{"component": "clause", "props": {"groups": [{"samples": [{"hash": "kEDBpgOHYp8", "uri": "/contracts/kEDBpgOHYp8#system-access-control", "label": "General Terms and Conditions for Cloud Services", "score": 31.873840332, "published": true}, {"hash": "aXtGWx6BMb3", "uri": "/contracts/aXtGWx6BMb3#system-access-control", "label": "Personal Data Processing Agreement", "score": 30.5306529999, "published": true}, {"hash": "bRcMNNEuTqu", "uri": "/contracts/bRcMNNEuTqu#system-access-control", "label": "Personal Data Processing Agreement", "score": 30.4950675964, "published": true}], "snippet_links": [{"key": "data-processing-systems", "type": "clause", "offset": [0, 23]}, {"key": "the-cloud-service", "type": "clause", "offset": [40, 57]}, {"key": "without-authorization", "type": "clause", "offset": [92, 113]}], "size": 89, "snippet": "Data processing systems used to provide the Cloud Service must be prevented from being used without authorization.", "hash": "06da22aa51a7453a0f239a33b9698102", "id": 1}, {"samples": [{"hash": "jizNxH25ju7", "uri": "/contracts/jizNxH25ju7#system-access-control", "label": "Standard Agreement", "score": 27.4328136444, "published": true}, {"hash": "43oLBqyN0I7", "uri": "/contracts/43oLBqyN0I7#system-access-control", "label": "Standard Agreement", "score": 26.0286560059, "published": true}, {"hash": "fNSExZ0Wew", "uri": "/contracts/fNSExZ0Wew#system-access-control", "label": "Information Exchange Agreement", "score": 25.9364891052, "published": true}], "snippet_links": [{"key": "automated-audit-trail", "type": "definition", "offset": [0, 21]}], "size": 11, "snippet": "Automated Audit Trail", "hash": "bbab5f82a877d6e23f24ecbc89a4623c", "id": 5}, {"samples": [{"hash": "43oLBqyN0I7", "uri": "/contracts/43oLBqyN0I7#system-access-control", "label": "Standard Agreement", "score": 26.0286560059, "published": true}, {"hash": "fNSExZ0Wew", "uri": "/contracts/fNSExZ0Wew#system-access-control", "label": "Information Exchange Agreement", "score": 25.9364891052, "published": true}, {"hash": "jNalQ1of1Td", "uri": "/contracts/jNalQ1of1Td#system-access-control", "label": "Medi Cal County Inmate Program Agreement", "score": 22.5331954956, "published": true}], "snippet_links": [{"key": "upon-hiring", "type": "clause", "offset": [55, 66]}, {"key": "access-to", "type": "definition", "offset": [86, 95]}, {"key": "provided-information", "type": "definition", "offset": [100, 120]}, {"key": "in-accordance-with", "type": "definition", "offset": [248, 266]}, {"key": "applicable-agency", "type": "definition", "offset": [271, 288]}, {"key": "state-agencies", "type": "definition", "offset": [363, 377]}, {"key": "number-of", "type": "clause", "offset": [435, 444]}, {"key": "state-agency", "type": "clause", "offset": [688, 700]}, {"key": "to-issue", "type": "clause", "offset": [759, 767]}, {"key": "biometric-identifiers", "type": "definition", "offset": [785, 806]}, {"key": "personal-identity-verification", "type": "clause", "offset": [811, 841]}, {"key": "to-individuals", "type": "clause", "offset": [860, 874]}, {"key": "authority-to", "type": "definition", "offset": [1044, 1056]}, {"key": "other-individuals", "type": "clause", "offset": [1071, 1088]}, {"key": "grant-access", "type": "clause", "offset": [1166, 1178]}, {"key": "based-on", "type": "definition", "offset": [1207, 1215]}, {"key": "separation-of-duties", "type": "clause", "offset": [1251, 1271]}, {"key": "grant-employees", "type": "clause", "offset": [1309, 1324]}, {"key": "access-privileges", "type": "clause", "offset": [1349, 1366]}, {"key": "the-organization", "type": "clause", "offset": [1379, 1395]}, {"key": "business-needs", "type": "clause", "offset": [1398, 1412]}, {"key": "system-access", "type": "definition", "offset": [1499, 1512]}, {"key": "to-determine", "type": "clause", "offset": [1513, 1525]}, {"key": "types-of-access", "type": "clause", "offset": [1549, 1564]}, {"key": "subject-to", "type": "definition", "offset": [1632, 1642]}, {"key": "action-by-the", "type": "clause", "offset": [1669, 1682]}, {"key": "reduction-in-pay", "type": "definition", "offset": [1695, 1711]}, {"key": "disciplinary-action", "type": "definition", "offset": [1713, 1732]}, {"key": "termination-of-employment", "type": "definition", "offset": [1734, 1759]}, {"key": "in-advance", "type": "clause", "offset": [1839, 1849]}, {"key": "adverse-action", "type": "definition", "offset": [1857, 1871]}, {"key": "employee-will", "type": "clause", "offset": [1912, 1925]}, {"key": "unauthorized-activities", "type": "clause", "offset": [1934, 1957]}, {"key": "remote-access", "type": "definition", "offset": [2033, 2046]}, {"key": "internet-access", "type": "definition", "offset": [2055, 2070]}, {"key": "comply-with-applicable", "type": "clause", "offset": [2071, 2093]}, {"key": "security-policy-and-standards", "type": "clause", "offset": [2112, 2141]}, {"key": "access-control-policy", "type": "clause", "offset": [2166, 2187]}, {"key": "in-place", "type": "clause", "offset": [2215, 2223]}, {"key": "the-term", "type": "clause", "offset": [2510, 2518]}, {"key": "the-system", "type": "clause", "offset": [2893, 2903]}, {"key": "authorized-transaction", "type": "definition", "offset": [2927, 2949]}, {"key": "consistent-with", "type": "definition", "offset": [3136, 3151]}, {"key": "business-process", "type": "definition", "offset": [3167, 3183]}, {"key": "principle-of-least-privilege", "type": "definition", "offset": [3330, 3358]}, {"key": "compensating-control", "type": "definition", "offset": [3380, 3400]}, {"key": "review-of", "type": "clause", "offset": [3455, 3464]}, {"key": "all-transactions", "type": "clause", "offset": [3465, 3481]}, {"key": "left-blank-intentionally", "type": "clause", "offset": [3553, 3577]}], "size": 6, "snippet": "(Access Control (AC) Family, NIST SP 800-53 rev. 4)\n1. Upon hiring or before granting access to SSA-provided information, EIEPs should verify the identities of any employees, contractors, and agents who will have access to SSA-provided information in accordance with the applicable agency or state\u2019s \u201cpersonnel identity verification policy.\u201d\n2. SSA requires that state agencies have a logical control feature that designates a maximum number of unsuccessful login attempts for agency workstations and devices that store or process SSA-provided information, in accordance with NIST guidelines. SSA recommends no fewer than three (3) and no greater than five (5)..\n3. SSA requires that the state agency designate specific official(s) or functional component(s) to issue PINs, passwords, biometric identifiers, or Personal Identity Verification (PIV) credentials to individuals who will access SSA-provided information. SSA also requires that the state agency prohibit any functional component(s) or official(s) from issuing credentials or access authority to themselves or other individuals within their job- function or category of access.\n4. SSA requires that EIEPs grant access to SSA-provided information based on least privilege, need-to-know, and separation of duties. State agencies should not routinely grant employees, contractors, or agents access privileges that exceed the organization\u2019s business needs. SSA also requires that EIEPs periodically review employees, contractors, and agent\u2019s system access to determine if the same levels and types of access remain applicable.\n5. If an EIEP employee, contractor, or agent is subject to an adverse administrative action by the EIEP (e.g., reduction in pay, disciplinary action, termination of employment), SSA recommends the EIEP remove his or her access to SSA-provided information in advance of the adverse action to reduce the possibility that will the employee will perform unauthorized activities that involve SSA- provided information.\n6. SSA requires that work-at-home, remote access, and/or Internet access comply with applicable Federal and state security policy and standards. Furthermore, the EIEPs access control policy must define the safeguards in place to adequately protect SSA-provided information for work-at-home, remote access, and/or Internet access.\n7. SSA requires EIEPs to design their system with logical control(s) that prevent unauthorized browsing of SSA-provided information. SSA refers to this setup as a Permission Module. The term \u201cPermission Module\u201d supports a business rule and systematic control that prevents users from browsing a system that contains SSA-provided information. It also supports the principle of referential integrity. It should prevent non-business related or unofficial access to SSA-provided information. Before a user or process requests SSA-provided information for verification, the system should verify it is an authorized transaction. Some organizations use the term \u201creferential integrity\u201d to describe the verification step. A properly configured Permission Module should prevent a user from performing any actions not consistent with a need-to-know business process. If a logical permission module configuration is not possible, the state agency must enforce its Access Control List (ACL) in accordance with the principle of least privilege. The only acceptable compensating control for a system that lacks a permission module is a 100% review of all transactions that involve SSA-provided information. (THE REST OF THIS PAGE HAS BEEN LEFT BLANK INTENTIONALLY)", "hash": "b472685413fb19790195c1aba65aaec3", "id": 10}, {"samples": [{"hash": "5scs28ehptK", "uri": "/contracts/5scs28ehptK#system-access-control", "label": "Personal Data Processing Agreement", "score": 29.5306529999, "published": true}, {"hash": "kfbWLu92lcn", "uri": "/contracts/kfbWLu92lcn#system-access-control", "label": "Personal Data Processing Agreement", "score": 29.4950675964, "published": true}, {"hash": "jXHgk7cPWaG", "uri": "/contracts/jXHgk7cPWaG#system-access-control", "label": "Personal Data Processing Agreement", "score": 29.4950675964, "published": true}], "snippet_links": [{"key": "access-to", "type": "definition", "offset": [53, 62]}, {"key": "processing-personal-data", "type": "clause", "offset": [110, 134]}, {"key": "according-to", "type": "definition", "offset": [185, 197]}, {"key": "security-policy", "type": "definition", "offset": [206, 221]}, {"key": "personnel-access", "type": "clause", "offset": [229, 245]}, {"key": "unique-identifier", "type": "clause", "offset": [267, 284]}, {"key": "to-provide", "type": "clause", "offset": [324, 334]}, {"key": "no-rights", "type": "clause", "offset": [340, 349]}, {"key": "without-authorization", "type": "clause", "offset": [362, 383]}, {"key": "in-case", "type": "clause", "offset": [388, 395]}, {"key": "personnel-leaves", "type": "clause", "offset": [396, 412]}, {"key": "access-rights", "type": "clause", "offset": [431, 444]}, {"key": "established-a", "type": "definition", "offset": [468, 481]}, {"key": "password-policy", "type": "clause", "offset": [482, 497]}, {"key": "on-a-regular-basis", "type": "definition", "offset": [618, 636]}, {"key": "user-ids", "type": "definition", "offset": [687, 695]}, {"key": "minimum-requirements", "type": "clause", "offset": [764, 784]}, {"key": "in-the-case", "type": "clause", "offset": [819, 830]}, {"key": "the-system", "type": "clause", "offset": [852, 862]}, {"key": "six-months", "type": "definition", "offset": [894, 904]}, {"key": "requirements-for", "type": "clause", "offset": [928, 944]}, {"key": "company-network", "type": "definition", "offset": [1022, 1037]}, {"key": "public-network", "type": "definition", "offset": [1060, 1074]}, {"key": "antivirus-software", "type": "definition", "offset": [1111, 1129]}, {"key": "access-points", "type": "clause", "offset": [1133, 1146]}, {"key": "to-the-company", "type": "definition", "offset": [1147, 1161]}, {"key": "for-e", "type": "clause", "offset": [1171, 1176]}, {"key": "management-processes", "type": "clause", "offset": [1263, 1283]}, {"key": "security-updates", "type": "definition", "offset": [1303, 1319]}, {"key": "periodic-basis", "type": "definition", "offset": [1337, 1351]}, {"key": "remote-access", "type": "definition", "offset": [1360, 1373]}, {"key": "critical-infrastructure", "type": "definition", "offset": [1405, 1428]}], "size": 29, "snippet": "Multiple authorization levels are used when granting access to sensitive systems, including those storing and processing Personal Data. Authorizations are managed via defined processes according to the SAP Security Policy. \u2022 All personnel access SAP\u2019s systems with a unique identifier (user ID). \u2022 SAP has policies designed to provide that no rights are granted without authorization and in case personnel leaves the company their access rights are revoked. \u2022 SAP has established a password policy that prohibits the sharing of passwords, governs responses to password disclosure, and requires passwords to be changed on a regular basis and default passwords to be altered. Personalized user IDs are assigned for authentication. All passwords must fulfill defined minimum requirements and are stored in encrypted form. In the case of domain passwords, the system forces a password change every six months in compliance with the requirements for complex passwords. Each computer has a password-protected screensaver. \u2022 The company network is protected from the public network by firewalls. \u2022 SAP uses up\u2013to-date antivirus software at access points to the company network (for e-mail accounts), as well as on all file servers and all workstations. \u2022 Security patch management processes to deploy relevant security updates on a regular and periodic basis. \u2022 Full remote access to SAP\u2019s corporate network and critical infrastructure is protected by authentication.", "hash": "26dd7e8e9dc6d260f3092d1d42f3bfba", "id": 3}, {"samples": [{"hash": "bAfFwCXTPny", "uri": "/contracts/bAfFwCXTPny#system-access-control", "label": "Personal Data Processing Agreement", "score": 30.4950675964, "published": true}, {"hash": "9NJ7jW2g30F", "uri": "/contracts/9NJ7jW2g30F#system-access-control", "label": "Personal Data Processing Agreement", "score": 30.4622192383, "published": true}, {"hash": "9XqbiVi6mlG", "uri": "/contracts/9XqbiVi6mlG#system-access-control", "label": "Personal Data Processing Agreement", "score": 30.3390369415, "published": true}], "snippet_links": [], "size": 7, "snippet": "Kendali Akses Sistem.", "hash": "31ae0069171dfe76fece1c4ba3db0bab", "id": 9}, {"samples": [{"hash": "bw3Yq8AwGOO", "uri": "/contracts/bw3Yq8AwGOO#system-access-control", "label": "Personal Data Processing Agreement", "score": 30.5653781891, "published": true}, {"hash": "hJNIpwdVRBV", "uri": "/contracts/hJNIpwdVRBV#system-access-control", "label": "Personal Data Processing Agreement", "score": 30.4942073822, "published": true}, {"hash": "5yVAHumNQa", "uri": "/contracts/5yVAHumNQa#system-access-control", "label": "Personal Data Processing Agreement", "score": 30.2249279022, "published": true}], "snippet_links": [{"key": "data-processing-systems", "type": "clause", "offset": [0, 23]}, {"key": "provide-the", "type": "clause", "offset": [32, 43]}, {"key": "without-authorization", "type": "clause", "offset": [90, 111]}], "size": 38, "snippet": "Data processing systems used to provide the SAP Service must be prevented from being used without authorization.", "hash": "c724b5f96d2f421bc06fe60abc39f549", "id": 2}, {"samples": [{"hash": "kfbWLu92lcn", "uri": "/contracts/kfbWLu92lcn#system-access-control", "label": "Personal Data Processing Agreement", "score": 29.4950675964, "published": true}, {"hash": "jXHgk7cPWaG", "uri": "/contracts/jXHgk7cPWaG#system-access-control", "label": "Personal Data Processing Agreement", "score": 29.4950675964, "published": true}, {"hash": "jT3Ps0MCn9v", "uri": "/contracts/jT3Ps0MCn9v#system-access-control", "label": "Personal Data Processing Agreement", "score": 29.4950675964, "published": true}], "snippet_links": [{"key": "data-processing-systems", "type": "clause", "offset": [0, 23]}, {"key": "the-cloud-service", "type": "clause", "offset": [40, 57]}, {"key": "without-authorization", "type": "clause", "offset": [92, 113]}, {"key": "access-to", "type": "definition", "offset": [170, 179]}, {"key": "processing-personal-data", "type": "clause", "offset": [227, 251]}, {"key": "according-to", "type": "definition", "offset": [302, 314]}, {"key": "security-policy", "type": "definition", "offset": [323, 338]}, {"key": "personnel-access", "type": "clause", "offset": [345, 361]}, {"key": "unique-identifier", "type": "clause", "offset": [383, 400]}, {"key": "in-place", "type": "clause", "offset": [433, 441]}, {"key": "authorization-changes", "type": "clause", "offset": [460, 481]}, {"key": "in-accordance-with", "type": "definition", "offset": [503, 521]}, {"key": "for-example", "type": "clause", "offset": [547, 558]}, {"key": "no-rights", "type": "clause", "offset": [560, 569]}, {"key": "in-case", "type": "clause", "offset": [606, 613]}, {"key": "personnel-leaves", "type": "clause", "offset": [614, 630]}, {"key": "access-rights", "type": "clause", "offset": [650, 663]}, {"key": "established-a", "type": "definition", "offset": [687, 700]}, {"key": "password-policy", "type": "clause", "offset": [701, 716]}, {"key": "on-a-regular-basis", "type": "definition", "offset": [837, 855]}, {"key": "user-ids", "type": "definition", "offset": [906, 914]}, {"key": "minimum-requirements", "type": "clause", "offset": [983, 1003]}, {"key": "in-the-case", "type": "clause", "offset": [1038, 1049]}, {"key": "the-system", "type": "clause", "offset": [1071, 1081]}, {"key": "six-months", "type": "definition", "offset": [1113, 1123]}, {"key": "requirements-for", "type": "clause", "offset": [1147, 1163]}, {"key": "company-network", "type": "definition", "offset": [1241, 1256]}, {"key": "public-network", "type": "definition", "offset": [1279, 1293]}, {"key": "antivirus-software", "type": "definition", "offset": [1330, 1348]}, {"key": "access-points", "type": "clause", "offset": [1352, 1365]}, {"key": "to-the-company", "type": "definition", "offset": [1366, 1380]}, {"key": "security-patch-management", "type": "definition", "offset": [1467, 1492]}, {"key": "security-updates", "type": "definition", "offset": [1563, 1579]}, {"key": "remote-access", "type": "definition", "offset": [1586, 1599]}, {"key": "critical-infrastructure", "type": "definition", "offset": [1631, 1654]}, {"key": "strong-authentication", "type": "definition", "offset": [1671, 1692]}], "size": 24, "snippet": "Data processing systems used to provide the Cloud Service must be prevented from being used without authorization. \u2022 Multiple authorization levels are used when granting access to sensitive systems, including those storing and processing Personal Data. Authorizations are managed via defined processes according to the SAP Security Policy \u2022 All personnel access SAP\u2019s systems with a unique identifier (user ID). \u2022 SAP has procedures in place so that requested authorization changes are implemented only in accordance with the SAP Security Policy (for example, no rights are granted without authorization). In case personnel leaves the company, their access rights are revoked. \u2022 SAP has established a password policy that prohibits the sharing of passwords, governs responses to password disclosure, and requires passwords to be changed on a regular basis and default passwords to be altered. Personalized user IDs are assigned for authentication. All passwords must fulfill defined minimum requirements and are stored in encrypted form. In the case of domain passwords, the system forces a password change every six months in compliance with the requirements for complex passwords. Each computer has a password-protected screensaver. \u2022 The company network is protected from the public network by firewalls. \u2022 SAP uses up\u2013to-date antivirus software at access points to the company network (for e-mail accounts), as well as on all file servers and all workstations. \u2022 Security patch management is implemented to provide regular and periodic deployment of relevant security updates. Full remote access to SAP\u2019s corporate network and critical infrastructure is protected by strong authentication.", "hash": "033cb332fb19e037d9be3785c5603b11", "id": 4}, {"samples": [{"hash": "7phbHdFrUwt", "uri": "/contracts/7phbHdFrUwt#system-access-control", "label": "Personal Data Processing Agreement", "score": 29.3390369415, "published": true}, {"hash": "kpnGbHN6h4U", "uri": "/contracts/kpnGbHN6h4U#system-access-control", "label": "Personal Data Processing Agreement", "score": 27.4420413971, "published": true}], "snippet_links": [{"key": "data-processing-systems", "type": "clause", "offset": [0, 23]}, {"key": "the-cloud-service", "type": "clause", "offset": [40, 57]}, {"key": "without-authorization", "type": "clause", "offset": [92, 113]}, {"key": "access-to", "type": "definition", "offset": [239, 248]}, {"key": "processing-personal-data", "type": "clause", "offset": [296, 320]}, {"key": "according-to", "type": "definition", "offset": [371, 383]}, {"key": "security-policy", "type": "definition", "offset": [392, 407]}, {"key": "personnel-access", "type": "clause", "offset": [526, 542]}, {"key": "unique-identifier", "type": "clause", "offset": [564, 581]}, {"key": "in-place", "type": "clause", "offset": [665, 673]}, {"key": "authorization-changes", "type": "clause", "offset": [695, 716]}, {"key": "in-accordance-with", "type": "definition", "offset": [738, 756]}, {"key": "for-example", "type": "clause", "offset": [782, 793]}, {"key": "no-rights", "type": "clause", "offset": [795, 804]}, {"key": "in-case", "type": "clause", "offset": [841, 848]}, {"key": "personnel-leaves", "type": "clause", "offset": [849, 865]}, {"key": "access-rights", "type": "clause", "offset": [885, 898]}, {"key": "established-a", "type": "definition", "offset": [1042, 1055]}, {"key": "password-policy", "type": "clause", "offset": [1056, 1071]}, {"key": "on-a-regular-basis", "type": "definition", "offset": [1192, 1210]}, {"key": "user-ids", "type": "definition", "offset": [1261, 1269]}, {"key": "minimum-requirements", "type": "clause", "offset": [1338, 1358]}, {"key": "in-the-case", "type": "clause", "offset": [1393, 1404]}, {"key": "the-system", "type": "clause", "offset": [1426, 1436]}, {"key": "six-months", "type": "definition", "offset": [1468, 1478]}, {"key": "requirements-for", "type": "clause", "offset": [1502, 1518]}, {"key": "company-network", "type": "definition", "offset": [1875, 1890]}, {"key": "public-network", "type": "definition", "offset": [1913, 1927]}, {"key": "antivirus-software", "type": "definition", "offset": [2009, 2027]}, {"key": "access-points", "type": "clause", "offset": [2031, 2044]}, {"key": "to-the-company", "type": "definition", "offset": [2045, 2059]}, {"key": "security-patch-management", "type": "definition", "offset": [2248, 2273]}, {"key": "security-updates", "type": "definition", "offset": [2344, 2360]}, {"key": "remote-access", "type": "definition", "offset": [2367, 2380]}, {"key": "critical-infrastructure", "type": "definition", "offset": [2412, 2435]}, {"key": "strong-authentication", "type": "definition", "offset": [2452, 2473]}], "size": 11, "snippet": "Data processing systems used to provide the Cloud Service must be prevented from being used without authorization. // \u30b7\u30b9\u30c6\u30e0\u30a2\u30af\u30bb\u30b9\u5236\u5fa1 \u300c\u30af\u30e9\u30a6\u30c9\u30b5\u30fc\u30d3\u30b9\u300d\u306e\u63d0\u4f9b\u306e\u305f\u3081\u306b\u4f7f\u7528\u3055\u308c\u308b\u30c7\u30fc\u30bf\u51e6\u7406\u30b7\u30b9\u30c6\u30e0\u3067\u306f\u3001\u6a29\u9650\u306e\u306a\u3044\u4f7f\u7528\u3092\u9632\u6b62\u3057\u306a\u3051\u308c\u3070\u306a\u3089\u306a\u3044\u3002 \u2022 Multiple authorization levels are used when granting access to sensitive systems, including those storing and processing Personal Data. Authorizations are managed via defined processes according to the SAP Security Policy // \u6a5f\u5bc6\u306b\u95a2\u3059\u308b\u30b7\u30b9\u30c6\u30e0\uff08\u300c\u500b\u4eba\u30c7\u30fc\u30bf\u300d\u306e\u683c\u7d0d\u53ca\u3073\u51e6\u7406\u3092\u884c\u3046\u30b7\u30b9\u30c6\u30e0\u3092\u542b\u3080\uff09\u306b\u5bfe\u3057\u3066\u30a2\u30af\u30bb\u30b9\u6a29\u3092\u4ed8\u4e0e\u3059\u308b\u969b\u306f\u3001\u8907\u6570\u306e\u6a29\u9650\u4ed8\u4e0e\u30ec\u30d9\u30eb\u304c\u7528\u3044\u3089\u308c\u308b\u3002\u6a29\u9650\u306f\u3001\u300cSAP \u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u30dd\u30ea\u30b7\u30fc\u300d\u306b\u5f93\u3063\u305f\u660e\u78ba\u306a\u30d7\u30ed\u30bb\u30b9\u3067\u7ba1\u7406\u3055\u308c\u308b\u3002 \u2022 All personnel access SAP\u2019s systems with a unique identifier (user ID). // \u3059\u3079\u3066\u306e\u8077\u54e1\u306f\u3001\u56fa\u6709\u306e\u8b58\u5225\u60c5\u5831\uff08\u30e6\u30fc\u30b6\u30fc ID\uff09\u3092\u4f7f\u7528\u3057\u3066\u3001SAP \u306e\u30b7\u30b9\u30c6\u30e0\u306b\u30a2\u30af\u30bb\u30b9\u3059\u308b\u3002 \u2022 SAP has procedures in place to so that requested authorization changes are implemented only in accordance with the SAP Security Policy (for example, no rights are granted without authorization). In case personnel leaves the company, their access rights are revoked. // SAP \u3067\u306f\u3001\u8981\u8acb\u3055\u308c\u305f\u6a29\u9650\u306e\u5909\u66f4\u304c\u3001\u300cSAP \u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u30dd\u30ea\u30b7\u30fc\u300d\u306b\u5f93\u3063\u3066\u306e\u307f\u5b9f\u884c\u3055\u308c\u308b\u3088\u3046\u306b\u3059\u308b\u624b\u7d9a\u304d\u304c\u5c0e\u5165\u3055\u308c\u3066\u3044\u308b \uff08\u305f\u3068\u3048\u3070\u3001\u627f\u8a8d\u306a\u3057\u306b\u3044\u304b\u306a\u308b\u6a29\u5229\u3082\u4ed8\u4e0e\u3055\u308c\u306a\u3044\u306a\u3069\uff09\u3002\u8077\u54e1\u304c\u9000\u8077\u3059\u308b\u5834\u5408\u3001\u305d\u306e\u30a2\u30af\u30bb\u30b9\u6a29\u306f\u53d6\u308a\u6d88\u3055\u308c\u308b\u3002 \u2022 SAP has established a password policy that prohibits the sharing of passwords, governs responses to password disclosure, and requires passwords to be changed on a regular basis and default passwords to be altered. Personalized user IDs are assigned for authentication. All passwords must fulfill defined minimum requirements and are stored in encrypted form. In the case of domain passwords, the system forces a password change every six months in compliance with the requirements for complex passwords. Each computer has a password-protected screensaver. // SAP \u3067\u306f\u3001\u30d1\u30b9\u30ef\u30fc\u30c9\u306e\u5171\u6709\u3092\u7981\u3058\u3001\u30d1\u30b9\u30ef\u30fc\u30c9\u306e\u958b\u793a\u306b\u5bfe\u3059\u308b\u5bfe\u5fdc\u3092\u5b9a\u3081\u308b\u3068\u3068\u3082\u306b\u3001\u5b9a\u671f\u7684\u306b\u30d1\u30b9\u30ef\u30fc\u30c9\u3092\u5909\u66f4\u3057\u30c7\u30d5\u30a9\u30eb\u30c8\u306e\u30d1\u30b9\u30ef\u30fc\u30c9\u306f\u5909\u66f4\u3059\u308b\u3053\u3068\u3092\u8981\u6c42\u3059\u308b\u3001\u30d1\u30b9\u30ef\u30fc\u30c9\u30dd\u30ea\u30b7\u30fc\u3092\u5b9a\u3081\u3066\u3044\u308b\u3002\u500b\u4eba\u5c02\u7528\u306e\u30e6\u30fc\u30b6\u30fc ID \u304c\u3001\u8a8d\u8a3c\u306e\u305f\u3081\u306b\u5272\u308a\u5f53\u3066\u3089\u308c\u308b\u3002\u3059\u3079\u3066\u306e\u30d1\u30b9\u30ef\u30fc\u30c9\u306f\u5b9a\u3081\u3089\u308c\u305f\u6700\u5c0f\u8981\u4ef6\u3092\u6e80\u305f\u3057\u3066\u3044\u306a\u3051\u308c\u3070\u306a\u3089\u305a\u3001\u6697\u53f7\u5316\u3055\u308c\u305f\u5f62\u5f0f\u3067\u4fdd\u5b58\u3055\u308c\u308b\u3002\u30c9\u30e1\u30a4\u30f3\u30d1\u30b9\u30ef\u30fc\u30c9\u306b\u3064\u3044\u3066\u306f\u3001\u30b7\u30b9\u30c6\u30e0\u306b\u3088\u308a\u30016 \u30ab\u6708\u3054\u3068\u306b\u3001\u8907\u96d1\u306a\u30d1\u30b9\u30ef\u30fc\u30c9\u306e\u8981\u4ef6\u306b\u5f93\u3063\u305f\u30d1\u30b9\u30ef\u30fc\u30c9\u306e\u5909\u66f4\u304c\u7fa9\u52d9\u4ed8\u3051\u3089\u308c\u308b\u3002\u5404\u30b3\u30f3\u30d4\u30e5\u30fc\u30bf\u30fc\u306b\u306f\u3001\u30d1\u30b9\u30ef\u30fc\u30c9\u3067\u4fdd\u8b77\u3055\u308c\u305f\u30b9\u30af\u30ea\u30fc\u30f3\u30bb\u30fc\u30d0\u30fc\u304c\u5099\u3048\u3089\u308c\u3066\u3044\u308b\u3002 \u2022 The company network is protected from the public network by firewalls. // \u4f1a\u793e\u306e\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u306f\u3001\u30d5\u30a1\u30a4\u30a2\u30a6\u30a9\u30fc\u30eb\u306b\u3088\u308a\u3001\u516c\u5171\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u304b\u3089\u4fdd\u8b77\u3055\u308c\u3066\u3044\u308b\u3002 \u2022 SAP uses up\u2013to-date antivirus software at access points to the company network (for e-mail accounts), as well as on all file servers and all workstations. // SAP \u306f\u3001\u4f1a\u793e\u306e\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u306b\u5bfe\u3059\u308b\u30a2\u30af\u30bb\u30b9\u30dd\u30a4\u30f3\u30c8\uff08\u96fb\u5b50\u30e1\u30fc\u30eb\u30a2\u30ab\u30a6\u30f3\u30c8\u7528\uff09\u306b\u52a0\u3048\u3066\u3001\u3059\u3079\u3066\u306e\u30d5\u30a1\u30a4\u30eb\u30b5\u30fc\u30d0\u30fc\u53ca\u3073\u3059\u3079\u3066\u306e\u30ef\u30fc\u30af\u30b9\u30c6\u30fc\u30b7\u30e7\u30f3\u3067\u3001\u6700\u65b0\u306e\u30a2\u30f3\u30c1\u30a6\u30a3\u30eb\u30b9\u30bd\u30d5\u30c8\u30a6\u30a7\u30a2\u3092\u4f7f\u7528\u3057\u3066\u3044\u308b\u3002 \u2022 Security patch management is implemented to provide regular and periodic deployment of relevant security updates. Full remote access to SAP\u2019s corporate network and critical infrastructure is protected by strong authentication. // \u95a2\u9023\u3059\u308b\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u30a2\u30c3\u30d7\u30c7\u30fc\u30c8\u306e\u5b9a\u671f\u7684\u306a\u30c7\u30d7\u30ed\u30a4\u30e1\u30f3\u30c8\u3092\u5b9f\u65bd\u3059\u308b\u305f\u3081\u306b\u3001\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u30d1\u30c3\u30c1\u7ba1\u7406\u304c\u5c0e\u5165\u3055\u308c\u3066\u3044\u308b\u3002SAP \u306e\u4f01\u696d\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u53ca\u3073\u91cd\u8981\u306a\u30a4\u30f3\u30d5\u30e9\u30b9\u30c8\u30e9\u30af\u30c1\u30e3\u30fc\u3078\u306e\u30d5\u30eb\u30ea\u30e2\u30fc\u30c8\u30a2\u30af\u30bb\u30b9\u306f\u3001\u5f37\u529b\u306a\u8a8d\u8a3c\u306b\u3088\u3063\u3066\u4fdd\u8b77\u3055\u308c\u3066\u3044\u308b\u3002", "hash": "3efffed75a75b7c48fdfc27a93644121", "id": 6}, {"samples": [{"hash": "jKkgHs175n", "uri": "/contracts/jKkgHs175n#system-access-control", "label": "Data Processing Agreement", "score": 21.9212875366, "published": true}, {"hash": "iKU7j7aKEvO", "uri": "/contracts/iKU7j7aKEvO#system-access-control", "label": "Data Processing Agreement", "score": 21.7885017395, "published": true}, {"hash": "1cUBlaqpGYy", "uri": "/contracts/1cUBlaqpGYy#system-access-control", "label": "Data Processing Agreement", "score": 21.4106769562, "published": true}], "snippet_links": [{"key": "other-controls", "type": "clause", "offset": [25, 39]}, {"key": "services-ordered", "type": "clause", "offset": [88, 104]}, {"key": "management-processes", "type": "clause", "offset": [223, 243]}, {"key": "for-cloud-services", "type": "clause", "offset": [286, 304]}, {"key": "by-oracle", "type": "clause", "offset": [364, 373]}, {"key": "data-centers", "type": "clause", "offset": [441, 453]}, {"key": "intrusion-detection-systems", "type": "clause", "offset": [510, 537]}], "size": 8, "snippet": "The following may, among other controls, be applied depending upon the particular Cloud Services ordered: authentication via passwords and/or two-factor authentication, documented authorization processes, documented change management processes, and logging of access on several levels. For Cloud Services hosted @Oracle: (i) log-ins to Cloud Services Environments by Oracle employees and Subprocessors are logged; (ii) logical access to the data centers is restricted and protected by firewall/VLAN; and (iii) intrusion detection systems, centralized logging and alerting, and firewalls are used.", "hash": "84887dedfc9ef367609bafa35400993d", "id": 7}, {"samples": [{"hash": "icHnNgGOE88", "uri": "/contracts/icHnNgGOE88#system-access-control", "label": "Data Processing Agreement", "score": 30.3674259186, "published": true}, {"hash": "joQwadtGPzZ", "uri": "/contracts/joQwadtGPzZ#system-access-control", "label": "Data Processing Agreement", "score": 23.1273097992, "published": true}], "snippet_links": [{"key": "data-processing-systems", "type": "clause", "offset": [96, 119]}, {"key": "to-provide-services", "type": "clause", "offset": [125, 144]}, {"key": "the-platform", "type": "definition", "offset": [148, 160]}, {"key": "data-center-facilities", "type": "clause", "offset": [202, 224]}, {"key": "host-software", "type": "definition", "offset": [261, 274]}, {"key": "based-on", "type": "definition", "offset": [278, 286]}, {"key": "access-rights", "type": "clause", "offset": [300, 313]}, {"key": "to-ensure", "type": "clause", "offset": [345, 354]}, {"key": "users-and-administrators", "type": "clause", "offset": [397, 421]}, {"key": "system-components", "type": "clause", "offset": [429, 446]}, {"key": "the-concept", "type": "clause", "offset": [451, 462]}, {"key": "least-privilege", "type": "definition", "offset": [466, 481]}, {"key": "user-accounts", "type": "definition", "offset": [579, 592]}, {"key": "access-privileges", "type": "clause", "offset": [734, 751]}, {"key": "on-a-regular-basis", "type": "definition", "offset": [765, 783]}, {"key": "appropriate-personnel", "type": "clause", "offset": [787, 808]}, {"key": "access-to-systems", "type": "clause", "offset": [813, 830]}, {"key": "employee-record", "type": "clause", "offset": [879, 894]}, {"key": "first-time", "type": "definition", "offset": [930, 940]}, {"key": "user-passwords", "type": "clause", "offset": [1033, 1047]}, {"key": "in-place", "type": "clause", "offset": [1185, 1193]}, {"key": "user-terminal", "type": "definition", "offset": [1220, 1233]}, {"key": "user-identification-and-password", "type": "clause", "offset": [1253, 1285]}, {"key": "restrict-access", "type": "clause", "offset": [1463, 1478]}, {"key": "computing-environment", "type": "definition", "offset": [1486, 1507]}, {"key": "configuration-files", "type": "clause", "offset": [1576, 1595]}], "size": 8, "snippet": "The following measures are implemented to protect against the unauthorized access to and use of data processing systems used to provide Services on the Platform:\na) User and administrator access to the data center facilities, servers, networking equipment, and host software is based on a role based access rights model. A unique ID is assigned to ensure proper user-authentication management for users and administrators on all system components.\nb) The concept of least privilege is employed, allowing only the necessary access for users to accomplish their job function. When user accounts are created, user accounts are created to have minimal access. Access above these least privileges requires appropriate authorization.\nc) IT access privileges are reviewed on a regular basis by appropriate personnel.\nd) Access to systems is revoked within a reasonable timeframe of the employee record being terminated (deactivated).\ne) First time passwords/passphrases are set to a unique value and changed immediately after first use.\nf) User passwords/passphrases are changed at least every 90 days and only allow complex passwords.\ng) Time stamped logging of security relevant actions is in place.\nh) Automatic time-out of user terminal if left idle, with user identification and password required to reopen.\ni) Assets (e.g. laptops) are configured with anti-virus software that includes e-mail filtering and malware detection.\nj) Firewall devices are configured to restrict access to the computing environment and enforce boundaries of computing clusters.\nk) Firewall policies (configuration files) are pushed to firewall devices on a regular basis.", "hash": "c229a8b197f1769eda94fb668830497a", "id": 8}], "next_curs": "Cl4SWGoVc35sYXdpbnNpZGVyY29udHJhY3RzcjoLEhZDbGF1c2VTbmlwcGV0R3JvdXBfdjU2Ih5zeXN0ZW0tYWNjZXNzLWNvbnRyb2wjMDAwMDAwMGEMogECZW4YACAA", "clause": {"size": 280, "title": "System Access Control", "parents": [["definitions", "Definitions"], ["technical-and-organizational-measures", "TECHNICAL AND ORGANIZATIONAL MEASURES"], ["data-integrity-control", "Data Integrity Control"], ["physical-access-control", "Physical Access Control"], ["miscellaneous", "Miscellaneous"]], "children": [], "id": "system-access-control", "related": [["data-access-control", "Data Access Control", "Data Access Control"], ["access-control", "Access Control", "Access Control"], ["system-access", "System Access", "System Access"], ["physical-access-control", "Physical Access Control", "Physical Access Control"], ["system-upgrade-facilities-and-system-deliverability-upgrades", "System Upgrade Facilities and System Deliverability Upgrades", "System Upgrade Facilities and System Deliverability Upgrades"]], "related_snippets": [], "updated": "2025-07-23T06:00:56+00:00", "also_ask": ["What minimum technical and procedural safeguards must be specified for robust system access control?", "How can parties negotiate audit and monitoring rights to ensure ongoing compliance?", "What are the most common legal pitfalls or ambiguities in system access control clauses?", "How do system access control requirements differ across key jurisdictions or regulatory regimes?", "What standards do courts use to assess the adequacy and enforceability of system access control provisions?"], "drafting_tip": "Specify user roles, restrict access levels, and require authentication protocols to protect sensitive data and prevent unauthorized system use.", "explanation": "The System Access Control clause defines the rules and requirements for granting, managing, and restricting access to a particular system or network. Typically, it outlines who is authorized to access the system, the procedures for assigning user credentials, and the security measures in place to prevent unauthorized entry, such as password policies or multi-factor authentication. This clause is essential for protecting sensitive data and ensuring that only approved individuals can interact with critical systems, thereby reducing the risk of data breaches and maintaining operational security."}, "json": true, "cursor": ""}}