Communications and Operations Management a. Network Penetration Testing - Transfer Agent shall, on approximately an annual basis, contract with an independent third party to conduct a network penetration test on its network having access to or holding or containing Fund Data. Transfer Agent shall have a process to review and evaluate high risk findings resulting from this testing.
Communications and Operations Management a. Network Penetration Testing - DST shall, on approximately an annual basis, contract with an independent third party to conduct a network penetration test on its network having access to or holding or containing Fund Data. DST shall have a process to review and evaluate high risk findings resulting from this testing.
Communications and Operations Management. The IT organization manages changes to the corporate infrastructure, systems and applications through a centralized change management program, which may include, testing, business impact analysis and management approval, where appropriate. Incident response procedures exist for security and data protection incidents, which may include incident analysis, containment, response, remediation, reporting and the return to normal operations. To protect against malicious use of assets and malicious software, additional controls may be implemented, based on risk. Such controls may include, but are not limited to, information security practices and standards; restricted access; designated development and test environments; virus detection on servers, desktops and notebooks; virus email attachment scanning; system compliance scans; intrusion prevention monitoring and response; logging and alerting on key events; information handling procedures based on data type, e-commerce application and network security; and system and application vulnerability scanning.
Communications and Operations Management. C.5 USBFS must implement and maintain controls to prevent and detect unauthorized access, intrusions, computer viruses and other malware on its Information Systems. At a minimum these must include: • Client and server-side antivirus programs that includes the latest antivirus definitions; • A process that would install for production, within 30 days, any critical patches or security updates; • Hardening and configuration requirements meeting industry best practices, and the information security Common Control Framework (CCF), which supports information security compliance efforts at U.S. Bank, N.A. (the “Bank”) by simplifying communication of compliance requirements across numerous external authorities. The information security CCF is a set of 181 harmonized controls that represent the Bank’s information security obligations under FFIEC, PCI, NIST 800-53 rev. 3 and SOX. These controls serve as a foundational component of information security policy by providing the minimum set of external information security obligations that the Bank is required to implement to meet all legal, regulatory and contractual obligations. In addition, CCF establishes the evidence requirements control owners must maintain and produce to demonstrate a CCF control is in place.
Communications and Operations Management. Protections Against Malicious Code. Service Provider will implement detection, prevention, and recovery controls to protect against malicious software, which is no less than current industry best practice and perform appropriate employee training on the prevention and detection of malicious software. Back-ups. Service Provider will perform appropriate back-ups of Service Provider Information Processing Systems and media containing City Data every business day with end-of-month copy stored for 1-year in order ensuring services and service levels described in this Document. Service Provider maintains a plan for responding to a system emergency or other occurrence (for example, fire, vandalism, system failure and natural disaster) that damages systems that contain Sensitive Information and Internal Information. Media Handling. Service Provider will protect against unauthorized access or misuse of City Data contained on media. Media and Information Disposal. Service Provider will securely and safely dispose of media containing Sensitive Information: Maintaining a secured disposal log that provides an audit trail of disposal activities.
Communications and Operations Management. 8.1. All technology teams will maintain internal libraries of standard operating procedures that cover the installation, configuration. maintenance, and administration of the Agent systems. networks , and business applications.
Communications and Operations Management. (a) Protections Against Malicious Code. OneStream will implement detection, prevention, and recovery controls designed to protect against Malicious Code, including, but not limited to:
Communications and Operations Management a. Network Penetration Testing - State Street will, on approximately an annual basis but in no event less frequently than every eighteen (18) months, contract with an independent third party to conduct a network penetration test on its network having access to or holding or containing Client Data. If penetration testing reveals material deficiencies or vulnerabilities, the findings will be risk rated consistent with industry standards and timeframes will be defined for remediating vulnerabilities (other than medium or low risk vulnerabilities) consistent with industry standards and taking into account any mitigation efforts taken by State Street with respect to such vulnerabilities
Communications and Operations Management. The IT organization manages changes to the corporate infrastructure, systems and applications through a centralized change management program, which may include, testing, business impact analysis and management approval, where appropriate. Incident response procedures exist for security and data protection incidents, which may include incident analysis, containment, response, remediation, reporting and the return to normal operations. To protect against malicious use of assets and malicious software, additional controls may be implemented, based on risk. Such controls may include, but are not limited to, information security practices and standards; restricted access; designated development and test environments; virus detection on servers, desktops and notebooks; virus email attachment scanning; system compliance scans; intrusion prevention monitoring and response; logging and alerting on key events; information handling procedures based on data type, e- commerce application and network security; and system and application vulnerability scanning. Access Controls Access to corporate systems is restricted, based on procedures to ensure appropriate approvals. To reduce the risk of misuse, intentional or otherwise, access is provided based on segregation of duties and least privileges. Remote access and wireless computing capabilities are restricted and require that both user and system safeguards are in place. Specific event logs from key devices and systems are centrally collected and reported on an exceptions basis to enable incident response and forensic investigations. System Development and Maintenance Publicly released third party vulnerabilities are reviewed for applicability in the Secureworks environment. Based on risk to Secureworks’ business and customers, there are pre-determined timeframes for remediation. In addition, vulnerability scanning and assessments are performed on new and key applications and the infrastructure based on risk. Code reviews and scanners are used in the development environment prior to production to proactively detect coding vulnerabilities based on risk. These processes enable proactive identification of vulnerabilities as well as compliance.
Communications and Operations Management. ● The operation of systems and applications that support the Service is subject to documented operating procedures. ● The System Administration team maintains standard server configurations. ● Separate environments are maintained to allow for the testing of changes. ● Third-party access to MaxMind systems is regularly audited. ● The organization maintains documented backup procedures. Full backups are performed regularly for all production databases. Data backups are transferred to an offsite location on a regular schedule and are stored encrypted. ● All systems and network devices are synchronized to a reliable and accurate time source via the “Network Time Protocol” (NTP). ● All high priority event-alerting tools escalate into notifications for MaxMind’s 24x7 incident response teams, providing the System Administration team with alerts, as needed.
