Compliance with Security Standards. Vendor shall, upon request of NYC Health + Hospitals, provide evidence of on-going compliance with industry standard security controls related to:
5.1 Access Control, including identity and access management policies, practices, and technologies that support and ensure authorization, secure authentication, role-based access, auditable access, and timely access termination, as well as Vendor policies and procedures related to access control and identity management. For the solution delivered to the System, Vendor will additionally ensure standard federation or integration protocols are used for Active Directory (AD) authentication.
5.2 Asset management, including Vendor’s policies and procedures for “bring your own device” and personal device management procedures, and for data inventory, data flow, data classification, data labeling, and data handling (including disposal).
5.3 Business continuity and disaster recovery, including Vendor’s policies and procedures regarding data availability, data backup, data recovery, data retention and disaster recovery service levels, physical and environmental security to ensure that data center utilities are in optimal condition, secure, safeguarded against risks, monitored, maintained, redundant, and regularly tested. The policies and procedures shall ensure that the Vendor:
5.3.1 operates a mirror system at a hardened data center facility in the United States that is geographically remote from the primary system on which the subscription services are hosted (the “Secondary Backup Facility”).
5.3.2 conducts periodic backup of NYC Health + Hospitals data and stores such backup data in the Secondary Backup Facility.
5.4 Data protection, including Vendor’s policies and procedures that ensure that:
5.4.1 applications and programming applications and interfaces are designed, developed, deployed, and tested in accordance with leading industry standards and adhere to applicable legal, statutory, or regulatory compliance obligations;
5.4.2 data input and output integrity routines (i.e., reconciliation and edit checks) have been implemented for application interfaces and databases to prevent manual or systematic processing errors, corruption of data, or misuse, including encryption, penetration testing, vulnerability management, malicious code execution and data management solutions employed to ensure controlled access to data, to secure data while at rest, in transit and in use;
5.4.3 baseline security configurations are implemented along with documentation that demonstrates annual testing of same;
5.4.4 physical and logical architecture and configuration safeguards against unauthorized access of, intentional, or unintentional alteration of information technology resources; and
5.4.5 data can be provided in a structured and unstructured format in accordance with industry standards.
5.5 Incident management, including Vendor’s policies and procedures for incident management, including evidence of forensic procedures that support the ability to provide evidence to support discovery of potential legal action after a security incident.
5.6 Information security management, including documentation that demonstrates Vendor’s implementation of an information security management program and a control framework that is reviewed at least annually.
5.7 Vendor’s risk management and compliance policies and procedures, including audit plans, effectiveness of implemented security operations, and supported via independent audits that are performed at least annually.
5.8 Vendor’s service delivery program, including information technology governance and service management model that meet industry standards, as well as change control and configuration management policies and procedures that meet industry standards.
5.9 Vendor’s personnel security controls, including acceptable use policy, personnel screening and separation practices, sanction policy for Vendor Employees who have violated security policies and procedures, and a personnel security awareness training program.
Appears in 5 contracts
Samples: Standard Terms and Conditions, Standard Terms and Conditions, Standard Terms and Conditions
Compliance with Security Standards. Vendor shall, upon request of NYC Health + Hospitals, provide evidence of on-going compliance with industry standard security controls related to:
5.1 Access control, including identity and access management policies, practices, and technologies that support and ensure authorization, secure authentication, role-based access, auditable access, and timely access termination, as well as Vendor’s policies and procedures related to access control and identity management. For the solution delivered to the System, Vendor will additionally ensure standard federation or integration protocols are used for Active Directory (AD) authentication.
5.2 Asset management, including Vendor’s policies and procedures for “bring your own device” and personal device management procedures, and for data inventory, data flow, data classification, data labeling, and data handling (including disposal).
5.3 Business continuity and disaster recovery, including Vendor’s policies and procedures regarding data availability, data backup, data recovery, data retention and disaster recovery service levels, physical and environmental security to ensure that data center utilities are in optimal condition, secure, safeguarded against risks, monitored, maintained, redundant, and regularly tested. The policies and procedures shall ensure that the Vendor:
5.3.1 operates a mirror system at a hardened data center facility in the United States that is geographically remote from the primary system on which the subscription services are hosted (the “Secondary Backup Facility”).
5.3.2 conducts periodic backup of NYC Health + Hospitals data and stores such backup data in the Secondary Backup Facility.
5.4 Data protection, including Vendor’s policies and procedures that ensure that:
5.4.1 applications and programming applications and interfaces are designed, developed, deployed, and tested in accordance with leading industry standards and adhere to applicable legal, statutory, or regulatory compliance obligations;
5.4.2 data input and output integrity routines (i.e., reconciliation and edit checks) have been implemented for application interfaces and databases to prevent manual or systematic processing errors, corruption of data, or misuse, including encryption, penetration testing, vulnerability management, malicious code execution and data management solutions employed to ensure controlled access to data, to secure data while at rest, in transit and in use;
5.4.3 baseline security configurations are implemented along with documentation that demonstrates annual testing of same;
5.4.4 physical and logical architecture and configuration safeguards against unauthorized access of, intentional, or unintentional alteration of information technology resources; and
5.4.5 data can be provided in a structured and unstructured format in accordance with industry standards.
5.5 Incident management, including Vendor’s policies and procedures for incident management, including evidence of forensic procedures that support the ability to provide evidence to support discovery of potential legal action after a security incident.
5.6 Information security management, including documentation that demonstrates Vendor’s implementation of an information security management program and a control framework that is reviewed at least annually.
5.7 Vendor’s risk management and compliance policies and procedures, including audit plans, effectiveness of implemented security operations, and supported via independent audits that are performed at least annually.
5.8 Vendor’s service delivery program, including information technology governance and service management model that meet industry standards, as well as change control and configuration management policies and procedures that meet industry standards.
5.9 Vendor’s personnel security controls, including acceptable use policy, personnel screening and separation practices, sanction policy for Vendor Employees who have violated security policies and procedures, and a personnel security awareness training program.
Appears in 2 contracts
Samples: Standard Terms and Conditions, Standard Terms and Conditions
Compliance with Security Standards. Vendor shall, upon request of NYC Health + Hospitals, provide evidence of on-going compliance with industry standard security controls related to:
5.1 Access Control, including identity and access management policies, practices, and technologies that support and ensure authorization, secure authentication, role-based access, auditable access, and timely access termination, as well as Vendor policies and procedures related to access control and identity management. For the solution delivered to the System, Vendor will additionally ensure standard federation or integration protocols are used for Active Directory (AD) authentication.
5.2 Asset management, including Vendor’s policies and procedures for “bring your own device” and personal device management procedures, and for data inventory, data flow, data classification, data labeling, and data handling (including disposal).
5.3 Business continuity and disaster recovery, including Vendor’s policies and procedures regarding data availability, data backup, data recovery, data retention and disaster recovery service levels, physical and environmental security to ensure that data center utilities are in optimal condition, secure, safeguarded against risks, monitored, maintained, redundant, and regularly tested. The policies and procedures shall ensure that the Vendor:
5.3.1 operates a mirror system at a hardened data center facility in the United States that is geographically remote from the primary system on which the subscription services are hosted (the “Secondary Backup Facility”).
5.3.2 conducts periodic backup of NYC Health + Hospitals data and stores such backup data in the Secondary Backup Facility.
5.4 Data protection, including Vendor’s policies and procedures that ensure that:
5.4.1 applications and programming applications and interfaces are designed, developed, deployed, and tested in accordance with leading industry standards and adhere to applicable legal, statutory, or regulatory compliance obligations;
5.4.2 data input and output integrity routines (i.e., reconciliation and edit checks) have been implemented for application interfaces and databases to prevent manual or systematic processing errors, corruption of data, or misuse, including encryption, penetration testing, vulnerability management, malicious code execution and data management solutions employed to ensure controlled access to data, to secure data while at rest, in transit and in use;
5.4.3 baseline security configurations are implemented along with documentation that demonstrates annual testing of same;
5.4.4 physical and logical architecture and configuration safeguards against unauthorized access of, intentional, or unintentional alteration of information technology resources; and
5.4.5 data can be provided in a structured and unstructured format in accordance with industry standards.
5.5 Incident management, including Vendor’s policies and procedures for incident management, including evidence of forensic procedures that support the ability to provide evidence to support discovery of potential legal action after a security incident.
5.6 Information security management, including documentation that demonstrates Vendor’s implementation of an information security management program and a control framework that is reviewed at least annually.
5.7 Vendor’s risk management and compliance policies and procedures, including audit plans, effectiveness of implemented security operations, and supported via independent audits that are performed at least annually.
5.8 Vendor’s service delivery program, including information technology governance and service management model that meet industry standards, as well as change control and configuration management policies and procedures that meet industry standards.
5.9 Vendor’s personnel security controls, including acceptable use policy, personnel screening and separation practices, sanction policy for Vendor Employees who have violated security policies and procedures, and a personnel security awareness training program.
Appears in 1 contract
Samples: Standard Terms and Conditions