Common use of Data and System Access Controls Clause in Contracts

Data and System Access Controls. Vendor will maintain and enforce policies and controls that include, without limitation, role based permissions for access to University Data (using a principle of minimization), restrictions on copying or removing data from an authorized network or system, strong password protocols (i.e. complexity requirements, mandatory changes, restrictions on sharing, etc.), and multi-factor authentication or equivalent protections for any remote access to Vendor’s network or systems. Vendor will trace approved access to ensure proper usage and accountability, and the Vendor will make such information available to the University for review, upon the University’s request and not later than five (5) business days after the request is made in writing. Availability Control. Vendor will take industry-standard steps to ensure that University Data is available when requested by University. Additionally, Vendor must take steps to protect against accidental destruction or loss of University Data, including, without limitation, anti-virus software; firewalls; network segmentation; user of content filter/proxies; interruption-free power supply; threat detection and prevention; regular generation of and testing of back-ups; hard disk mirroring where required; fire safety system; water protection systems where appropriate; business continuity and emergency plans; and air-conditioned server rooms.