Security of Data a. Each of the parties shall:
Security of Access Code You may use one (1) or more access codes with your electronic fund transfers. The access codes issued to you are for your security purposes. Any access codes issued to you are confidential and should not be disclosed to third parties or recorded on or with the card. You are responsible for safekeeping your access codes. You agree not to disclose or otherwise make your access codes available to anyone not authorized to sign on your accounts. If you authorize anyone to use your access codes, that authority shall continue until you specifically revoke such authority by notifying the Credit Union. You understand that any joint owner you authorize to use an access code may withdraw or transfer funds from any of your accounts. If you fail to maintain the security of these access codes and the Credit Union suffers a loss, we may terminate your EFT services immediately.
Security of State Information To the extent Contractor shall have access to, processes, handles, collects, transmits, stores or otherwise deals with State Data, the Contractor represents and warrants that it has implemented and it shall maintain during the term of this Master Agreement the highest industry standard administrative, technical, and physical safeguards and controls consistent with NIST Special Publication 800-53 (version 4 or higher) and Federal Information Processing Standards Publication 200 and designed to (i) ensure the security and confidentiality of State Data; (ii) protect against any anticipated security threats or hazards to the security or integrity of the State Data; and (iii) protect against unauthorized access to or use of State Data. Such measures shall include at a minimum: (1) access controls on information systems, including controls to authenticate and permit access to State Data only to authorized individuals and controls to prevent the Contractor employees from providing State Data to unauthorized individuals who may seek to obtain this information (whether through fraudulent means or otherwise); (2) industry-standard firewall protection; (3) encryption of electronic State Data while in transit from the Contractor networks to external networks; (4) measures to store in a secure fashion all State Data which shall include multiple levels of authentication; (5) dual control procedures, segregation of duties, and pre-employment criminal background checks for employees with responsibilities for or access to State Data; (6) measures to ensure that the State Data shall not be altered or corrupted without the prior written consent of the State; (7) measures to protect against destruction, loss or damage of State Data due to potential environmental hazards, such as fire and water damage; (8) staff training to implement the information security measures; and (9) monitoring of the security of any portions of the Contractor systems that are used in the provision of the services against intrusion on a twenty-four (24) hour a day basis.
Security of Vendor Facilities All Vendor and Vendor Staff facilities in which Citizens Confidential Information is located or housed shall be maintained in a reasonably secure manner. Within such facilities, all printed materials containing Citizens Confidential Information should be kept locked in a secure office, file cabinet, or desk (except when materials are being used).
Data Encryption Contractor must encrypt all State data at rest and in transit, in compliance with FIPS Publication 140-2 or applicable law, regulation or rule, whichever is a higher standard. All encryption keys must be unique to State data. Contractor will secure and protect all encryption keys to State data. Encryption keys to State data will only be accessed by Contractor as necessary for performance of this Contract.
Web Hosting If Customer submits a Service Order(s) for web hosting services, the following terms shall also apply:
Security System The site and the Work area may be protected by limited access security systems. An initial access code number will be issued to the Contractor by the County. Thereafter, all costs for changing the access code due to changes in personnel or required substitution of contracts shall be paid by the Contractor and may be deducted from payments due or to become due to the Contractor. Furthermore, any alarms originating from the Contractor’s operations shall also be paid by the Contractor and may be deducted from payments due or to become due to the Contractor.
Infrastructure Vulnerability Scanning Supplier will scan its internal environments (e.g., servers, network devices, etc.) related to Deliverables monthly and external environments related to Deliverables weekly. Supplier will have a defined process to address any findings but will ensure that any high-risk vulnerabilities are addressed within 30 days.
Security Protocols Both parties agree to maintain security protocols that meet industry standards in the transfer or transmission of any data, including ensuring that data may only be viewed or accessed by parties legally allowed to do so. Provider shall maintain all data obtained or generated pursuant to the Service Agreement in a secure digital environment and not copy, reproduce, or transmit data obtained pursuant to the Service Agreement, except as necessary to fulfill the purpose of data requests by LEA.
Security of processing (a) The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter ‘personal data breach’). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organisational measures specified in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.
