Supplier must a. Establish and maintain baseline configurations and inventories of information systems throughout the respective system development life cycles. b. Establish and enforce security configuration settings for information technology products employed in information systems. c. Identify, document and approve any deviations from established configuration settings. d. Review the information system(s) annually, at minimum, to identify unnecessary and/or insecure functions, ports, protocols, and services. e. Disable unnecessary and/or insecure functions, ports, protocols, and services. f. Develop and document an inventory of information system components, including “open source” code incorporated in, or used to derive, any deliverable provided to Verizon, which must be provided to Verizon upon request. g. Maintain policies and procedures addressing security and intellectual property requirements that apply to “open source” code incorporated in or used to derive any deliverable provided to Verizon. h. Establish policies governing the installation of software by users, enforce software installation restrictions, and monitor policy compliance.
Supplier must a. Establish an operational incident handling capability for information systems that includes reasonable preparation, detection, analysis, containment, recovery, and user response activities. b. Periodically, but no less than annually, test the incident handling capability. c. Track, document, and report incidents to appropriate Supplier personnel. d. Notify Verizon of any incident materially affecting systems supporting Verizon services or data, including, but not limited to, any loss, acquisition or use of Verizon Confidential Information without authorization, as follows: i. Supplier must provide notification via electronic mail to: XXXX@xxxxxxx.xxx as soon as practical, but no later than twenty-four (24) hours, following awareness of the security incident. ii. Upon Verizon request, Supplier must provide status updates of the incident mitigation to a point of contact designated by Verizon. iii. Supplier must cooperate with Verizon in its efforts to investigate any security incidents. iv. Upon Verizon request, Supplier must provide a written report which describes the incident, the actions taken by Supplier during the incident response and future actions to prevent a similar incident from reoccuring.
Supplier must a. Have established screening criteria for individuals with access to Verizon systems or data. b. Ensure that upon termination of employment: i. Information system and application access is disabled immediately; ii. Retrieval of all Verizon information and information system related property of the terminated employee (including, but not limited to, mobile phones, tablets, laptops, and security tokens). c. Deploy and manage a mobile device management program for all personnel who use company-issued and or personal devices in their normal course of work with Verizon that provides for technical controls designed to secure Verizon Confidential Information accessed on mobile devices. d. Upon a personnel role transfer: i. Review and confirm ongoing operational need for current logical and physical access; and ii. Make changes to logical and physical access as needed e. Prohibit and take reasonable measures to prevent the use of external personal email accounts, personal websites and social media when handling Verizon Confidential Information.
Supplier must. (i) provide to Port Authority (by assignment or otherwise) all manufacturer’s warranties provided with respect to the Goods or Work or Services (if any); and
Supplier must. (i) undertake its own identification and analysis of work health and safety risks associated with the Goods or Services;
Supplier must. (i) retain and provide such records and reports as may be required by Port Authority; and
Supplier must. (a) create, maintain and follow a documented process for limiting access to Sensitive Information to those persons who are authorized to have that access and for the purposes for which they are authorized, which process must include measures to verify the identity of those persons; and
Supplier must. (a) create, maintain and follow a documented process for maintaining the integrity of Information while possessed or accessed by Supplier; and
Supplier must. Ensure controls restrict other Supplier customers from accessing Ipsos UK assets, unless this has been specifically approved in writing by Ipsos UK Use authentication and authorization technologies for service, user and administrator level accounts. Not allow Supplier employees or subcontractors direct root access to any systems or access to the administrator user account of any system used in the services provided to Ipsos UK Ensure IT administrators are provided and using separate and unique administrator accounts that are only used for administration responsibilities. Non-administrator tasks must always be performed using non-administrator user accounts. Ensure password policies and standards exist on IT systems that access Ipsos UK assets Ensure systems that access confidential, personal or regulated information require the following password construction requirements at all times: Minimum length of 8 characters Complexity must contain at least three of the following four characters (Number, Uppercase Letter, Lowercase letter, Printable special character) When changing or rotating an account password, the reuse of any of the prior 6 passwords is not allowed Account password expiration (the requirement to change and existing account password), must occur at - or less than 90 days. Service accounts must be changed at - or less than 90 days. Failed login attempts, when exceeding 3 consecutive attempts, must lock the account. Screen saver locks must be enabled to lock access after 10 minutes of user inactivity. Supplier must ensure systems that access Ipsos UK assets &/or Ipsos UK network meet the following additional requirements at all times: Authentication credentials must be encrypted when stored or transmitted at all times Passwords for user-level accounts cannot be shared between multiple individuals Supplier must change passwords immediately whenever it is believed that an account may have been compromised. Passwords must not be communicated via email messages or other forms of electronic communications, other than one-time use passwords. Passwords for individual user accounts must never be given to or shared with someone other than the account owner A user's identity must be verified before their password is reset and email or voicemail notification must be sent to notify the user that their password was reset. First time passwords for new user accounts must be set to unique values that follow the requirements set forth in this policy and must not ...
