Data and Network Security.

11.7.1 Contractor is responsible for providing network security and security for such of its facilities where its servers or other network equipment are located. Contractor shall also comply with its own then-current security policies and procedures, and its security policies and procedures shall comply with laws and regulations applicable to Contractor.

11.7.2 If, during the course of this Agreement, Contractor is creating, hosting, maintaining, processing or transmitting any State Confidential Information on or through any Contractor computer networks, data centers, labs, supporting environments, Web servers or other information technology resources (collectively "Contractor Computer Systems"), or is otherwise using any Contractor Computer Systems in connection with this Agreement, then with respect to all such Contractor Computer Systems, Contractor will, in accordance with industry best practices or higher standards that are in all cases no less than reasonable:

(a) Limit physical and electronic access to Contractor's employees and essential third-party contractors, on a need-to-access basis, who have signed a written agreement that is at least as protective of the confidentiality and security of State Confidential Information as those provided in this Agreement;

(b) Implement and maintain technical access controls that, at a minimum, require unique identification and authentication of all users, restrict access to all data, software, or other file-system objects exclusively to those users who need such access to perform their job responsibilities, and limit administrator-level control to only authorized IT personnel;

(c) Implement and maintain transmission controls that, at a minimum, allow only the data protocols required for the function and management of each solution to be used or transmitted and ensure the confidentiality, availability, and integrity of all transmissions;

(d) Implement and maintain firewall technology and intrusion detection software configured to minimize or eliminate hacking and other threats;

(e) Implement and maintain protection against viruses, worms, Trojan horses, spyware, and other malicious code;

(f) Perform routine reviews of log files and system records for suspicious activity;

(g) Perform regular reviews of relevant security notifications and alerts (e.g., notifications of bugs, attacks, and patches), and apply such patches and fixes as appropriate;

(h) Implement and maintain disaster recovery, backup, and other contingency plans; and

(i) Conduct regular security audits, reviews, and tests and systematically retain log files, system records, test plans, and other security documentation.

11.7.3 Contractor shall notify State immediately upon discovery or notification of any actual, potential or threatened Security Breach. Contractor agrees to take action immediately, at its own expense, to identify and eradicate (or to equip State to identify and eradicate) any further Security Breach and carry out any recovery necessary to remedy any impact of such Security Breach. Contractor's actions will include at a minimum:

(a) Confirming the attack;

(b) Denying access from the source of the attack;

(c) Investigating and evaluating the extent of the damage, if any;

(d) Backing up the affected systems and those suspected to be affected;

(e) Strengthening defenses everywhere, not just the suspected path that the attacker used, if possible;

(f) Contacting Contractor's internet service provider and, subject to State's prior written approval, any law enforcement agency to work with Contractor's security team; and

(g) Producing an incident report within twenty-four (24) hours detailing Contractor's findings and distributing the report to State.