Communications and Operations Management a. Network Penetration Testing - DST shall, on approximately an annual basis, contract with an independent third party to conduct a network penetration test on its network having access to or holding or containing Fund Data. DST shall have a process to review and evaluate high risk findings resulting from this testing.
Communications and Operations Management a. Network Penetration Testing - Transfer Agent shall, on approximately an annual basis, contract with an independent third party to conduct a network penetration test on its network having access to or holding or containing Fund Data. Transfer Agent shall have a process to review and evaluate high risk findings resulting from this testing.
Communications and Operations Management. The IT organization manages changes to the corporate infrastructure, systems and applications through a centralized change management program, which may include, testing, business impact analysis and management approval, where appropriate. Incident response procedures exist for security and data protection incidents, which may include incident analysis, containment, response, remediation, reporting and the return to normal operations. To protect against malicious use of assets and malicious software, additional controls may be implemented, based on risk. Such controls may include, but are not limited to, information security practices and standards; restricted access; designated development and test environments; virus detection on servers, desktops and notebooks; virus email attachment scanning; system compliance scans; intrusion prevention monitoring and response; logging and alerting on key events; information handling procedures based on data type, e-commerce application and network security; and system and application vulnerability scanning.
Communications and Operations Management. C.5 USBFS must implement and maintain controls to prevent and detect unauthorized access, intrusions, computer viruses and other malware on its Information Systems. At a minimum these must include: • Client and server-side antivirus programs that includes the latest antivirus definitions; • A process that would install for production, within 30 days, any critical patches or security updates; • Hardening and configuration requirements meeting industry best practices, and the information security Common Control Framework (CCF), which supports information security compliance efforts at U.S. Bank, N.A. (the “Bank”) by simplifying communication of compliance requirements across numerous external authorities. The information security CCF is a set of 181 harmonized controls that represent the Bank’s information security obligations under FFIEC, PCI, NIST 800-53 rev. 3 and SOX. These controls serve as a foundational component of information security policy by providing the minimum set of external information security obligations that the Bank is required to implement to meet all legal, regulatory and contractual obligations. In addition, CCF establishes the evidence requirements control owners must maintain and produce to demonstrate a CCF control is in place.
Communications and Operations Management a. Network Penetration Testing - State Street will, on approximately an annual basis but in no event less frequently than every eighteen (18) months, contract with an independent third party to conduct a network penetration test on its network having access to or holding or containing Client Data. If penetration testing reveals material deficiencies or vulnerabilities, the findings will be risk rated consistent with industry standards and timeframes will be defined for remediating vulnerabilities (other than medium or low risk vulnerabilities) consistent with industry standards and taking into account any mitigation efforts taken by State Street with respect to such vulnerabilities
Communications and Operations Management. (a) Protections Against Malicious Code. OneStream will implement detection, prevention, and recovery controls designed to protect against Malicious Code, including, but not limited to:
Communications and Operations Management. Protections Against Malicious Code. Service Provider will implement detection, prevention, and recovery controls to protect against malicious software, which is no less than current industry best practice and perform appropriate employee training on the prevention and detection of malicious software. Back-ups. Service Provider will perform appropriate back-ups of Service Provider Information Processing Systems and media containing City Data every business day with end-of-month copy stored for 1-year in order ensuring services and service levels described in this Document. Service Provider maintains a plan for responding to a system emergency or other occurrence (for example, fire, vandalism, system failure and natural disaster) that damages systems that contain Sensitive Information and Internal Information. Media Handling. Service Provider will protect against unauthorized access or misuse of City Data contained on media. Media and Information Disposal. Service Provider will securely and safely dispose of media containing Sensitive Information: Maintaining a secured disposal log that provides an audit trail of disposal activities.
Communications and Operations Management. 8.1. All technology teams will maintain internal libraries of standard operating procedures that cover the installation, configuration. maintenance, and administration of the Agent systems. networks , and business applications.
Communications and Operations Management. Operational policy The processor maintains security documents describing its security measures and the relevant procedures and responsibilities of its personnel who have access to personal data. Data recovery procedures Backups are made continuously of all critical data and software, and everything is stored in the cloud by approved cloud vendors (sub-processors): - On an ongoing basis, to a specific point in time within 35 days for all Zensai- services, data processor maintains a full backup of personal data from which personal data can be recovered; - Monitoring of data recovery procedures are in place to timely detect and correct errors in the backup process; - In case of a disruption recovery, procedures are defined in an internal process for incident management; - The processor has specific procedures in place for governing access to copies of personal data. The processor ensures backups are not corrupt and can be used to restore data; - The processor reviews data recovery procedures at least every six months, except for data recovery procedures for Azure Government Services, which are reviewed every twelve months; and - The processor logs data restoration efforts, including the person responsible, the description of the restored data and, where applicable, the person responsible and which data (if any) had to be input manually in the data recovery process.
Communications and Operations Management. The operation of systems and applications that support the Lative Services are subject to documented operating procedures. • The operations team maintains hardened standard server configurations. Systems are deployed and configured in a uniform manner using configuration management systems. • Lative maintains change control programs for development, operations, and Information Technology teams. • Separate environments are maintained to allow for the testing of changes. • The organization maintains documented backup procedures. Full backups are performed daily for all production databases. Customer Content backups are transferred to an offsite location and stored encrypted for at least 30 days. • All systems and network devices are synchronized to a reliable/ and accurate time source via the “Network Time Protocol” (NTP) • All servers are configured to log authorized access, privileged operations (administrator actions), and unauthorized access attempts. All servers are logging executed commands via the sudo utility. • Log files are transmitted to and stored in a separate log server to protect against modification or loss. • All event-alerting tools escalate into pager notifications for the 24x7 incident response teams, providing Operations, Network Engineering, and the Security teams, as needed.
