are pertinent to Supplier's operation and that have been provided to Supplier by VDOT. Supplier shall also comply with all applicable federal, state, and local laws and regulations. Any unauthorized release of any Confidential Information, or Commonwealth proprietary or personal information, by the Supplier or Supplier Personnel constitutes a breach of Supplier’s obligations under the Contract. Supplier shall notify VDOT within 24 hours of discovery of, or when Supplier should have discovered, any breach of “unencrypted” and “unredacted” personal information, as those terms are defined in Code § 18.2-186.6, and other confidential or personal identifying information provided to the Supplier by VDOT. To the extent permitted by law, Supplier shall provide VDOT the opportunity to participate in the investigation of the breach and to exercise control over reporting the unauthorized disclosure. Supplier shall ensure performance of an audit of Supplier’s environment at least annually to provide assurance of “Controls Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy” in accordance with the then-current standards set forth by the American Institute of CPAs.
Supplier shall indemnify, defend, and hold the Commonwealth, VITA, their officers, directors, employees and agents harmless from and against any and all Claims, including reasonable expenses suffered by, accrued against, or charged to or recoverable from the Commonwealth, VITA, their officers, directors, agents or employees, on account of the failure of Supplier to perform its obligations pursuant this section. VDOT reserves the right to review Supplier's information security program prior to the commencement of Licensed Services and at least once annually during the Term of this Contract. During the performance of the Licensed Services, and on an annual basis, VDOT will be entitled, at its own expense, to perform, or to have performed, an on-site audit of Supplier's information security program. In lieu of an on-site audit, upon request by VDOT, Supplier shall implement any reasonably required safeguards as identified by any program audit.

Appears in 1 contract

Sources: Information Technology Contract

Security Compliance. Supplier shall comply with all provisions of the then-current Commonwealth security procedures, standards, and guidelines published by VITA and which may be found at: ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇▇▇▇▇▇.▇▇▇/policy--/it-governance/itrm-policies-policies- standards/, or any successor URL(s), as are pertinent to Supplier's operation. Further, Supplier shall comply with all applicable provisions of the relevant Authorized User's then-current security procedures as are pertinent to Supplier's operation and that have been provided to Supplier by the Authorized User. Supplier shall also comply with all applicable federal, state, and local laws and regulations. Any unauthorized release of any Confidential Information, or Commonwealth proprietary or personal information, by the Supplier or Supplier Personnel constitutes a breach of Supplier’s obligations under the Contract. Supplier shall notify VITA and any affected Authorized User within 24 hours of discovery of, or when Supplier should have discovered, any breach of “unencrypted” and “unredacted” personal information, as those terms are defined in Code § 18.2-186.6, and other confidential or personal identifying information provided to the Supplier by VITA or an Authorized User. To the extent permitted by law, Supplier shall provide VITA and any affected Authorized User the opportunity to participate in the investigation of the breach and to exercise control over reporting the unauthorized disclosure. Supplier shall ensure performance of an audit of Supplier’s environment at least annually to provide assurance of “Controls Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy” in accordance with the then-current standards set forth by the American Institute of CPAs.
Supplier shall indemnify, defend, and hold the Commonwealth, ELECT, their officers, directors, employees and agents harmless from and against any and all Claims, including reasonable expenses suffered by, accrued against, or charged to or recoverable from the Commonwealth, ELECT, their officers, directors, agents or employees, on account of the failure of Supplier to perform its obligations pursuant this section. ELECT reserves the right to review Supplier's information security program prior to the commencement of Licensed Services and at least once annually during the Contract Term. During the performance of the Licensed Services, and on an annual basis, ELECT will be entitled, at its own expense, to perform, or to have performed, an on-site audit of Supplier's information security program. In lieu of an on-site audit, upon request by ELECT, Supplier shall implement any reasonably required safeguards as identified by any program audit.

Appears in 1 contract

Sources: Information Technology Solution Contract

Security Compliance. Supplier shall comply with all provisions of the then-current Commonwealth security policies, standards, and guidelines published by VITA and which may be found at: ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇▇▇▇▇▇.▇▇▇/policy--governance/itrm-policies-standards/, or any successor URL(s), as are pertinent to Supplier's operation. Further, Supplier shall comply with all applicable provisions of the relevant Agency's then-current security procedures as are pertinent to Supplier's operation and that have been provided to Supplier by Agency. Supplier shall also comply with all applicable federal, state, and local laws and regulations. Any unauthorized release of any Confidential Information, or Commonwealth proprietary or personal information, by the Supplier or Supplier Personnel constitutes a breach of Supplier’s obligations under the Contract. Supplier shall notify VITA and Agency within 24 hours of discovery of, or when Supplier should have discovered, any breach of “unencrypted” and “unredacted” personal information, as those terms are defined in Code § 18.2-186.6, and other confidential or personal identifying information provided to the Supplier by Agency. To the extent permitted by law, Supplier shall provide VITA and Agency the opportunity to participate in the investigation of the breach and to exercise control over reporting the unauthorized disclosure. Supplier shall ensure performance of an audit of Supplier’s environment at least annually to provide assurance of “Controls Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy” in accordance with the then-current standards set forth by the American Institute of CPAs.
Supplier shall indemnify, defend, and hold the Commonwealth, Agency, their officers, directors, employees and agents harmless from and against any and all Claims, including reasonable expenses suffered by, accrued against, or charged to or recoverable from the Commonwealth, Agency, their officers, directors, agents or employees, on account of the failure of Supplier to perform its obligations pursuant this section. ELECT reserves the right to review Supplier's information security program prior to the commencement of Licensed Services and at least once annually during the Contract Term. During the performance of the Licensed Services, and on an annual basis, ELECT will be entitled, at its own expense, to perform, or to have performed, an on-site audit of Supplier's information security program. In lieu of an on-site audit, upon request by ELECT, Supplier shall implement any reasonably required safeguards as identified by any program audit.

Appears in 1 contract

Sources: Information Technology Services Contract