Common use of Electronic Security Requirements Clause in Contracts

Electronic Security Requirements. a. The Requestor, by this agreement, certifies it has an information security program in place that follow current industry design and best practices, including, but not limited to those published by The National Institute of Standards & Technology (NIST), the SANS (SysAdmin, Audit, Network, Security (SANS) Institute), and other recognized bodies to prevent unauthorized electronic access to RMV data or to its database. b. For All Requestors , using any Access Method, Requestor agrees, at a minimum, to do the following: i. Have written procedures in place to insure the electronic safety, physical security and confidentiality of RMV data in accordance with paragraph 10 of this Agreement; ii. Have written procedures in place that insure RMV data is accessed only for permitted uses under the DPPA and consistent with paragraph 10 of this Agreement. c. For Requestors Who Select Web Services or SFTP Option under Paragraph 3. Requestor agrees to do the following: i. Assign a unique ID to each end user who will access RMV data. ii. Implement written password policies and procedures that follow current industry design and best practices such as: 1. those published by The National Institute of Standards & Technology (currently SP800-63b section 5); 2. the SANS (SysAdmin, Audit, Network, Security Institute) Password Construction Guidelines (currently SANS document section 4)and 3. those published by other recognized bodies such as IRS1075 (currently section 9.3.7.5). SAMPLE FOR REVIEW ONLY iii. The standards referenced in subsection ii above must be designed to prevent unauthorized access to RMV data or to its database. iv. Deactivate the unique ID immediately when the end user leaves the Requestor’s employment or when the ID has not been used for a period of 90 days. v. Maintain an electronic log of all transactions with the RMV for 5 years. The log shall contain all the transactions performed by each end user including the end user’s unique ID (if applicable), the end-user’s full name, date and time of each transaction performed and/or inquiry. vi. Respond within 3 business days to the RMV’s request to review a specific transaction or series of transactions including the end user’s name, unique ID, dates, times and reason for the transaction(s). The RMV may, but is not required, to inform the Requestor as to its reason for the request. vii. Failure to comply with subsections i-vi above may result in termination of the Agreement under the provisions of paragraph 12.

Electronic Security Requirements. a. The Requestor, by this agreement, certifies it has an information security program in place that follow current industry design and best practices, including, but not limited to those published by The National Institute of Standards & Technology (NIST), the SANS (SysAdmin, Audit, Network, Security (SANS) Institute), and other recognized bodies to prevent unauthorized electronic access to RMV data or to its database. b. For All Requestors , using any Access Method, Requestor agrees, at a minimum, agrees to do the following: i. Have written procedures in place to insure the electronic safety, physical security and confidentiality of RMV data in accordance with paragraph 10 of this Agreement; ii. Have written procedures in place that insure RMV data is accessed only for permitted uses under the DPPA and consistent with paragraph 10 of this Agreement. c. For Requestors Who Select Web Services or SFTP Option under Under Paragraph 3. Requestor agrees to do the following: i. Assign a unique ID to each end user who will access RMV data. ii. Implement written password policies and procedures that follow current industry design and best practices such as: 1. a. those published by The National Institute of Standards & Technology (currently SP800-63b section 5); 2. b. the SANS (SysAdmin, Audit, Network, Security Institute) Password Construction Guidelines (currently SANS document section 4)and 3. c. those published by other recognized bodies such as IRS1075 (currently section 9.3.7.5). SAMPLE FOR REVIEW ONLY . iii. The standards referenced in subsection ii above must be designed to prevent unauthorized access to RMV data or to its database. iv. Deactivate the unique ID immediately when the end user leaves the Requestor’s employment or when the ID has not been used for a period of 90 days. v. Maintain an electronic log of all transactions with the RMV for 5 years. The log shall contain all the transactions performed by each end user including the end user’s unique ID (if applicable), the end-user’s full name, date and time of each transaction performed and/or inquiry. vi. Respond within 3 business days to the RMV’s request to review a specific transaction or series of transactions including the end user’s name, unique ID, dates, times and reason for the transaction(s). The RMV may, but is not required, to inform the Requestor as to its reason for the request. vii. Failure to comply with subsections i-vi above may result in termination of the Agreement under the provisions of paragraph 12.

Electronic Security Requirements. a. The Requestor, by this agreement, certifies it has and its authorized end users have an information security program in place that follow current industry design and best practices, including, but not limited to those published by The National Institute of Standards & Technology (NIST), the SANS (SysAdmin, Audit, Network, Security (SANS) Institute), and other recognized bodies to prevent unauthorized electronic access to RMV data or to its database. b. For All Requestors , using any Access Method, Requestor agreesagrees that it and its authorized end users, at a minimum, to will do the following: i. Have written procedures in place to insure ensure the electronic safety, physical security and confidentiality of RMV data in accordance with paragraph 10 of this Agreement; ii. Have written procedures in place that insure ensure RMV data is accessed only for permitted uses under the DPPA and consistent with paragraph 10 of this Agreement. c. For Requestors Who Select Web Services or SFTP Option under Paragraph 3. Requestor agrees to do the following: i. Assign a unique ID to each end user who will access RMV data. ii. Implement and ensure that any authorized end users implement written password policies and procedures that follow current industry design and best practices such as: 1. those published by The National Institute of Standards & Technology (currently SP800-63b section 5); 2. the SANS (SysAdmin, Audit, Network, Security Institute) Password Construction Guidelines (currently SANS document section 4)and 4) and 3. those published by other recognized bodies such as IRS1075 (currently section 9.3.7.5). SAMPLE FOR REVIEW ONLY . iii. The standards referenced in subsection ii above must be designed to prevent unauthorized access to RMV data or to its database. iv. Deactivate the unique ID immediately when the end user leaves the Requestor’s employment or when the ID has not been used for a period of 90 days. v. Maintain an electronic log of all transactions with the RMV for 5 years. The log shall contain all the transactions performed by each end user including the end user’s unique ID (if applicable), the end-user’s full name, date and time of each transaction performed and/or inquiry. vi. Respond within 3 business days to the RMV’s request to review a specific transaction or series of transactions including the end user’s name, unique ID, dates, times and reason for the transaction(s). The RMV may, but is not required, to inform the Requestor as to its reason for the request. vii. Failure to comply with subsections i-vi above may result in termination of the Agreement under the provisions of paragraph 12.

Electronic Security Requirements. a. The Requestor, by this agreement, certifies it has an information security program in place that follow current industry design and best practices, including, but not limited to those published by The National Institute of Standards & Technology (NIST), the SANS (SysAdmin, Audit, Network, Security (SANS) Institute), and other recognized bodies to prevent unauthorized electronic access to RMV data or to its database. b. For All Requestors , using any Access Method, Requestor agrees, at a minimum, to do the following: i. Have written procedures in place to insure the electronic safety, physical security and confidentiality of RMV data in accordance with paragraph 10 of this Agreement; ii. Have written procedures in place that insure RMV data is accessed only for permitted uses under the DPPA and consistent with paragraph 10 of this Agreement. c. For Requestors Who Select Web Services or SFTP Option under Paragraph 3. Requestor agrees to do the following: i. Assign a unique ID to each end user who will access RMV data. ii. Implement written password policies and procedures that follow current industry design and best practices such as: 1. those published by The National Institute of Standards & Technology (currently SP800-63b section 5); 2. the SANS (SysAdmin, Audit, Network, Security Institute) Password Construction Guidelines (currently SANS document section 4)and 3. those published by other recognized bodies such as IRS1075 (currently section 9.3.7.5). SAMPLE FOR REVIEW ONLY . iii. The standards referenced in subsection ii above must be designed to prevent unauthorized access to RMV data or to its database. iv. Deactivate the unique ID immediately when the end user leaves the Requestor’s employment or when the ID has not been used for a period of 90 days. v. Maintain an electronic log of all transactions with the RMV for 5 years. The log shall contain all the transactions performed by each end user including the end user’s unique ID (if applicable), the end-user’s full name, date and time of each transaction performed and/or inquiry. vi. Respond within 3 business days to the RMV’s request to review a specific transaction or series of transactions including the end user’s name, unique ID, dates, times and reason for the transaction(s). The RMV may, but is not required, to inform the Requestor as to its reason for the request. vii. Failure to comply with subsections i-vi above may result in termination of the Agreement under the provisions of paragraph 12.