HANDLING OF CONFIDENTIAL INFORMATION. Provider shall protect against the unauthorized access, use or disclosure of Confidential Information by employing security measures that are no less protective as those used to protect Provider’s own confidential information. When handling Confidential Information, which may include but is not limited to Student Data, Provider shall:
i. When mailing physical copies of Confidential Information, send the Confidential Information in a tamper-proof, labeled container, with a tracking number and a delivery confirmation receipt;
ii. Not store any Confidential Information on portable or removable electronic media, such as CDs, DVDs, electronic tape, flash drives, etc.;
iii. Not leave Confidential Information in any medium unsecured and unattended at any time;
iv. Keep all physical copies (paper, portable or removable electronic media, or other physical representations) of Confidential Information under lock and key, or otherwise have sufficient physical access control measures to prevent unauthorized access;
v. Password protect any laptop or other electronic device that contains Confidential Information. Additionally, any laptop or other electronic device that contains Confidential Information shall have its full hard drive encrypted with an encryption key of no less than 256 bits. Provider shall not leave any laptop or other electronic device unattended without enabling a screen-lock or otherwise blocking access to the laptop or other electronic device. Provider shall ensure that no password or other information sufficient to access a laptop or electronic device containing Confidential Information is attached to or located near the laptop or other electronic device at any time.
vi. Secure the Confidential Information stored on its systems, including but not limited to any servers, by employing adequate security measures to prevent unauthorized access, disclosure and use of that information. These measures include appropriate administrative, physical, and technical safeguards, policies and procedures relating to data access controls. All Confidential Information must be secured in transit using secure FTP services or https/TLS 1.0+. Provider must maintain industry recognized security practices to establish secure application(s), network, and infrastructure architectures.
vii. Ensure that the manner in which Confidential Information is collected, accessed, used, stored, processed, disposed of and disclosed within Provider’s Products, Services, and supporting enterprise complies with applicable data protection and privacy laws, as well as the terms and conditions of this Agreement.
viii. Conduct periodic risk assessments and remediate any identified security vulnerabilities in a timely manner. Provider will also have a written incident response plan, to include prompt notification of the Board in the event of a security or privacy incident, as well as best practices for responding to a breach of Confidential Information security practices. Provider agrees to share its incident response plan upon request.
ix. Assure that its systems, Products and Services include at least the following safeguards:
1. Include component and system level fault tolerance and redundancy in system design.
2. Encrypt user passwords in any data storage location and obfuscate password entry fields in any entry interface controlled by the discloser.
3. Encrypt Confidential Information at-rest and in-transit.
4. Authentication of users at login with a 256-bit or higher encryption algorithm.
5. Secure transmission of login credentials.
6. Automatic password change routine.
7. Trace user system access via a combination of system logs and Google Analytics.
8. Secure (encrypt) the audit trails and system generated logs and ensure that they are stored in locations that are inaccessible to automated content discovery software.
9. Conduct or undergo system level testing whenever new functionalities are added to the system to reconfirm system security measures are retained and functional, and that interaction with the Board systems is not degraded or compromised.
10. Employ an in-line intrusion protection system that inspects incoming data transmissions.
11. Prevention of hostile or unauthorized intrusion.
12. Backup of all Confidential Information at least once every twenty-four (24) hours. Perform content snapshots at least daily and retain for at least ninety (90) days.
x. Confidential Information shall be stored, backed up, and served only on servers located in the continental United States. Provider’s network where Confidential Information may be stored shall have an in-line intrusion prevention system that inspects incoming data transmissions. Provider shall have a documented disaster recovery plan for the electronic systems where Confidential Information may be stored. Data stored in cloud-based systems must be protected in the same manner as local data as described throughout the Agreement.
Appears in 24 contracts
Samples: Ed Tech Services and Data Sharing Agreement, Ed Tech Services and Data Sharing Agreement, Ed Tech Services and Data Sharing Agreement
HANDLING OF CONFIDENTIAL INFORMATION. Provider shall protect against the unauthorized access, use or disclosure of Confidential Information by employing security measures that are no less protective as those used to protect Provider’s own confidential information. When handling Confidential Information, which may include but is not limited to student data, Provider shall:
A. When mailing physical copies of Confidential Information, send the Confidential Information in a tamper-proof, labeled container, with a tracking number and a delivery confirmation receipt;
B. Not store any Confidential Information on portable or removable electronic media, such as CDs, DVDs, electronic tape, flash drives, etc.;
C. Not leave Confidential Information in any medium unsecured and unattended at any time;
D. Keep all physical copies (paper, portable or removable electronic media, or other physical representations) of Confidential Information under lock and key, or otherwise have sufficient physical access control measures to prevent unauthorized access;
E. Password protect any laptop or other electronic device that contains Confidential Information. Additionally, any laptop or other electronic device that contains Confidential Information shall have its full hard drive encrypted with an encryption key of no less than 256 bits. Provider shall not leave any laptop or other electronic device unattended without enabling a screen-lock or otherwise blocking access to the laptop or other electronic device. Provider shall ensure that no password or other information sufficient to access a laptop or electronic device containing Confidential Information is attached to or located near the laptop or other electronic device at any time.
F. Secure the Confidential Information stored on its systems, including but not limited to any servers, by employing adequate security measures to prevent unauthorized access, disclosure and use of that information. These measures include appropriate administrative, physical, and technical safeguards, policies and procedures relating to data access controls. All Confidential Information must be secured in transit using secure FTP services or https/TLS 1.0+. Provider must maintain industry recognized security practices to establish secure application(s), network, and infrastructure architectures.
G. Ensure that the manner in which Confidential Information is collected, accessed, used, stored, processed, disposed of and disclosed within Provider’s Products, Services, and supporting enterprise complies with applicable data protection and privacy laws, as well as the terms and conditions of this Agreement.
H. Conduct periodic risk assessments and remediate any identified security vulnerabilities in a timely manner. Provider will also have a written incident response plan, to include prompt notification of the Board in the event of a security or privacy incident, as well as best practices for responding to a breach of Confidential Information security practices. Provider agrees to share its incident response plan upon request.
I. Ensure that its systems and Services include at least the following safeguards:
1. Include component and system level fault tolerance and redundancy in system design.
2. Encrypt user passwords in any data storage location and obfuscate password entry fields in any entry interface controlled by the discloser.
3. Encrypt Confidential Information at-rest and in-transit.
4. Authentication of users at login with a 256-bit or higher encryption algorithm.
5. Secure transmission of login credentials.
6. Automatic password change routine.
7. Trace user system access via a combination of system logs and Google Analytics.
8. Secure (encrypt) the audit trails and system generated logs and ensure that they are stored in locations that are inaccessible to automated content discovery software.
9. Conduct or undergo system level testing whenever new functionalities are added to the system to reconfirm system security measures are retained and functional, and that interaction with the Board systems is not degraded or compromised.
10. Employ an in-line intrusion protection system that inspects incoming data transmissions.
11. Prevention of hostile or unauthorized intrusion.
12. Backup of all Confidential Information at least once every twenty-four (24) hours. Perform content snapshots at least daily and retain for at least ninety (90) days.
J. Confidential Information shall be stored, backed up, and served only on servers located in the continental United States. Provider’s network where Confidential Information may be stored shall have an in-line intrusion prevention system that inspects incoming data transmissions. Provider shall have a documented disaster recovery plan for the electronic systems where Confidential Information may be stored. Data stored in cloud-based systems must be protected in the same manner as local data as described throughout the Agreement.
Appears in 7 contracts
Samples: Safe Passage Services Agreement, Safe Passage Services Agreement, Safe Passage Services Agreement
HANDLING OF CONFIDENTIAL INFORMATION. Vendor shall protect against the unauthorized access, use or disclosure of Confidential Information by employing security measures when handling Confidential Information that are no less protective as those used to protect Vendor’s own confidential information and at least as secure as the following. When handling Confidential Information, which may include but is not limited to Student Data, Vendor shall:
A. When mailing physical copies of Confidential Information, send the Confidential Information in a tamper-proof, labeled container, with a tracking number and a delivery confirmation receipt. Proposer shall not send with encrypted Confidential Information, via mail or electronically, any password or other information sufficient to allow decryption.
B. Not store any Confidential Information on portable or removable electronic media, such as CDs, DVDs, electronic tape, flash drives, etc.;
C. Not leave Confidential Information in any medium unsecured and unattended at any time.
D. Keep all physical copies (paper, portable or removable electronic media, or other physical representations) of Confidential Information under lock and key, or otherwise have sufficient physical access control measures to prevent unauthorized access.
E. Password protect any laptop or other electronic device that contains Confidential Information. Additionally, any laptop or other electronic device that contains Confidential Information shall have its full hard drive encrypted with an encryption key of no less than 256 bits. Vendor shall not leave any laptop or other electronic device unattended without enabling a screen-lock or otherwise blocking access to the laptop or other electronic device. Vendor shall ensure that no password or other information sufficient to access a laptop or electronic device containing Confidential Information is attached to or located near the laptop or other electronic device at any time.
F. Secure the Confidential Information stored on its systems, including but not limited to any servers, by employing adequate security measures to prevent unauthorized access to, disclosure and use of that information. These measures include appropriate administrative, physical, and technical safeguards, policies, procedures, and technical elements relating to data access controls. All Confidential Information must be secured in transit using secure FTP services or https/TLS 1.0+. Vendor must maintain industry recognized security practices to establish secure application(s), network, and infrastructure architectures.
G. Ensure that the manner in which Confidential Information is collected, accessed, used, stored, processed, disposed of and disclosed within Vendor’s Products, Services and supporting enterprise complies with applicable data protection and privacy laws, as well as the terms and conditions of the Contract.
H. Conduct periodic risk assessments and remediate any identified security vulnerabilities in a timely manner. Vendor will also have a written incident response plan, to include prompt notification of the Board in the event of a security or privacy incident, as well as best practices for responding to a breach of Confidential Information security practices. Vendor agrees to share its incident response plan upon request.
I. Assure that its systems, Products and Services include at least the following safeguards:
1. Include component and system level fault tolerance and redundancy in system design.
2. Encrypt user passwords in any data storage location and obfuscate password entry fields in any entry interface controlled by the discloser.
3. Encrypt Confidential Information at rest and in transit.
4. Authentication of users at logins with a 256-bit or higher encryption algorithm.
5. Secure transmission of login credentials.
6. Automatic password change routine.
7. Trace user system access via a combination of system logs and Google Analytics.
8. Secure (encrypt) the audit trails and system generated logs and ensure that they are stored in locations that are inaccessible to automated content discovery software.
9. Conduct or undergo system level testing whenever new functionalities are added to the system to reconfirm system security measures are retained and functional, and that interaction with the Board systems is not degraded or compromised.
10. Employ an in-line intrusion prevention system that inspects incoming data transmissions.
11. Prevention of hostile and unauthorized intrusion.
12. Backup of all Confidential Information at least once every twenty-four (24) hours. Perform content snapshots at least daily and retain for at least ninety (90) days.
J. Confidential Information shall be stored, backed up, and served only on servers located in the continental United States. Vendor’s network where Confidential Information may be stored shall have an in-line intrusion prevention system that inspects incoming data transmissions. Vendor shall have a documented disaster recovery plan for the electronic systems where Confidential Information may be stored. Data stored in cloud-based systems must be protected in the same manner as local data as described throughout the Contract.
Appears in 2 contracts
Samples: Paratransit and Alternate Modes of Student Transportation Services Agreement, Paratransit and Alternate Modes of Student Transportation Services Agreement
HANDLING OF CONFIDENTIAL INFORMATION. Vendor shall protect against the unauthorized access, use or disclosure of Confidential Information by employing security measures that are no less protective as those used to protect Vendor’s own confidential information. When handling Confidential Information which may include, but is not limited to Student Data, Vendor shall:
A. When mailing physical copies of Confidential Information, send the Confidential Information in a tamper-proof, labeled container, with a tracking number and a delivery confirmation receipt;
B. Not store any Confidential Information on portable or removable electronic media, such as CDs, DVDs, electronic tape, flash drives, etc.;
C. Not leave Confidential Information in any medium unsecured and unattended at any time;
D. Keep all physical copies (paper, portable or removable electronic media, or other physical representations) of Confidential Information under lock and key, or otherwise have sufficient physical access control measures to prevent unauthorized access;
E. Password protect any laptop or other electronic device that contains Confidential Information. Additionally, any laptop or other electronic device that contains Confidential Information shall have its full hard drive encrypted with an encryption key of no less than 256 bits. Vendor shall not leave any laptop or other electronic device unattended without enabling a screen-lock or otherwise blocking access to the laptop or other electronic device. Vendor shall ensure that no password or other information sufficient to access a laptop or electronic device containing Confidential Information is attached to or located near the laptop or other electronic device at any time;
F. Secure the Confidential Information stored on its systems, including but not limited to any servers, by employing adequate security measures to prevent unauthorized access to, disclosure and use of that information. These measures include appropriate administrative, physical, and technical safeguards, policies, procedures, and technical elements relating to data access controls. All Confidential Information must be secured in transit using secure FTP services or https/TLS 1.0+. Vendor must maintain industry recognized security practices to establish secure application(s), network, and infrastructure architectures;
G. Ensure that the manner in which Confidential Information is collected, accessed, used, stored, processed, disposed of and disclosed within Vendor’s Products, Services and supporting enterprise complies with applicable data protection and privacy laws, as well as the terms and conditions of the Agreement;
H. Conduct periodic risk assessments and remediate any identified security vulnerabilities in a timely manner. Vendor will also have a written incident response plan, to include prompt notification of the Board in the event of a security or privacy incident, as well as best practices for responding to a breach of Confidential Information security practices. Vendor agrees to share its incident response plan upon request;
I. Ensure that its systems and Services include at least the following safeguards, where applicable:
1. Include component and system level fault tolerance and redundancy in system design;
2. Encrypt user passwords in any data storage location and obfuscate password entry fields in any entry interface controlled by the Vendor;
3. Encrypt Confidential Information at rest and in transit;
4. Authentication of users at logins with a 256-bit or higher encryption algorithm;
5. Secure transmissions of login credentials;
6. Automatic password change routine;
7. Trace user system access via a combination of system logs and Google Analytics;
8. Secure (encrypt) the audit trails and system generated logs and ensure that they are stored in locations that are inaccessible to automated content discovery software;
9. Conduct or undergo system level testing whenever new functionalities are added to the system to reconfirm system security measures are retained and functional, and that interaction with the Board systems is not degraded or compromised;
10. Employ an in-line intrusion prevention system that inspects incoming data transmissions;
11. Prevention of hostile and unauthorized intrusion; and
12. Backup of all Confidential Information at least once every twenty-four (24) hours. Perform content snapshots at least daily and retain for at least ninety (90) days.
J. Confidential Information shall be stored, backed up, and served only on servers located in the continental United States. Vendor’s network where Confidential Information may be stored shall have an in-line intrusion prevention system that inspects incoming data transmissions. Vendor shall have a documented disaster recovery covered plan for the electronic systems where Confidential Information may be stored. Data stored in cloud-based systems must be protected in the same manner as local data as described throughout the Agreement. Also, the prior approval of the Board’s ITS Program Manager or designee for any hosting solution may be required.
Appears in 2 contracts
Samples: Services Agreement, Services Agreement
HANDLING OF CONFIDENTIAL INFORMATION. Provider shall protect against the unauthorized access, use or disclosure of Confidential Information by employing security measures that are no less protective as those used to protect Provider's own confidential information. When handling Confidential Information, which may include but is not limited to Student Data, Provider shall:
i. When mailing physical copies of Confidential Information, send the Confidential Information in a tamper-proof, labeled container, with a tracking number and a delivery confirmation receipt;
ii. Not store any Confidential Information on portable or removable electronic media, such as CDs, DVDs, electronic tape, flash drives, etc.;
iii. Not leave Confidential Information in any medium unsecured and unattended at any time;
iv. Keep all physical copies (paper, portable or removable electronic media, or other physical representations) of Confidential Information under lock and key, or otherwise have sufficient physical access control measures to prevent unauthorized access;
v. Password protect any laptop or other electronic device that contains Confidential Information. Additionally, any laptop or other electronic device that contains Confidential Information shall have its full hard drive encrypted with an encryption key of no less than 256 bits. Provider shall not leave any laptop or other electronic device unattended without enabling a screen-lock or otherwise blocking access to the laptop or other electronic device. Provider shall ensure that no password or other information sufficient to access a laptop or electronic device containing Confidential Information is attached to or located near the laptop or other electronic device at any time.
vi. Secure the Confidential Information stored on its systems, including but not limited to any servers, by employing adequate security measures to prevent unauthorized access, disclosure and use of that information. These measures include appropriate administrative, physical, and technical safeguards, policies and procedures relating to data access controls. All Confidential Information must be secured in transit using secure FTP services or https/TLS 1.0+. Provider must maintain industry recognized security practices to establish secure application(s), network, and infrastructure architectures.
vii. Ensure that the manner in which Confidential Information is collected, accessed, used, stored, processed, disposed of and disclosed within Provider's Products, Services, and supporting enterprise complies with applicable data protection and privacy laws, as well as the terms and conditions of this Agreement.
viii. Conduct periodic risk assessments and remediate any identified security vulnerabilities in a timely manner. Provider will also have a written incident response plan, to include prompt notification of the Board in the event of a security or privacy incident, as well as best practices for responding to a breach of Confidential Information security practices. Provider agrees to share its incident response plan upon request.
ix. Assure that its systems, Products and Services include at least the following safeguards:
1. Include component and system level fault tolerance and redundancy in system design.
2. Encrypt user passwords in any data storage location and obfuscate password entry fields in any entry interface controlled by the discloser.
3. Encrypt Confidential Information at-rest and in-transit.
4. Authentication of users at login with a 256-bit or higher encryption algorithm.
5. Secure transmission of login credentials.
6. Automatic password change routine.
7. Trace user system access via a combination of system logs and Google Analytics.
8. Secure (encrypt) the audit trails and system generated logs and ensure that they are stored in locations that are inaccessible to automated content discovery software.
9. Conduct or undergo system level testing whenever new functionalities are added to the system to reconfirm system security measures are retained and functional, and that interaction with the Board systems is not degraded or compromised.
10. Employ an in-line intrusion protection system that inspects incoming data transmissions.
11. Prevention of hostile or unauthorized intrusion.
12. Backup of all Confidential Information at least once every twenty-four (24) hours. Perform content snapshots at least daily and retain for at least ninety (90) days.
x. Confidential Information shall be stored, backed up, and served only on servers located in the continental United States. Provider's network where Confidential Information may be stored shall have an in-line intrusion prevention system that inspects incoming data transmissions. Provider shall have a documented disaster recovery plan for the electronic systems where Confidential Information may be stored. Data stored in cloud-based systems must be protected in the same manner as local data as described throughout the Agreement.
Appears in 2 contracts
Samples: Ed Tech Services and Data Sharing Agreement, Ed Tech Services and Data Sharing Agreement
HANDLING OF CONFIDENTIAL INFORMATION. Vendor shall protect against the unauthorized access, use or disclosure of Confidential Information by employing security measures that are no less protective as those used to protect Vendor’s own confidential information. When handling Confidential Information, which may include but is not limited to Student Data, Vendor shall:
1. When mailing physical copies of Confidential Information, send the Confidential Information in a tamper-proof, labeled container, with a tracking number and a delivery confirmation receipt;
2. Not store any Confidential Information on portable or removable electronic media, such as CDs, DVDs, electronic tape, flash drives, etc.;
3. Not leave Confidential Information in any medium unsecured and unattended at any time;
4. Keep all physical copies (paper, portable or removable electronic media, or other physical representations) of Confidential Information under lock and key, or otherwise have sufficient physical access control measures to prevent unauthorized access;
5. Password protect any laptop or other electronic device that contains Confidential Information. Additionally, any laptop or other electronic device that contains Confidential Information shall have its full hard drive encrypted with an encryption key of no less than 256 bits. Vendor shall not leave any laptop or other electronic device unattended without enabling a screen-lock or otherwise blocking access to the laptop or other electronic device. Vendor shall ensure that no password or other information sufficient to access a laptop or electronic device containing Confidential Information is attached to or located near the laptop or other electronic device at any time.
6. Secure the Confidential Information stored on its systems, including but not limited to any servers, by employing adequate security measures to prevent unauthorized access, disclosure and use of that information. These measures include appropriate administrative, physical, and technical safeguards, policies and procedures relating to data access controls. All Confidential Information must be secured in transit using secure FTP services or https/TLS 1.0+. Vendor must maintain industry recognized security practices to establish secure application(s), network, and infrastructure architectures.
7. Ensure that the manner in which Confidential Information is collected, accessed, used, stored, processed, disposed of and disclosed within Vendor’s Products, Services, and supporting enterprise complies with applicable data protection and privacy laws, as well as the terms and conditions of this Agreement.
8. Conduct periodic risk assessments and remediate any identified security vulnerabilities in a timely manner. Vendor will also have a written incident response plan, to include prompt notification of the Board in the event of a security or privacy incident, as well as best practices for responding to a breach of Confidential Information security practices. Vendor agrees to share its incident response plan upon request.
9. Ensure that its systems and Services include at least the following safeguards:
a) Include component and system level fault tolerance and redundancy in system design.
b) Encrypt user passwords in any data storage location and obfuscate password entry fields in any entry interface controlled by the discloser.
c) Encrypt Confidential Information at-rest and in-transit.
d) Authentication of users at login with a 256-bit or higher encryption algorithm.
e) Secure transmission of login credentials.
f) Automatic password change routine.
g) Trace user system access via a combination of system logs and Google Analytics.
h) Secure (encrypt) the audit trails and system generated logs and ensure that they are stored in locations that are inaccessible to automated content discovery software.
i) Conduct or undergo system level testing whenever new functionalities are added to the system to reconfirm system security measures are retained and functional, and that interaction with the Board systems is not degraded or compromised.
j) Employ an in-line intrusion protection system that inspects incoming data transmissions.
k) Prevention of hostile or unauthorized intrusion.
l) Backup of all Confidential Information at least once every twenty-four (24) hours.
m) Perform content snapshots at least daily and retain for at least ninety (90) days.
10. Confidential Information shall be stored, backed up, and served only on servers located in the continental United States. Vendor’s network where Confidential Information may be stored shall have an in-line intrusion prevention system that inspects incoming data transmissions. Vendor shall have a documented disaster recovery covered plan for the electronic systems where Confidential Information may be stored. Data stored in cloud-based systems must be protected in the same manner as local data as described throughout the Agreement.
Appears in 2 contracts
Samples: Master Services Agreement, Master Services Agreement
HANDLING OF CONFIDENTIAL INFORMATION. Vendor shall protect against the unauthorized access, use, or disclosure of Confidential Information by employing security measures when handling Confidential Information that are no less protective as those used to protect Vendor’s own confidential information and at least as secure as the following. When handling Confidential Information, which may include but is not limited to Student Data, Vendor shall:
A. When mailing physical copies of Confidential Information, send the Confidential Information in a tamper-proof, labeled container, with a tracking number and a delivery confirmation receipt. Vendor shall not send with encrypted Confidential Information, via mail or electronically, any password or other information sufficient to allow decryption.
B. Not store any Confidential Information on portable or removable electronic media, such as CDs, DVDs, electronic tape, flash drives, etc.;
C. Not leave Confidential Information in any medium unsecured and unattended at any time.
D. Keep all physical copies (paper, portable or removable electronic media, or other physical representations) of Confidential Information under lock and key, or otherwise have sufficient physical access control measures to prevent unauthorized access.
E. Password protect any laptop or other electronic device that contains Confidential Information. Additionally, any laptop or other electronic device that contains Confidential Information shall have its full hard drive encrypted with an encryption key of no less than 256 bits. Vendor shall not leave any laptop or other electronic device unattended without enabling a screen-lock or otherwise blocking access to the laptop or other electronic device. Vendor shall ensure that no password or other information sufficient to access a laptop or electronic device containing Confidential Information is attached to or located near the laptop or other electronic device at any time.
F. Secure the Confidential Information stored on its systems, including but not limited to any servers, by employing adequate security measures to prevent unauthorized access to, disclosure and use of that information. These measures include appropriate administrative, physical, and technical safeguards, policies, procedures, and technical elements relating to data access controls. All Confidential Information must be secured in transit using secure FTP services or https/TLS 1.0+. Vendor must maintain industry recognized security practices to establish secure application(s), network, and infrastructure architectures.
G. Ensure that the manner in which Confidential Information is collected, accessed, used, stored, processed, disposed of and disclosed within Vendor’s Products, Services and supporting enterprise complies with applicable data protection and privacy laws, as well as the terms and conditions of the Agreement.
H. Conduct periodic risk assessments and remediate any identified security vulnerabilities in a timely manner. Vendor will also have a written incident response plan, to include prompt notification of the Board in the event of a security or privacy incident, as well as best practices for responding to a breach of Confidential Information security practices. Vendor agrees to share its incident response plan upon request.
I. Assure that its systems, Products and Services include at least the following safeguards:
1. Include component and system level fault tolerance and redundancy in system design.
2. Encrypt user passwords in any data storage location and obfuscate password entry fields in any entry interface controlled by the discloser.
3. Encrypt Confidential Information at rest and in transit.
4. Authentication of users at logins with a 256-bit or higher encryption algorithm.
5. Secure transmission of login credentials.
6. Automatic password change routine.
7. Trace user system access via a combination of system logs and Google Analytics.
8. Secure (encrypt) the audit trails and system generated logs and ensure that they are stored in locations that are inaccessible to automated content discovery software.
9. Conduct or undergo system level testing whenever new functionalities are added to the system to reconfirm system security measures are retained and functional, and that interaction with the Board systems is not degraded or compromised.
10. Employ an in-line intrusion prevention system that inspects incoming data transmissions.
11. Prevention of hostile and unauthorized intrusion.
12. Backup of all Confidential Information at least once every twenty-four (24) hours. Perform content snapshots at least daily and retain for at least ninety (90) days.
J. Confidential Information shall be stored, backed up, and served only on servers located in the continental United States. Vendor’s network where Confidential Information may be stored shall have an in-line intrusion prevention system that inspects incoming data transmissions. Vendor shall have a documented disaster recovery plan for the electronic systems where Confidential Information may be stored. Data stored in cloud-based systems must be protected in the same manner as local data as described throughout the Agreement.
Appears in 2 contracts
Samples: Services Agreement, Student Transportation Consulting Services Agreement
HANDLING OF CONFIDENTIAL INFORMATION. Provider shall protect against the unauthorized access, use or disclosure of Confidential Information by employing security measures that are no less protective as those used to protect Provider’s own confidential information. When handling Confidential Information, which may include but is not limited to Student Data, Provider shall:
i. When mailing physical copies of Confidential Information, send the Confidential Information in a tamper-proof, labeled container, with a tracking number and a delivery confirmation receipt;
ii. Not store any Confidential Information on portable or removable electronic media, such as CDs, DVDs, electronic tape, flash drives, etc.;
iii. Not leave Confidential Information in any medium unsecured and unattended at any time;
iv. Keep all physical copies (paper, portable or removable electronic media, or other physical representations) of Confidential Information under lock and key, or otherwise have sufficient physical access control measures to prevent unauthorized access;
v. Password protect any laptop or other electronic device that contains Confidential Information. Additionally, any laptop or other electronic device that contains Confidential Information shall have its full hard drive encrypted with an encryption key of no less than 256 bits. Provider shall not leave any laptop or other electronic device unattended without enabling a screen-lock or otherwise blocking access to the laptop or other electronic device. Provider shall ensure that no password or other information sufficient to access a laptop or electronic device containing Confidential Information is attached to or located near the laptop or other electronic device at any time.
vi. Secure the Confidential Information stored on its systems, including but not limited to any servers, by employing adequate security measures to prevent unauthorized access, disclosure and use of that information. These measures include appropriate administrative, physical, and technical safeguards, policies and procedures relating to data access controls. All Confidential Information must be secured in transit using secure FTP services or https/TLS 1.0+. Provider must maintain industry recognized security practices to establish secure application(s), network, and infrastructure architectures.
vii. Ensure that the manner in which Confidential Information is collected, accessed, used, stored, processed, disposed of and disclosed within Provider’s Products, Services, and supporting enterprise complies with applicable data protection and privacy laws, as well as the terms and conditions of this Agreement.
viii. Conduct periodic risk assessments and remediate any identified security vulnerabilities in a timely manner. Provider will also have a written incident response plan, to include prompt notification of the Board in the event of a security or privacy incident, as well as best practices for responding to a breach of Confidential Information security practices. Provider agrees to share its incident response plan upon request.
ix. Assure that its systems, Products and Services include at least the following safeguards:
1. Have daily backups of all data for reliable system redundancy processes and implement any tools to monitor all platform and fault tolerance.
2. Encrypt user passwords in any data storage location and obfuscate password entry fields in any entry interface controlled by the discloser.
3. Encrypt Confidential Information at-rest and in-transit.
4. Authentication of users at login with a 256-bit or higher encryption algorithm.
5. Secure transmission of login credentials.
6. Automatic password change routine.
7. Trace user system access via a combination of system logs and Google Analytics.
8. Secure (encrypt) the audit trails and system generated logs and ensure that they are stored in locations that are inaccessible to automated content discovery software.
9. Conduct or undergo system level testing whenever new functionalities are added to the system to reconfirm system security measures are retained and functional, and that interaction with the Board systems is not degraded or compromised.
10. Limit the transmission of specific data, communications, and interactions to activities authorized by a SSO login.
11. Prevention of hostile or unauthorized intrusion.
12. Backup of all Confidential Information at least once every twenty-four (24) hours. Perform content snapshots at least daily and retain for at least ninety (90) days.
x. Confidential Information shall be stored, backed up, and served only on servers located in the continental United States. Provider’s network where Confidential Information may be stored shall have an in-line intrusion prevention system that inspects incoming data transmissions. Provider shall have a documented disaster recovery plan for the electronic systems where Confidential Information may be stored. Data stored in cloud-based systems must be protected in the same manner as local data as described throughout the Agreement.
Appears in 1 contract
HANDLING OF CONFIDENTIAL INFORMATION. Vendor shall protect against the unauthorized access, use or disclosure of Confidential Information by employing security measures when handling Confidential Information that are no less protective as those used to protect Vendor’s own confidential information and at least as secure as the following. When handling Confidential Information, which may include but is not limited to Student Data, Vendor shall:
A. When mailing physical copies of Confidential Information, send the Confidential Information in a tamper-proof, labeled container, with a tracking number and a delivery confirmation receipt. Proposer shall not send with encrypted Confidential Information, via mail or electronically, any password or other information sufficient to allow decryption.
B. Not store any Confidential Information on portable or removable electronic media, such as CDs, DVDs, electronic tape, flash drives, etc.;
C. Not leave Confidential Information in any medium unsecured and unattended at any time.
D. Keep all physical copies (paper, portable or removable electronic media, or other physical representations) of Confidential Information under lock and key, or otherwise have sufficient physical access control measures to prevent unauthorized access.
E. Password-protect any laptop or other electronic device that contains Confidential Information. Additionally, any laptop or other electronic device that contains Confidential Information shall have its full hard drive encrypted with an encryption key of no less than 256 bits. Vendor shall not leave any laptop or other electronic device unattended without enabling a screen-lock or otherwise blocking access to the laptop or other electronic device. Vendor shall ensure that no password or other information sufficient to access a laptop or electronic device containing Confidential Information is attached to or located near the laptop or other electronic device at any time.
F. Secure the Confidential Information stored on its systems, including but not limited to any servers, by employing adequate security measures to prevent unauthorized access to, disclosure and use of that information. These measures include appropriate administrative, physical, and technical safeguards, policies, procedures, and technical elements relating to data access controls. All Confidential Information must be secured in transit using secure FTP services or https/TLS 1.0+. Vendor must maintain industry recognized security practices to establish secure application(s), network, and infrastructure architectures.
G. Ensure that the manner in which Confidential Information is collected, accessed, used, stored, processed, disposed of and disclosed within Vendor’s Products, Services and supporting enterprise complies with applicable data protection and privacy laws, as well as the terms and conditions of the Contract.
H. Conduct periodic risk assessments and remediate any identified security vulnerabilities in a timely manner. Vendor will also have a written incident response plan, to include prompt notification of the Board in the event of a security or privacy incident, as well as best practices for responding to a breach of Confidential Information security practices. Vendor agrees to share its incident response plan upon request.
I. Assure that its systems, Products and Services include at least the following safeguards:
1. Include component and system level fault tolerance and redundancy in system design.
2. Encrypt user passwords in any data storage location and obfuscate password entry fields in any entry interface controlled by the discloser.
3. Encrypt Confidential Information at rest and in transit.
4. Authentication of users at logins with a 256-bit or higher encryption algorithm.
5. Secure transmission of login credentials.
6. Automatic password change routine.
7. Trace user system access via a combination of system logs and Google Analytics.
8. Secure (encrypt) the audit trails and system generated logs and ensure that they are stored in locations that are inaccessible to automated content discovery software.
9. Conduct or undergo system level testing whenever new functionalities are added to the system to reconfirm system security measures are retained and functional, and that interaction with the Board systems is not degraded or compromised.
10. Employ an in-line intrusion prevention system that inspects incoming data transmissions.
11. Prevention of hostile and unauthorized intrusion.
12. Backup of all Confidential Information at least once every twenty-four (24) hours. Perform content snapshots at least daily and retain for at least ninety (90) days.
J. Confidential Information shall be stored, backed up, and served only on servers located in the continental United States. Vendor’s network where Confidential Information may be stored shall have an in-line intrusion prevention system that inspects incoming data transmissions. Vendor shall have a documented disaster recovery plan for the electronic systems where Confidential Information may be stored. Data stored in cloud-based systems must be protected in the same manner as local data as described throughout the Contract.
Appears in 1 contract
Samples: Paratransit and Alternate Modes of Student Transportation Services Agreement
HANDLING OF CONFIDENTIAL INFORMATION. Vendor shall protect against the unauthorized access, use, or disclosure of Confidential Information by employing security measures when handling Confidential Information that are no less protective as those used to protect Vendor’s own confidential information and at least as secure as the following. When handling Confidential Information, which may include but is not limited to Student Data, Vendor shall:
A. When mailing physical copies of Confidential Information, send the Confidential Information in a tamper-proof, labeled container, with a tracking number and a delivery confirmation receipt. Vendor shall not send with encrypted Confidential Information, via mail or electronically, any password or other information sufficient to allow decryption.
B. Not store any Confidential Information on portable or removable electronic media, such as CDs, DVDs, electronic tape, flash drives, etc.;
C. Not leave Confidential Information in any medium unsecured and unattended at any time.
D. Keep all physical copies (paper, portable or removable electronic media, or other physical representations) of Confidential Information under lock and key, or otherwise have sufficient physical access control measures to prevent unauthorized access.
E. Password protect any laptop or other electronic device that contains Confidential Information. Additionally, any laptop or other electronic device that contains Confidential Information shall have its full hard drive encrypted with an encryption key of no less than 256 bits. Vendor shall not leave any laptop or other electronic device unattended without enabling a screen-lock or otherwise blocking access to the laptop or other electronic device. Vendor shall ensure that no password or other information sufficient to access a laptop or electronic device containing Confidential Information is attached to or located near the laptop or other electronic device at any time.
F. Secure the Confidential Information stored on its systems, including but not limited to any servers, by employing adequate security measures to prevent unauthorized access to, disclosure and use of that information. These measures include appropriate administrative, physical, and technical safeguards, policies, procedures, and technical elements relating to data access controls. All Confidential Information must be secured in transit using secure FTP services or https/TLS 1.0+. Vendor must maintain industry recognized security practices to establish secure application(s), network, and infrastructure architectures.
G. Ensure that the manner in which Confidential Information is collected, accessed, used, stored, processed, disposed of and disclosed within Vendor’s Products, Services and supporting enterprise complies with applicable data protection and privacy laws, as well as the terms and conditions of the Agreement.
H. Conduct periodic risk assessments and remediate any identified security vulnerabilities in a timely manner. Vendor will also have a written incident response plan, to include prompt notification of the Board in the event of a security or privacy incident, as well as best practices for responding to a breach of Confidential Information security practices. Vendor agrees to share its incident response plan upon request.
I. Assure that its systems, Products and Services include at least the following safeguards:
1. Include component and system level fault tolerance and redundancy in system design.
2. Encrypt user passwords in any data storage location and obfuscate password entry fields in any entry interface controlled by the discloser.
3. Encrypt Confidential Information at rest and in transit.
4. Authentication of users at logins with a 256-bit or higher encryption algorithm.
5. Secure transmission of login credentials.
6. Automatic password change routine.
7. Trace user system access via a combination of system logs and Google Analytics.
8. Secure (encrypt) the audit trails and system generated logs and ensure that they are stored in locations that are inaccessible to automated content discovery software.
9. Conduct or undergo system level testing whenever new functionalities are added to the system to reconfirm system security measures are retained and functional, and that interaction with the Board systems is not degraded or compromised.
10. Employ an in-line intrusion prevention system that inspects incoming data transmissions.
11. Prevention of hostile and unauthorized intrusion.
12. Backup of all Confidential Information at least once every twenty-four (24) hours. Perform content snapshots at least daily and retain for at least ninety (90) days.
J. Confidential Information shall be stored, backed up, and served only on servers located in the continental United States. Vendor’s network where Confidential Information may be stored shall have an in-line intrusion prevention system that inspects incoming data transmissions. Vendor shall have a documented disaster recovery plan for the electronic systems where Confidential Information may be stored. Data stored in cloud-based systems must be protected in the same manner as local data as described throughout the Agreement.
Appears in 1 contract
Samples: Services Agreement
HANDLING OF CONFIDENTIAL INFORMATION. Vendor shall protect against the unauthorized access, use or disclosure of Confidential Information by employing security measures when handling Confidential Information that are no less protective as those used to protect Vendor’s own confidential information and at least as secure as the following. When handling Confidential Information, which may include but is not limited to Student Data, Vendor shall:
i. When mailing physical copies of Confidential Information, send the Confidential Information in a tamper-proof, labeled container, with a tracking number and a delivery confirmation receipt. Proposer shall not send with encrypted Confidential Information, via mail or electronically, any password or other information sufficient to allow decryption.
ii. Not store any Confidential Information on portable or removable electronic media, such as CDs, DVDs, electronic tape, flash drives, etc.;
iii. Not leave Confidential Information in any medium unsecured and unattended at any time.
iv. Keep all physical copies (paper, portable or removable electronic media, or other physical representations) of Confidential Information under lock and key, or otherwise have sufficient physical access control measures to prevent unauthorized access.
v. Password protect any laptop or other electronic device that contains Confidential Information. Additionally, any laptop or other electronic device that contains Confidential Information shall have its full hard drive encrypted with an encryption key of no less than 256 bits. Vendor shall not leave any laptop or other electronic device unattended without enabling a screen-lock or otherwise blocking access to the laptop or other electronic device. Vendor shall ensure that no password or other information sufficient to access a laptop or electronic device containing Confidential Information is attached to or located near the laptop or other electronic device at any time.
vi. Secure the Confidential Information stored on its systems, including but not limited to any servers, by employing adequate security measures to prevent unauthorized access to, disclosure and use of that information. These measures include appropriate administrative, physical, and technical safeguards, policies, procedures, and technical elements relating to data access controls. All Confidential Information must be secured in transit using secure FTP services or https/TLS 1.0+. Vendor must maintain industry recognized security practices to establish secure application(s), network, and infrastructure architectures.
vii. Ensure that the manner in which Confidential Information is collected, accessed, used, stored, processed, disposed of and disclosed within Vendor’s Products, Services and supporting enterprise complies with applicable data protection and privacy laws, as well as the terms and conditions of this Master Agreement.
viii. Conduct periodic risk assessments and remediate any identified security vulnerabilities in a timely manner. Vendor will also have a written incident response plan, to include prompt notification of the Board in the event of a security or privacy incident, as well as best practices for responding to a breach of Confidential Information security practices. Vendor agrees to share its incident response plan upon request.
ix. Assure that its systems, Products and Services include at least the following safeguards:
1. Include component and system level fault tolerance and redundancy in system design;
2. Encrypt user passwords in any data storage location and obfuscate password entry fields in any entry interface controlled by the discloser;
3. Encrypt Confidential Information at rest and in transit;
4. Authentication of users at logins with a 256-bit or higher encryption algorithm;
5. Secure transmission of login credentials;
6. Automatic password change routine;
7. Trace user system access via a combination of system logs and Google Analytics;
8. Secure (encrypt) the audit trails and system generated logs and ensure that they are stored in locations that are inaccessible to automated content discovery software;
9. Conduct or undergo system level testing whenever new functionalities are added to the system to reconfirm system security measures are retained and functional, and that interaction with the Board systems is not degraded or compromised;
10. Employ an in-line intrusion prevention system that inspects incoming data transmissions;
11. Prevention of hostile and unauthorized intrusion;
12. Backup of all Confidential Information at least once every twenty-four (24) hours. Perform content snapshots at least daily and retain for at least ninety (90) days.
13. Confidential Information shall be stored, backed up, and served only on servers located in the continental United States. Vendor’s network where Confidential Information may be stored shall have an in-line intrusion prevention system that inspects incoming data transmissions. Vendor shall have a documented disaster recovery plan for the electronic systems where Confidential Information may be stored. Data stored in cloud-based systems must be protected in the same manner as local data as described throughout this Master Agreement.
Appears in 1 contract
HANDLING OF CONFIDENTIAL INFORMATION. Provider shall protect against the unauthorized access, use or disclosure of Confidential Information by employing security measures that are no less protective as those used to protect Provider’s own confidential information. When handling Confidential Information, which may include but is not limited to Student Data, Provider shall:
i. When mailing physical copies of Confidential Information, send the Confidential Information in a tamper-proof, labeled container, with a tracking number and a delivery confirmation receipt;
ii. Not store any Confidential Information on portable or removable electronic media, such as CDs, DVDs, electronic tape, flash drives, etc.;
iii. Not leave Confidential Information in any medium unsecured and unattended at any time;
iv. Keep all physical copies (paper, portable or removable electronic media, or other physical representations) of Confidential Information under lock and key, or otherwise have sufficient physical access control measures to prevent unauthorized access;
v. Password protect any laptop or other electronic device that contains Confidential Information. Additionally, any laptop or other electronic device that contains Confidential Information shall have its full hard drive encrypted with an encryption key of no less than 256 bits. Provider shall not leave any laptop or other electronic device unattended without enabling a screen-lock or otherwise blocking access to the laptop or other electronic device. Provider shall ensure that no password or other information sufficient to access a laptop or electronic device containing Confidential Information is attached to or located near the laptop or other electronic device at any time.
vi. Secure the Confidential Information stored on its systems, including but not limited to any servers, by employing adequate security measures to prevent unauthorized access, disclosure and use of that information. These measures include appropriate administrative, physical, and technical safeguards, policies and procedures relating to data access controls. All Confidential Information must be secured in transit using secure FTP services or https/TLS 1.0+. Provider must maintain industry recognized security practices to establish secure application(s), network, and infrastructure architectures.
vii. Ensure that the manner in which Confidential Information is collected, accessed, used, stored, processed, disposed of and disclosed within Provider’s Products, Services, and supporting enterprise complies with applicable data protection and privacy laws, as well as the terms and conditions of this Agreement.
viii. Conduct periodic risk assessments and remediate any identified security vulnerabilities in a timely manner. Provider will also have a written incident response plan, to include prompt notification of the Board in the event of a security or privacy incident, as well as best practices for responding to a breach of Confidential Information security practices. Provider agrees to share its incident response plan upon request.
ix. Assure that its systems, Products and Services include at least the following safeguards:
1. Include component and system level fault tolerance and redundancy in system design.
2. Encrypt user passwords in any data storage location and obfuscate password entry fields in any entry interface controlled by the discloser.
3. Encrypt Confidential Information at-rest and in-transit.
4. Authentication of users at login with a 256-bit or higher encryption algorithm.
5. Secure transmission of login credentials.
6. Enforce change of characters when new passwords are created.
7. Trace user system access via a combination of system logs and Google Analytics.
8. Secure (encrypt) the audit trails and system generated logs and ensure that they are stored in locations that are inaccessible to automated content discovery software.
9. If applicable, conduct or undergo system level testing whenever new functionalities are added to the system to reconfirm system security measures are retained and functional, and that interaction with the Board systems is not degraded or compromised.
10. Employ an in-line intrusion protection system that inspects incoming data transmissions.
11. Prevention of hostile or unauthorized intrusion.
12. Backup of all Confidential Information at least once every twenty-four (24) hours. Perform database snapshots at least daily and retain for at least ninety (90) days.
x. Confidential Information shall be stored, backed up, and served only on servers located in the continental United States. Provider’s network where Confidential Information may be stored shall have an in-line intrusion prevention system that inspects incoming data transmissions. Provider shall have a documented disaster recovery plan for the electronic systems where Confidential Information may be stored. Data stored in cloud-based systems must be protected in the same manner as local data as described throughout the Agreement.
Appears in 1 contract
HANDLING OF CONFIDENTIAL INFORMATION. Vendor shall protect against the unauthorized access, use, or disclosure of Confidential Information by employing security measures when handling Confidential Information that are no less protective as those used to protect Vendor’s own confidential information and at least as secure as the following. When handling Confidential Information, which may include but is not limited to Student Data, Vendor shall:
A. When mailing physical copies of Confidential Information, send the Confidential Information in a tamper-proof, labeled container, with a tracking number and a delivery confirmation receipt. Vendor shall not send with encrypted Confidential Information, via mail or electronically, any password or other information sufficient to allow decryption.
B. Not store any Confidential Information on portable or removable electronic media, such as CDs, DVDs, electronic tape, flash drives, etc.;
C. Not leave Confidential Information in any medium unsecured and unattended at any time.
D. Keep all physical copies (paper, portable or removable electronic media, or other physical representations) of Confidential Information under lock and key, or otherwise have sufficient physical access control measures to prevent unauthorized access.
E. Password protect any laptop or other electronic device that contains Confidential Information. Additionally, any laptop or other electronic device that contains Confidential Information shall have its full hard drive encrypted with an encryption key of no less than 256 bits. Vendor shall not leave any laptop or other electronic device unattended without enabling a screen-lock or otherwise blocking access to the laptop or other electronic device. Vendor shall ensure that no password or other information sufficient to access a laptop or electronic device containing Confidential Information is attached to or located near the laptop or other electronic device at any time.
F. Secure the Confidential Information stored on its systems, including but not limited to any servers, by employing adequate security measures to prevent unauthorized access to, disclosure and use of that information. These measures include appropriate administrative, physical, and technical safeguards, policies, procedures, and technical elements relating to data access controls. All Confidential Information must be secured in transit using secure FTP services or https/TLS 1.0+. Vendor must maintain industry recognized security practices to establish secure application(s), network, and infrastructure architectures.
G. Ensure that the manner in which Confidential Information is collected, accessed, used, stored, processed, disposed of and disclosed within Vendor’s Products, Services and supporting enterprise complies with applicable data protection and privacy laws, as well as the terms and conditions of the Agreement.
H. Conduct periodic risk assessments and remediate any identified security vulnerabilities in a timely manner. Vendor will also have a written incident response plan, to include prompt notification of the Board in the event of a security or privacy incident, as well as best practices for responding to a breach of Confidential Information security practices. Vendor agrees to share its incident response plan upon request.
I. Assure that its systems, Products and Services include at least the following safeguards:
1. Include component and system level fault tolerance and redundancy in system design.
2. Encrypt user passwords in any data storage location and obfuscate password entry fields in any entry interface controlled by the discloser.
3. Encrypt Confidential Information at rest and in transit.
4. Authentication of users at logins with a 256-bit or higher encryption algorithm.
5. Secure transmission of login credentials.
6. Automatic password change routine.
7. Trace user system access via a combination of system logs and Google Analytics.
8. Secure (encrypt) the audit trails and system generated logs and ensure that they are stored in locations that are inaccessible to automated content discovery software.
9. Conduct or undergo system level testing whenever new functionalities are added to the system to reconfirm system security measures are retained and functional, and that interaction with the Board systems is not degraded or compromised.
10. Employ an in-line intrusion prevention system that inspects incoming data transmissions.
11. Prevention of hostile and unauthorized intrusion.
12. Backup of all Confidential Information at least once every twenty-four (24) hours. Perform content snapshots at least daily and retain for at least ninety (90) days.
J. Vendor’s network where Confidential Information may be stored shall have an in-line intrusion prevention system that inspects incoming data transmissions. Vendor shall have a documented disaster recovery plan for the electronic systems where Confidential Information may be stored. Data stored in cloud-based systems must be protected in the same manner as local data as described throughout the Agreement.
Samples: Services Agreement
HANDLING OF CONFIDENTIAL INFORMATION. The receiving party shall protect against the unauthorized access, use or disclosure of Confidential Information by employing security measures when handling Confidential Information that are no less protective as those used to protect its own confidential information and at least as secure as the following. When handling Confidential Information, which may include but is not limited to Student Data, Vendor shall:
A. When mailing physical copies of Confidential Information, send the Confidential Information in a tamper-proof, labeled container, with a tracking number and a delivery confirmation receipt. Proposer shall not send with encrypted Confidential Information, via mail or electronically, any password or other information sufficient to allow decryption.
B. Not store any Confidential Information on portable or removable electronic media, such as CDs, DVDs, electronic tape, flash drives, etc. This Agreement will be posted on the CPS website.
C. Not leave Confidential Information in any medium unsecured and unattended at any time.
D. Keep all physical copies (paper, portable or removable electronic media, or other physical representations) of Confidential Information under lock and key, or otherwise have sufficient physical access control measures to prevent unauthorized access.
E. Password-protect any laptop or other electronic device that contains Confidential Information. Additionally, any laptop or other electronic device that contains Confidential Information shall have its full hard drive encrypted with an encryption key of no less than 256 bits. Vendor shall not leave any laptop or other electronic device unattended without enabling a screen-lock or otherwise blocking access to the laptop or other electronic device. Vendor shall ensure that no password or other information sufficient to access a laptop or electronic device containing Confidential Information is attached to or located near the laptop or other electronic device at any time.
F. Secure the Confidential Information stored on its systems, including but not limited to any servers, by employing adequate security measures to prevent unauthorized access to, disclosure, and use of that information. These measures include appropriate administrative, physical, and technical safeguards, policies, procedures, and technical elements relating to data access controls. All Confidential Information must be secured in transit using secure FTP services or https/TLS 1.0+. Vendor must maintain industry-recognized security practices to establish secure application(s), network, and infrastructure architectures.
G. Ensure that the manner in which Confidential Information is collected, accessed, used, stored, processed, disposed of, and disclosed within Vendor’s Products, Services and supporting enterprise complies with applicable data protection and privacy laws, as well as the terms and conditions of the Contract.
H. Conduct periodic risk assessments and remediate any identified security vulnerabilities in a timely manner. Vendor will also have a written incident response plan, to include prompt notification of the Board in the event of a security or privacy incident, as well as best practices for responding to a breach of Confidential Information security practices. Vendor agrees to share its incident response plan upon request.
I. Assure that its systems, Products, and Services include at least the following safeguards:
1. Include component and system-level fault tolerance and redundancy in system design.
2. Encrypt user passwords in any data storage location and obfuscate password entry fields in any entry interface controlled by the discloser.
3. Encrypt Confidential Information at rest and in transit.
4. Authentication of users at logins with a 256-bit or higher encryption algorithm.
5. Secure transmission of login credentials.
6. Automatic password change routine.
7. Trace user system access via a combination of system logs and Google Analytics.
8. Secure (encrypt) the audit trails and system-generated logs and ensure that they are stored in locations that are inaccessible to automated content discovery software.
9. Conduct or undergo system-level testing whenever new functionalities are added to the system to reconfirm system security measures are retained and functional, and that interaction with the Board systems is not degraded or compromised.
10. Employ an in-line intrusion prevention system that inspects incoming data transmissions.
11. Prevention of hostile and unauthorized intrusion.
12. Backup of all Confidential Information at least once every twenty-four (24) hours.
13. Perform content snapshots at least daily and retain them for at least ninety (90) days.
J. Confidential Information shall be stored, backed up, and served only on servers located in the continental United States. Vendor’s network where Confidential Information may be stored shall have an in-line intrusion prevention system that inspects incoming data transmissions. Vendor shall have a documented disaster recovery plan for the electronic systems where Confidential Information may be stored. Data stored in cloud-based systems must be protected in the same manner as local data as described throughout the Contract.
Samples: Paratransit and Alternate Modes of Student Transportation Services Agreement
HANDLING OF CONFIDENTIAL INFORMATION. Vendor shall protect against the unauthorized access, use or disclosure of Confidential Information by employing security measures when handling Confidential Information that are no less protective as those used to protect Vendor’s own confidential information and at least as secure as the following. When handling Confidential Information, which may include but is not limited to Student Data, Vendor shall:
A. When mailing physical copies of Confidential Information, send the Confidential Information in a tamper-proof, labeled container, with a tracking number and a delivery confirmation receipt. Proposer shall not send with encrypted Confidential Information, via mail or electronically, any password or other information sufficient to allow decryption.
B. Not store any Confidential Information on portable or removable electronic media, such as CDs, DVDs, electronic tape, flash drives, etc.;
C. Not leave Confidential Information in any medium unsecured and unattended at any time.
D. Keep all physical copies (paper, portable or removable electronic media, or other physical representations) of Confidential Information under lock and key, or otherwise have sufficient physical access control measures to prevent unauthorized access.
E. Password protect any laptop or other electronic device that contains Confidential Information. Additionally, any laptop or other electronic device that contains Confidential Information shall have its full hard drive encrypted with an encryption key of no less than 256 bits. Vendor shall not leave any laptop or other electronic device unattended without enabling a screen-lock or otherwise blocking access to the laptop or other electronic device. Vendor shall ensure that no password or other information sufficient to access a laptop or electronic device containing Confidential Information is attached to or located near the laptop or other electronic device at any time.
F. Secure the Confidential Information stored on its systems, including but not limited to any servers, by employing adequate security measures to prevent unauthorized access to, disclosure and use of that information. These measures include appropriate administrative, physical, and technical safeguards, policies, procedures, and technical elements relating to data access controls. All Confidential Information must be secured in transit using secure FTP services or https/TLS 1.0+. Vendor must maintain industry recognized security practices to establish secure application(s), network, and infrastructure architectures.
G. Ensure that the manner in which Confidential Information is collected, accessed, used, stored, processed, disposed of and disclosed within Vendor’s Products, Services and supporting enterprise complies with applicable data protection and privacy laws, as well as the terms and conditions of the Contract.
H. Conduct periodic risk assessments and remediate any identified security vulnerabilities in a timely manner. Vendor will also have a written incident response plan, to include prompt notification of the Board in the event of a security or privacy incident, as well as best practices for responding to a breach of Confidential Information security practices. Vendor agrees to share its incident response plan upon request.
I. Assure that its systems, Products and Services include at least the following safeguards:
1. Include component and system level fault tolerance and redundancy in system design.
2. Encrypt user passwords in any data storage location and obfuscate password entry fields in any entry interface controlled by the discloser.
3. Encrypt Confidential Information at rest and in transit.
4. Authentication of users at logins with a 256-bit or higher encryption algorithm.
5. Secure transmission of login credentials.
6. Automatic password change routine.
7. Trace user system access via a combination of system logs and Google Analytics.
8. Secure (encrypt) the audit trails and system generated logs and ensure that they are stored in locations that are inaccessible to automated content discovery software.
9. Conduct or undergo system level testing whenever new functionalities are added to the system to reconfirm system security measures are retained and functional, and that interaction with the Board systems is not degraded or compromised.
10. Employ an in-line intrusion prevention system that inspects incoming data transmissions.
11. Prevention of hostile and unauthorized intrusion.
12. Backup of all Confidential Information at least once every twenty-four (24) hours. Perform content snapshots at least daily and retain for at least ninety (90) days.
J. Confidential Information shall be stored, backed up, and served only on servers located in the continental United States. Vendor’s network where Confidential Information may be stored shall have an in-line intrusion prevention system that inspects incoming data transmissions. Vendor shall have a documented disaster recovery plan for the electronic systems where Confidential Information may be stored. Data stored in cloud-based systems must be protected in the same manner as local data as described throughout the Contract.
Samples: Paratransit and Alternate Modes of Student Transportation Services Agreement
HANDLING OF CONFIDENTIAL INFORMATION. Provider shall protect against the unauthorized access, use or disclosure of Confidential Information by employing security measures that are no less protective as those used to protect Xxxxxxxx’s own confidential information. When handling Confidential Information, which may include but is not limited to Student Data, Provider shall:
i. When mailing physical copies of Confidential Information, send the Confidential Information in a tamper-proof, labeled container, with a tracking number and a delivery confirmation receipt;
ii. Not store any Confidential Information on portable or removable electronic media, such as CDs, DVDs, electronic tape, flash drives, etc.;
iii. Not leave Confidential Information in any medium unsecured and unattended at any time;
iv. Keep all physical copies (paper, portable or removable electronic media, or other physical representations) of Confidential Information under lock and key, or otherwise have sufficient physical access control measures to prevent unauthorized access;
v. Password protect any laptop or other electronic device that contains Confidential Information. Additionally, any laptop or other electronic device that contains Confidential Information shall have its full hard drive encrypted with an encryption key of no less than 256 bits. Provider shall not leave any laptop or other electronic device unattended without enabling a screen-lock or otherwise blocking access to the laptop or other electronic device. Provider shall ensure that no password or other information sufficient to access a laptop or electronic device containing Confidential Information is attached to or located near the laptop or other electronic device at any time.
vi. Secure the Confidential Information stored on its systems, including but not limited to any servers, by employing adequate security measures to prevent unauthorized access, disclosure and use of that information. These measures include appropriate administrative, physical, and technical safeguards, policies and procedures relating to data access controls. All Confidential Information must be secured in transit using secure FTP services or https/TLS 1.0+. Provider must maintain industry recognized security practices to establish secure application(s), network, and infrastructure architectures.
vii. Ensure that the manner in which Confidential Information is collected, accessed, used, stored, processed, disposed of and disclosed within Provider’s Products, Services, and supporting enterprise complies with applicable data protection and privacy laws, as well as the terms and conditions of this Agreement.
viii. Conduct periodic risk assessments and remediate any identified security vulnerabilities in a timely manner. Provider will also have a written incident response plan, to include prompt notification of the Board in the event of a security or privacy incident, as well as best practices for responding to a breach of Confidential Information security practices. Provider agrees to share its incident response plan upon request.
ix. Assure that its systems, Products and Services include at least the following safeguards:
1. Include component and system level fault tolerance and redundancy in system design.
2. Encrypt user passwords in any data storage location and obfuscate password entry fields in any entry interface controlled by the discloser.
3. Encrypt Confidential Information at-rest and in-transit.
4. Authentication of users at login with a 256-bit or higher encryption algorithm.
5. Secure transmission of login credentials.
6. Automatic password change routine.
7. Trace user system access via a combination of system logs and Google Analytics.
8. Secure (encrypt) the audit trails and system generated logs and ensure that they are stored in locations that are inaccessible to automated content discovery software.
9. Conduct or undergo system level testing whenever new functionalities are added to the system to reconfirm system security measures are retained and functional, and that interaction with the Board systems is not degraded or compromised.
10. Employ an in-line intrusion protection system that inspects incoming data transmissions.
11. Prevention of hostile or unauthorized intrusion.
12. Backup of all Confidential Information at least once every twenty-four (24) hours. Perform content snapshots at least daily and retain for at least ninety (90) days.
x. Confidential Information shall be stored, backed up, and served only on servers located in the continental United States. Provider’s network where Confidential Information may be stored shall have an in-line intrusion prevention system that inspects incoming data transmissions. Provider shall have a documented disaster recovery plan for the electronic systems where Confidential Information may be stored. Data stored in cloud-based systems must be protected in the same manner as local data as described throughout the Agreement.
HANDLING OF CONFIDENTIAL INFORMATION. Vendor shall protect against the unauthorized access, use or disclosure of Confidential Information by employing security measures when handling Confidential Information that are no less protective as those used to protect Vendor’s own confidential information and at least as secure as the following. When handling Confidential Information, which may include but is not limited to Student Data, Vendor shall:
A. When mailing physical copies of Confidential Information, send the Confidential Information in a tamper-proof, labeled container, with a tracking number and a delivery confirmation receipt. Vendor shall not send with encrypted Confidential Information, via mail or electronically, any password or other information sufficient to allow decryption.
B. Not store any Confidential Information on portable or removable electronic media, such as CDs, DVDs, electronic tape, flash drives, etc.;
C. Not leave Confidential Information in any medium unsecured and unattended at any time;
D. Keep all physical copies (paper, portable or removable electronic media, or other physical representations) of Confidential Information under lock and key, or otherwise have sufficient physical access control measures to prevent unauthorized access;
E. Password protect any laptop or other electronic device that contains Confidential Information. Additionally, any laptop or other electronic device that contains Confidential Information shall have its full hard drive encrypted with an encryption key of no less than 256 bits. Vendor shall not leave any laptop or other electronic device unattended without enabling a screen-lock or otherwise blocking access to the laptop or other electronic device. Vendor shall ensure that no password or other information sufficient to access a laptop or electronic device containing Confidential Information is attached to or located near the laptop or other electronic device at any time;
F. Secure the Confidential Information stored on its systems, including but not limited to any servers, by employing adequate security measures to prevent unauthorized access to, disclosure and use of that information. These measures include appropriate administrative, physical, and technical safeguards, policies, procedures, and technical elements relating to data access controls. All Confidential Information must be secured in transit using secure FTP services or https/TLS 1.0+. Vendor must maintain industry recognized security practices to establish secure application(s), network, and infrastructure architectures;
G. Ensure that the manner in which Confidential Information is collected, accessed, used, stored, processed, disposed of and disclosed within Vendor’s Products, Services and supporting enterprise complies with applicable data protection and privacy laws, as well as the terms and conditions of the Agreement;
H. Conduct periodic risk assessments and remediate any identified security vulnerabilities in a timely manner. Vendor will also have a written incident response plan, to include prompt notification of the Board in the event of a security or privacy incident, as well as best practices for responding to a breach of Confidential Information security practices. Vendor agrees to share its incident response plan upon request;
I. Assure that its systems and Services include at least the following safeguards, where applicable:
1. Include component and system level fault tolerance and redundancy in system design;
2. Encrypt user passwords in any data storage location and obfuscate password entry fields in any entry interface controlled by the Vendor;
3. Encrypt Confidential Information at rest and in transit;
4. Authentication of users at logins with a 256-bit or higher encryption algorithm;
5. Secure transmissions of login credentials;
6. Automatic password change routine;
7. Trace user system access via a combination of system logs and Google Analytics;
8. Secure (encrypt) the audit trails and system generated logs and ensure that they are stored in locations that are inaccessible to automated content discovery software;
9. Conduct or undergo system level testing whenever new functionalities are added to the system to reconfirm system security measures are retained and functional, and that interaction with the Board systems is not degraded or compromised;
10. Employ an in-line intrusion prevention system that inspects incoming data transmissions;
11. Prevention of hostile and unauthorized intrusion; and
12. Backup of all Confidential Information at least once every twenty-four (24) hours. Perform content snapshots at least daily and retain for at least ninety (90) days.
J. Confidential Information shall be stored, backed up, and served only on servers located in the continental United States. Vendor’s network where Confidential Information may be stored shall have an in-line intrusion prevention system that inspects incoming data transmissions. Vendor shall have a documented disaster recovery covered plan for the electronic systems where Confidential Information may be stored. Data stored in cloud-based systems must be protected in the same manner as local data as described throughout the Agreement. Also, the prior approval of the Board’s ITS Program Manager or designee for any hosting solution may be required.
Samples: Services Agreement
HANDLING OF CONFIDENTIAL INFORMATION. Provider shall protect against the unauthorized access, use or disclosure of Confidential Information by employing security measures that are no less protective as those used to protect Provider’s own confidential information. When handling Confidential Information, which may include but is not limited to Student Data, Provider shall:
i. When mailing physical copies of Confidential Information, send the Confidential Information in a tamper-proof, labeled container, with a tracking number and a delivery confirmation receipt;
ii. Not store any Confidential Information on portable or removable electronic media, such as CDs, DVDs, electronic tape, flash drives, etc.;
iii. Not leave Confidential Information in any medium unsecured and unattended at any time;
iv. Keep all physical copies (paper, portable or removable electronic media, or other physical representations) of Confidential Information under lock and key, or otherwise have sufficient physical access control measures to prevent unauthorized access;
v. Password protect any laptop or other electronic device that contains Confidential Information. Additionally, any laptop or other electronic device that contains Confidential Information shall have its full hard drive encrypted with an encryption key of no less than 256 bits. Provider shall not leave any laptop or other electronic device unattended without enabling a screen-lock or otherwise blocking access to the laptop or other electronic device. Provider shall ensure that no password or other information sufficient to access a laptop or electronic device containing Confidential Information is attached to or located near the laptop or other electronic device at any time.
vi. Secure the Confidential Information stored on its systems, including but not limited to any servers, by employing adequate security measures to prevent unauthorized access, disclosure and use of that information. These measures include appropriate administrative, physical, and technical safeguards, policies and procedures relating to data access controls. All Confidential Information must be secured in transit using secure FTP services or https/TLS 1.0+. Provider must maintain industry recognized security practices to establish secure application(s), network, and infrastructure architectures.
vii. Ensure that the manner in which Confidential Information is collected, accessed, used, stored, processed, disposed of and disclosed within Provider’s Products, Services, and supporting enterprise complies with applicable data protection and privacy laws, as well as the terms and conditions of this Agreement.
viii. Conduct periodic risk assessments and remediate any identified security vulnerabilities in a timely manner. Provider will also have a written incident response plan, to include prompt notification of the Board in the event of a security or privacy incident, as well as best practices for responding to a breach of Confidential Information security practices. Provider agrees to share its incident response plan upon request.
ix. Assure that its systems, Products and Services include at least the following safeguards:
1. Include component and system level fault tolerance and redundancy in system design.
2. Encrypt user passwords in any data storage location and obfuscate password entry fields in any entry interface controlled by the discloser.
3. Encrypt Confidential Information at-rest and in-transit.
4. Authentication of users at login with a 256-bit or higher encryption algorithm.
5. Secure transmission of login credentials.
6. Automatic password change routine.
7. Trace user system access via a combination of system logs and Google Analytics.
8. Secure (encrypt) the audit trails and system generated logs and ensure that they are stored in locations that are inaccessible to automated content discovery software.
9. Conduct or undergo system level testing whenever new functionalities are added to the system to reconfirm system security measures are retained and functional, and that interaction with the Board systems is not degraded or compromised.
10. Employ an in-line intrusion protection system that inspects incoming data transmissions.
11. Prevention of hostile or unauthorized intrusion.
12. Backup of all Confidential Information at least once every twenty-four (24) hours. Perform content snapshots at least daily and retain for at least ninety (90) days.
x. Confidential Information shall be stored, backed up, and served only on servers located in the continental United States or France at secured data centers. Provider’s network where Confidential Information may be stored shall have an in-line intrusion prevention system that inspects incoming data transmissions. Provider shall have a documented disaster recovery plan for the electronic systems where Confidential Information may be stored. Data stored in cloud-based systems must be protected in the same manner as local data as described throughout the Agreement.
HANDLING OF CONFIDENTIAL INFORMATION. Vendor shall protect against the unauthorized access, use or disclosure of Confidential Information by employing security measures that are no less protective as those used to protect Vendor’s own confidential information. When handling Confidential Information, which may include but is not limited to Student Data, Provider Information Vendor shall:
1. When mailing physical copies of Confidential Information, send the Confidential Information in a tamper-proof, labeled container, with a tracking number and a delivery confirmation receipt;
ii. Not store any Confidential Information on portable or removable electronic media, such as CDs, DVDs, electronic tape, flash drives, etc.;
2. Not leave Confidential Information in any medium unsecured and unattended at any time;
3. Keep all physical copies (paper, portable or removable electronic media, or other physical representations) of Confidential Information under lock and key, or otherwise have sufficient physical access control measures to prevent unauthorized access;
4. Password protect any laptop or other electronic device that contains Confidential Information. Additionally, any laptop or other electronic device that contains Confidential Information shall have its full hard drive encrypted with an encryption key of no less than 256 bits. Vendor shall not leave any laptop or other electronic device unattended without enabling a screen-lock or otherwise blocking access to the laptop or other electronic device. Vendor shall ensure that no password or other information sufficient to access a laptop or electronic device containing Confidential Information is attached to or located near the laptop or other electronic device at any time.
5. Secure the Confidential Information stored on its systems, including but not limited to any servers, by employing adequate security measures to prevent unauthorized access, disclosure and use of that information. These measures include appropriate administrative, physical, and technical safeguards, policies and procedures relating to data access controls. All Confidential Information must be secured in transit using secure FTP services or https/TLS 1.0+. Vendor must maintain industry recognized security practices to establish secure application(s), network, and infrastructure architectures.
6. Ensure that the manner in which Confidential Information is collected, accessed, used, stored, processed, or disposed of and disclosed within Vendor’s Products, Services, and supporting enterprise complies with applicable data protection and privacy laws, as well as the terms and conditions of this Agreement.
7. Conduct periodic risk assessments and remediate any identified security vulnerabilities in a timely manner. Vendor will also have a written incident response plan, to include prompt notification of the Board in the event of a security or privacy incident, as well as best practices for responding to a breach of Confidential Information security practices. Vendor agrees to share its incident response plan upon request.
8. Assure that its systems, Products and Services include at least the following safeguards:
1. Include component and system level fault tolerance and redundancy in system design.
2. Encrypt user passwords in any data storage location and obfuscate password entry fields in any entry interface controlled by the discloser.
3. Encrypt Confidential Information at-rest and in-transit.
4. Authentication of users at login with a 256-bit or higher encryption algorithm.
5. Secure transmission of login credentials.
6. Automatic password change routine.
7. Trace user system access via a combination of system logs and Google Analytics.
8. Secure (encrypt) the audit trails and system generated logs and ensure that they are stored in locations that are inaccessible to automated content discovery software.
9. Conduct or undergo system level testing whenever new functionalities are added to the system to reconfirm system security measures are retained and functional, and that interaction with the Board systems is not degraded or compromised.
10. Employ an in-line intrusion protection system that inspects incoming data transmissions.
11. Prevention of hostile or unauthorized intrusion.
12. Backup of all Personally Identifiable Confidential Information at least once every twenty-four (24) hours. Perform content snapshots at least daily and retain for at least ninety (90) days.
9. Confidential Information shall be stored, backed up, and served only on servers located in the continental United States. Vendor’s network where Confidential Information may be stored shall have an in-line intrusion prevention system that inspects incoming data transmissions. Vendor shall have a documented disaster recovery covered plan for the electronic systems where Confidential Information may be stored. Data stored in cloud-based systems must be protected in the same manner as local data as described throughout the Contract.
Samples: Software Services Agreement
HANDLING OF CONFIDENTIAL INFORMATION. Vendor shall protect against the unauthorized access, use, or disclosure of Confidential Information by employing security measures when handling Confidential Information that are no less protective as those used to protect Vendor’s own confidential information and at least as secure as the following. When handling Confidential Information, which may include but is not limited to Student Data, Vendor shall:
A. When mailing physical copies of Confidential Information, send the Confidential Information in a tamper-proof, labeled container, with a tracking number and a delivery confirmation receipt. Vendor shall not send with encrypted Confidential Information, via mail or electronically, any password or other information sufficient to allow decryption.
B. Not store any Confidential Information on portable or removable electronic media, such as CDs, DVDs, electronic tape, flash drives, etc.;
C. Not leave Confidential Information in any medium unsecured and unattended at any time.
D. Keep all physical copies (paper, portable or removable electronic media, or other physical representations) of Confidential Information under lock and key, or otherwise have sufficient physical access control measures to prevent unauthorized access.
E. Password protect any laptop or other electronic device that contains Confidential Information. Additionally, any laptop or other electronic device that contains Confidential Information shall have its full hard drive encrypted with an encryption key of no less than 256 bits. Vendor shall not leave any laptop or other electronic device unattended without enabling a screen-lock or otherwise blocking access to the laptop or other electronic device. Vendor shall ensure that no password or other information sufficient to access a laptop or electronic device containing Confidential Information is attached to or located near the laptop or other electronic device at any time.
F. Secure the Confidential Information stored on its systems, including but not limited to any servers, by employing adequate security measures to prevent unauthorized access to, disclosure and use of that information. These measures include appropriate administrative, physical, and technical safeguards, policies, procedures, and technical elements relating to data access controls. All Confidential Information must be secured in transit using secure FTP services or https/TLS 1.0+. Vendor must maintain industry recognized security practices to establish secure application(s), network, and infrastructure architectures.
G. Ensure that the manner in which Confidential Information is collected, accessed, used, stored, processed, disposed of and disclosed within Vendor’s Products, Services and supporting enterprise complies with applicable data protection and privacy laws, as well as the terms and conditions of the Agreement.
H. Conduct periodic risk assessments and remediate any identified security vulnerabilities in a timely manner. Vendor will also have a written incident response plan, to include prompt notification of the Board in the event of a security or privacy incident, as well as best practices for responding to a breach of Confidential Information security practices. Vendor agrees to share its incident response plan upon request.
ix. Assure that its systems, Products and Services include at least the following safeguards:
1. Include component and system level fault tolerance and redundancy in system design.
2. Encrypt user passwords in any data storage location and obfuscate password entry fields in any entry interface controlled by the discloser.
3. Encrypt Confidential Information at-rest and in-transit.
4. Authentication of users at login with a 256-bit or higher encryption algorithm.
5. Secure transmission of login credentials.
6. Automatic password change routine.
7. Trace user system access via a combination of system logs and Google Analytics.
8. Secure (encrypt) the audit trails and system generated logs and ensure that they are stored in locations that are inaccessible to automated content discovery software.
9. Conduct or undergo system level testing whenever new functionalities are added to the system to reconfirm system security measures are retained and functional, and that interaction with the Board systems is not degraded or compromised.
10. Employ an in-line intrusion protection system that inspects incoming data transmissions.
11. Prevention of hostile or unauthorized intrusion.
12. Backup of all Confidential Information at least once every twenty-four (24) hours. Perform content snapshots at least daily and retain for at least ninety (90) days.
x. Confidential Information shall be stored, backed up, and served only on servers located in the continental United States. Provider’s network where Confidential Information may be stored shall have an in-line intrusion prevention system that inspects incoming data transmissions. Provider shall have a documented disaster recovery plan for the electronic systems where Confidential Information may be stored. Data stored in cloud-based systems must be protected in the same manner as local data as described throughout the Agreement.
Samples: Services Agreement
HANDLING OF CONFIDENTIAL INFORMATION. Provider shall protect against the unauthorized access, use or disclosure of Confidential Information by employing security measures that are no less protective as those used to protect Provider’s own confidential information. When handling Confidential Information, which may include but is not limited to student data, Provider shall:
A. When mailing physical copies of Confidential Information, send the Confidential Information in a tamper-proof, labeled container, with a tracking number and a delivery confirmation receipt;
B. Not store any Confidential Information on portable or removable electronic media, such as CDs, DVDs, electronic tape, flash drives, etc.;
C. Not leave Confidential Information in any medium unsecured and unattended at any time;
D. Keep all physical copies (paper, portable or removable electronic media, or other physical representations) of Confidential Information under lock and key, or otherwise have sufficient physical access control measures to prevent unauthorized access;
E. Password protect any laptop or other electronic device that contains Confidential Information. Additionally, any laptop or other electronic device that contains Confidential Information shall have its full hard drive encrypted with an encryption key of no less than 256 bits. Provider shall not leave any laptop or other electronic device unattended without enabling a screen-lock or otherwise blocking access to the laptop or other electronic device. Provider shall ensure that no password or other information sufficient to access a laptop or electronic device containing Confidential Information is attached to or located near the laptop or other electronic device at any time.
F. Secure the Confidential Information stored on its systems, including but not limited to any servers, by employing adequate security measures to prevent unauthorized access, disclosure and use of that information. These measures include appropriate administrative, physical, and technical safeguards, policies and procedures relating to data access controls. All Confidential Information must be secured in transit using secure FTP services or https/TLS 1.0+. Provider must maintain industry recognized security practices to establish secure application(s), network, and infrastructure architectures.
G. Ensure that the manner in which Confidential Information is collected, accessed, used, stored, processed, disposed of and disclosed within Provider’s Products, Services, and supporting enterprise complies with applicable data protection and privacy laws, as well as the terms and conditions of this Agreement.
H. Conduct periodic risk assessments and remediate any identified security vulnerabilities in a timely manner. Provider will also have a written incident response plan, to include prompt notification of the Board in the event of a security or privacy incident, as well as best practices for responding to a breach of Confidential Information security practices. Provider agrees to share its incident response plan upon request.
I. Ensure that its systems and Services include at least the following safeguards:
1. Include component and system level fault tolerance and redundancy in system design.
2. Encrypt user passwords in any data storage location and obfuscate password entry fields in any entry interface controlled by the discloser.
3. Encrypt Confidential Information at-rest and in-transit.
4. Authentication of users at login with a 256-bit or higher encryption algorithm.
5. Secure transmission of login credentials.
6. Automatic password change routine.
7. Trace user system access via a combination of system logs and Google Analytics.
8. Secure (encrypt) the audit trails and system generated logs and ensure that they are stored in locations that are inaccessible to automated content discovery software.
9. Conduct or undergo system level testing whenever new functionalities are added to the system to reconfirm system security measures are retained and functional, and that interaction with the Board systems is not degraded or compromised.
10. Employ an in-line intrusion protection system that inspects incoming data transmissions.
11. Prevention of hostile or unauthorized intrusion.
12. Backup of all Confidential Information at least once every twenty-four (24) hours. Perform content snapshots at least daily and retain for at least ninety (90) days.
J. Confidential Information shall be stored, backed up, and served only on servers located in the continental United States. Provider’s network where Confidential Information may be stored shall have an in-line intrusion prevention system that inspects incoming data transmissions. Provider shall have a documented disaster recovery plan for the electronic systems where Confidential Information may be stored. Data stored in cloud-based systems must be protected in the same manner as local data as described throughout the Agreement.
Samples: Safe Passage Services Agreement
HANDLING OF CONFIDENTIAL INFORMATION. Vendor shall protect against the unauthorized access, use or disclosure of Confidential Information by employing security measures when handling Confidential Information that are no less protective as those used to protect Vendor’s own confidential information and at least as secure as the following. When handling Confidential Information, which may include but is not limited to Student Data, Vendor shall:
A. When mailing physical copies of Confidential Information, send the Confidential Information in a tamper-proof, labeled container, with a tracking number and a delivery confirmation receipt. Vendor shall not send with encrypted Confidential Information, via mail or electronically, any password or other information sufficient to allow decryption.
B. Not store any Confidential Information on portable or removable electronic media, such as CDs, DVDs, electronic tape, flash drives, etc.;
C. Not leave Confidential Information in any medium unsecured and unattended at any time.
D. Keep all physical copies (paper, portable or removable electronic media, or other physical representations) of Confidential Information under lock and key, or otherwise have sufficient physical access control measures to prevent unauthorized access.
E. Password protect any laptop or other electronic device that contains Confidential Information. Additionally, any laptop or other electronic device that contains Confidential Information shall have its full hard drive encrypted with an encryption key of no less than 256 bits. Vendor shall not leave any laptop or other electronic device unattended without enabling a screen-lock or otherwise blocking access to the laptop or other electronic device. Vendor shall ensure that no password or other information sufficient to access a laptop or electronic device containing Confidential Information is attached to or located near the laptop or other electronic device at any time.
F. Secure the Confidential Information stored on its systems, including but not limited to any servers, by employing adequate security measures to prevent unauthorized access to, disclosure and use of that information. These measures include appropriate administrative, physical, and technical safeguards, policies, procedures, and technical elements relating to data access controls. All Confidential Information must be secured in transit using secure FTP services or https/TLS 1.0+. Vendor must maintain industry recognized security practices to establish secure application(s), network, and infrastructure architectures.
G. Ensure that the manner in which Confidential Information is collected, accessed, used, stored, processed, disposed of and disclosed within Vendor’s Products, Services and supporting enterprise complies with applicable data protection and privacy laws, as well as the terms and conditions of the Agreement.
H. Conduct periodic risk assessments and remediate any identified security vulnerabilities in a timely manner. Vendor will also have a written incident response plan, to include prompt notification of the Board in the event of a security or privacy incident, as well as best practices for responding to a breach of Confidential Information security practices. Vendor agrees to share its incident response plan upon request.
I. Assure that its systems, Products and Services include at least the following safeguards:
1. Include component and system level fault tolerance and redundancy in system design.
2. Encrypt user passwords in any data storage location and obfuscate password entry fields in any entry interface controlled by the discloser.
3. Encrypt Confidential Information at rest and in transit.
4. Authentication of users at logins with a 256-bit or higher encryption algorithm.
5. Secure transmission of login credentials.
6. Automatic password change routine.
7. Trace user system access via a combination of system logs and Google Analytics.
8. Secure (encrypt) the audit trails and system generated logs and ensure that they are stored in locations that are inaccessible to automated content discovery software.
9. Conduct or undergo system level testing whenever new functionalities are added to the system to reconfirm system security measures are retained and functional, and that interaction with the Board systems is not degraded or compromised.
10. Employ an in-line intrusion prevention system that inspects incoming data transmissions.
11. Prevention of hostile and unauthorized intrusion.
12. Backup of all Confidential Information at least once every twenty-four (24) hours. Perform content snapshots at least daily and retain for at least ninety (90) days.
J. Confidential Information shall be stored, backed up, and served only on servers located in the continental United States. Vendor’s network where Confidential Information may be stored shall have an in-line intrusion prevention system that inspects incoming data transmissions. Vendor shall have a documented disaster recovery plan for the electronic systems where Confidential Information may be stored. Data stored in cloud-based systems must be protected in the same manner as local data as described throughout this Agreement.
Samples: Product and Services Agreement
HANDLING OF CONFIDENTIAL INFORMATION. Vendor shall protect against the unauthorized access, use or disclosure of Confidential Information by employing security measures when handling Confidential Information that are no less protective as those used to protect Vendor’s own confidential information and at least as secure as the following. When handling Confidential Information, which may include but is not limited to Student Data, Vendor shall:
i. When mailing physical copies of Confidential Information, send the Confidential Information in a tamper-proof, labeled container, with a tracking number and a delivery confirmation receipt. Vendor shall not send with encrypted Confidential Information, via mail or electronically, any password or other information sufficient to allow decryption.
ii. Not store any Confidential Information on portable or removable electronic media, such as CDs, DVDs, electronic tape, flash drives, etc.;
iii. Not leave Confidential Information in any medium unsecured and unattended at any time.
iv. Keep all physical copies (paper, portable or removable electronic media, or other physical representations) of Confidential Information under lock and key, or otherwise have sufficient physical access control measures to prevent unauthorized access.
v. Password protect any laptop or other electronic device that contains Confidential Information. Additionally, any laptop or other electronic device that contains Confidential Information shall have its full hard drive encrypted with an encryption key of no less than 256 bits. Vendor shall not leave any laptop or other electronic device unattended without enabling a screen-lock or otherwise blocking access to the laptop or other electronic device. Vendor shall ensure that no password or other information sufficient to access a laptop or electronic device containing Confidential Information is attached to or located near the laptop or other electronic device at any time.
vi. Secure the Confidential Information stored on its systems, including but not limited to any servers, by employing adequate security measures to prevent unauthorized access to, disclosure and use of that information. These measures include appropriate administrative, physical, and technical safeguards, policies, procedures, and technical elements relating to data access controls. All Confidential Information must be secured in transit using secure FTP services or https/TLS 1.0+. Vendor must maintain industry recognized security practices to establish secure application(s), network, and infrastructure architectures.
vii. Ensure that the manner in which Confidential Information is collected, accessed, used, stored, processed, disposed of and disclosed within Vendor’s Products, Services and supporting enterprise complies with applicable data protection and privacy laws, as well as the terms and conditions of the Agreement.
viii. Conduct periodic risk assessments and remediate any identified security vulnerabilities in a timely manner. Vendor will also have a written incident response plan, to include prompt notification of the Board in the event of a security or privacy incident, as well as best practices for responding to a breach of Confidential Information security practices. Vendor agrees to share its incident response plan for a specific incident upon request.
ix. Assure that its systems, Products and Services include at least the following safeguards:
a. Include component and system level fault tolerance and redundancy in system design.
b. Encrypt user passwords in any data storage location and obfuscate password entry fields in any entry interface controlled by the discloser.
c. Encrypt Confidential Information at rest and in transit.
d. Authentication of users at logins with a 256-bit or higher encryption algorithm.
e. Secure transmission of login credentials.
f. Automatic password change routine.
g. Trace user system access via a combination of system logs and Google Analytics.
h. Secure (encrypt) the audit trails and system generated logs and ensure that they are stored in locations that are inaccessible to automated content discovery software.
i. Conduct or undergo system level testing whenever new functionalities are added to the system to reconfirm system security measures are retained and functional, and that interaction with the Board systems is not degraded or compromised.
j. Employ an in-line intrusion prevention system that inspects incoming data transmissions.
k. Prevention of hostile and unauthorized intrusion.
l. Backup of all Confidential Information at least once every twenty-four (24) hours.
m. Perform content snapshots at least daily and retain for at least ninety (90) days.
x. Confidential Information shall be stored, backed up, and served only on servers located in the continental United States. Vendor’s network where Confidential Information may be stored shall have an in-line intrusion prevention system that inspects incoming data transmissions. Vendor shall have a documented disaster recovery plan for the electronic systems where Confidential Information may be stored. Data stored in cloud-based systems must be protected in the same manner as local data as described throughout the Agreement.
Samples: Custodial Services Agreement
HANDLING OF CONFIDENTIAL INFORMATION. Provider shall protect against the unauthorized access, use or disclosure of Confidential Information by employing security measures that are no less protective as those used to protect Provider’s own confidential information. When handling Confidential Information, which may include but is not limited to student data, Provider shall:
A. When mailing physical copies of Confidential Information, send the Confidential Information in a tamper-proof, labeled container, with a tracking number and a delivery confirmation receipt;
B. Not store any Confidential Information on portable or removable electronic media, such as CDs, DVDs, electronic tape, flash drives, etc.;
C. Not leave Confidential Information in any medium unsecured and unattended at any time;
D. Keep all physical copies (paper, portable or removable electronic media, or other physical representations) of Confidential Information under lock and key, or otherwise have sufficient physical access control measures to prevent unauthorized access;
E. Password protect any laptop or other electronic device that contains Confidential Information. Additionally, any laptop or other electronic device that contains Confidential Information shall have its full hard drive encrypted with an encryption key of no less than 256 bits. Provider shall not leave any laptop or other electronic device unattended without enabling a screen-lock or otherwise blocking access to the laptop or other electronic device. Provider shall ensure that no password or other information sufficient to access a laptop or electronic device containing Confidential Information is attached to or located near the laptop or other electronic device at any time.
F. Secure the Confidential Information stored on its systems, including but not limited to any servers, by employing adequate security measures to prevent unauthorized access, disclosure and use of that information. These measures include appropriate administrative, physical, and technical safeguards, policies and procedures relating to data access controls. All Confidential Information must be secured in transit using secure FTP services or https/TLS 1.0+. Provider must maintain industry recognized security practices to establish secure application(s), network, and infrastructure architectures.
G. Ensure that the manner in which Confidential Information is collected, accessed, used, stored, processed, disposed of and disclosed within Provider’s Products, Services, and supporting enterprise complies with applicable data protection and privacy laws, as well as the terms and conditions of this Agreement.
H. Conduct periodic risk assessments and remediate any identified security vulnerabilities in a timely manner. Provider will also have a written incident response plan, to include prompt notification of the Board in the event of a security or privacy incident, as well as best practices for responding to a breach of Confidential Information security practices. Provider agrees to share its incident response plan upon request.
I. Ensure that its systems and Services include at least the following safeguards:
1. Include component and system level fault tolerance and redundancy in system design.
2. Encrypt user passwords in any data storage location and obfuscate password entry fields in any entry interface controlled by the discloser.
3. Encrypt Confidential Information at-rest and in-transit.
4. Authentication of users at login with a 256-bit or higher encryption algorithm.
5. Secure transmission of login credentials.
6. Automatic password change routine.
7. Trace user system access via a combination of system logs and Google Analytics.
8. Secure (encrypt) the audit trails and system generated logs and ensure that they are stored in locations that are inaccessible to automated content discovery software.
9. Conduct or undergo system level testing whenever new functionalities are added to the system to reconfirm system security measures are retained and functional, and that interaction with the Board systems is not degraded or compromised.
10. Employ an in-line intrusion protection system that inspects incoming data transmissions.
11. Prevention of hostile or unauthorized intrusion.
12. Backup of all Confidential Information at least once every twenty-four (24) hours. Perform content snapshots at least daily and retain for at least ninety (90) days.
J. Confidential Information shall be stored, backed up, and served only on servers located in the continental United States. Provider’s network where Confidential Information may be stored shall have an in-line intrusion prevention system that inspects incoming data transmissions. Provider shall have a documented disaster recovery plan for the electronic systems where Confidential Information may be stored. Data stored in cloud-based systems must be protected in the same manner as local data as described throughout the Agreement.
Samples: Safe Passage Services Agreement
HANDLING OF CONFIDENTIAL INFORMATION. Vendor shall protect against the unauthorized access, use or disclosure of Confidential Information by employing security measures when handling Confidential Information that are no less protective as those used to protect Vendor’s own confidential information and at least as secure as the following. When handling Confidential Information, which may include but is not limited to Student Data, Vendor shall:
1. When mailing physical copies of Confidential Information, send the Confidential Information in a tamper-proof, labeled container, with a tracking number and a delivery confirmation receipt. Vendor shall not send with encrypted Confidential Information, via mail or electronically, any password or other information sufficient to allow decryption.
2. Not store any Confidential Information on portable or removable electronic media, such as CDs, DVDs, electronic tape, flash drives, etc.;
3. Not leave Confidential Information in any medium unsecured and unattended at any time.
4. Keep all physical copies (paper, portable or removable electronic media, or other physical representations) of Confidential Information under lock and key, or otherwise have sufficient physical access control measures to prevent unauthorized access.
5. Password protect any laptop or other electronic device that contains Confidential Information. Additionally, any laptop or other electronic device that contains Confidential Information shall have its full hard drive encrypted with an encryption key of no less than 256 bits. Vendor shall not leave any laptop or other electronic device unattended without enabling a screen-lock or otherwise blocking access to the laptop or other electronic device. Vendor shall ensure that no password or other information sufficient to access a laptop or electronic device containing Confidential Information is attached to or located near the laptop or other electronic device at any time.
6. Secure the Confidential Information stored on its systems, including but not limited to any servers, by employing adequate security measures to prevent unauthorized access to, disclosure and use of that information. These measures include appropriate administrative, physical, and technical safeguards, policies, procedures, and technical elements relating to data access controls. All Confidential Information must be secured in transit using secure FTP services or https/TLS 1.0+. Vendor must maintain industry recognized security practices to establish secure application(s), network, and infrastructure architectures.
7. Ensure that the manner in which Confidential Information is collected, accessed, used, stored, processed, disposed of and disclosed within Vendor’s Products, Services and supporting enterprise complies with applicable data protection and privacy laws, as well as the terms and conditions of the Agreement.
8. Conduct periodic risk assessments and remediate any identified security vulnerabilities in a timely manner. Vendor will also have a written incident response plan, to include prompt notification of the Board in the event of a security or privacy incident, as well as best practices for responding to a breach of Confidential Information security practices. Vendor agrees to share its incident response plan upon request.
9. Assure that its systems, Products and Services include at least the following safeguards:
a. Include component and system level fault tolerance and redundancy in system design.
b. Encrypt user passwords in any data storage location and obfuscate password entry fields in any entry interface controlled by the discloser.
c. Encrypt Confidential Information at rest and in transit.
d. Authentication of users at logins with a 256-bit or higher encryption algorithm.
e. Secure transmission of login credentials.
f. Automatic password change routine.
g. Trace user system access via a combination of system logs and Google Analytics.
h. Secure (encrypt) the audit trails and system generated logs and ensure that they are stored in locations that are inaccessible to automated content discovery software.
i. Conduct or undergo system level testing whenever new functionalities are added to the system to reconfirm system security measures are retained and functional, and that interaction with the Board systems is not degraded or compromised.
j. Employ an in-line intrusion prevention system that inspects incoming data transmissions.
k. Prevention of hostile and unauthorized intrusion.
l. Backup of all Confidential Information at least once every twenty-four (24) hours. Perform content snapshots at least daily and retain for at least ninety (90) days.
10. Confidential Information shall be stored, backed up, and served only on servers located in the continental United States. Vendor’s network where Confidential Information may be stored shall have an in-line intrusion prevention system that inspects incoming data transmissions. Vendor shall have a documented disaster recovery plan for the electronic systems where Confidential Information may be stored. Data stored in cloud-based systems must be protected in the same manner as local data as described throughout this Agreement.
Appears in 1 contract
HANDLING OF CONFIDENTIAL INFORMATION. Vendor shall protect against the unauthorized access, use or disclosure of Confidential Information by employing security measures that are no less protective as those used to protect Vendor’s own confidential information. When handling Confidential Information, which may include but is not limited to Student Data, Vendor shall:
(a) When mailing physical copies of Confidential Information, send the Confidential Information in a tamper-proof, labeled container, with a tracking number and a delivery confirmation receipt;
(b) Not store any Confidential Information on portable or removable electronic media, such as CDs, DVDs, electronic tape, flash drives, etc.;
(c) Not leave Confidential Information in any medium unsecured and unattended at any time;
(d) Keep all physical copies (paper, portable or removable electronic media, or other physical representations) of Confidential Information under lock and key, or otherwise have sufficient physical access control measures to prevent unauthorized access;
(e) Password protect any laptop or other electronic device that contains Confidential Information. Additionally, any laptop or other electronic device that contains Confidential Information shall have its full hard drive encrypted with an encryption key of no less than 256 bits. Vendor shall not leave any laptop or other electronic device unattended without enabling a screen-lock or otherwise blocking access to the laptop or other electronic device. Vendor shall ensure that no password or other information sufficient to access a laptop or electronic device containing Confidential Information is attached to or located near the laptop or other electronic device at any time.
(f) Secure the Confidential Information stored on its systems, including but not limited to any servers, by employing adequate security measures to prevent unauthorized access, disclosure and use of that information. These measures include appropriate administrative, physical, and technical safeguards, policies and procedures relating to data access controls. All Confidential Information must be secured in transit using secure FTP services or https/TLS 1.0+. Vendor must maintain industry recognized security practices to establish secure application(s), network, and infrastructure architectures.
(g) Ensure that the manner in which Confidential Information is collected, accessed, used, stored, processed, disposed of and disclosed within Vendor’s Products, Services, and supporting enterprise complies with applicable data protection and privacy laws, as well as the terms and conditions of this Agreement.
(h) Conduct periodic risk assessments and remediate any identified security vulnerabilities in a timely manner. Vendor will also have a written incident response plan, to include prompt notification of the Board in the event of a security or privacy incident, as well as best practices for responding to a breach of Confidential Information security practices. Vendor agrees to share its incident response plan upon request.
(i) Assure that its systems, Products and Services include at least the following safeguards:
(1) Include component and system level fault tolerance and redundancy in system design.
(2) Encrypt user passwords in any data storage location and obfuscate password entry fields in any entry interface controlled by the discloser.
(3) Encrypt Confidential Information at-rest and in-transit.
(4) Authentication of users at login with a 256-bit or higher encryption algorithm.
(5) Secure transmission of login credentials.
(6) Automatic password change routine.
(7) Trace user system access via a combination of system logs and Google Analytics.
(8) Secure (encrypt) the audit trails and system generated logs and ensure that they are stored in locations that are inaccessible to automated content discovery software.
(9) Conduct or undergo system level testing whenever new functionalities are added to the system to reconfirm system security measures are retained and functional, and that interaction with the Board systems is not degraded or compromised.
(10) Employ an in-line intrusion protection system that inspects incoming data transmissions.
(11) Prevention of hostile or unauthorized intrusion.
(12) Backup of all Confidential Information at least once every twenty-four (24) hours. Perform content snapshots at least daily and retain for at least ninety (90) days.
(j) Confidential Information shall be stored, backed up, and served only on servers located in the continental United States. Vendor’s network where Confidential Information may be stored shall have an in-line intrusion prevention system that inspects incoming data transmissions. Vendor shall have a documented disaster recovery plan for the electronic systems where Confidential Information may be stored. Data stored in cloud-based systems must be protected in the same manner as local data as described throughout the Agreement.
Appears in 1 contract
Samples: Software and Services Agreement
HANDLING OF CONFIDENTIAL INFORMATION. Provider shall protect against the unauthorized access, use or disclosure of Confidential Information by employing security measures that are no less protective as those used to protect Provider’s own confidential information. When handling Confidential Information which may include, but is not limited to Student Data, Provider shall:
A. When mailing physical copies of Confidential Information, send the Confidential Information in a tamper-proof, labeled container, with a tracking number and a delivery confirmation receipt;
B. Not store any Confidential Information on portable or removable electronic media, such as CDs, DVDs, electronic tape, flash drives, etc.;
C. Not leave Confidential Information in any medium unsecured and unattended at any time;
D. Keep all physical copies (paper, portable or removable electronic media, or other physical representations) of Confidential Information under lock and key, or otherwise have sufficient physical access control measures to prevent unauthorized access;
E. Password protect any laptop or other electronic device that contains Confidential Information. Additionally, any laptop or other electronic device that contains Confidential Information shall have its full hard drive encrypted with an encryption key of no less than 256 bits. Provider shall not leave any laptop or other electronic device unattended without enabling a screen-lock or otherwise blocking access to the laptop or other electronic device. Provider shall ensure that no password or other information sufficient to access a laptop or electronic device containing Confidential Information is attached to or located near the laptop or other electronic device at any time;
F. Secure the Confidential Information stored on its systems, including but not limited to any servers, by employing adequate security measures to prevent unauthorized access to, disclosure and use of that information. These measures include appropriate administrative, physical, and technical safeguards, policies, procedures, and technical elements relating to data access controls. All Confidential Information must be secured in transit using secure FTP services or https/TLS 1.0+. Provider must maintain industry recognized security practices to establish secure application(s), network, and infrastructure architectures;
G. Ensure that the manner in which Confidential Information is collected, accessed, used, stored, processed, disposed of and disclosed within Provider’s Products, Services and supporting enterprise complies with applicable data protection and privacy laws, as well as the terms and conditions of the Agreement;
H. Conduct periodic risk assessments and remediate any identified security vulnerabilities in a timely manner. Provider will also have a written incident response plan, to include prompt notification of the Board in the event of a security or privacy incident, as well as best practices for responding to a breach of Confidential Information security practices. Provider agrees to share its incident response plan upon request;
I. Ensure that its systems and Services include at least the following safeguards, where applicable:
1. Include component and system level fault tolerance and redundancy in system design;
2. Encrypt user passwords in any data storage location and obfuscate password entry fields in any entry interface controlled by the Provider;
3. Encrypt Confidential Information at rest and in transit;
4. Authentication of users at logins with a 256-bit or higher encryption algorithm;
5. Secure transmissions of login credentials;
6. Automatic password change routine;
7. Trace user system access via a combination of system logs and Google Analytics;
8. Secure (encrypt) the audit trails and system generated logs and ensure that they are stored in locations that are inaccessible to automated content discovery software;
9. Conduct or undergo system level testing whenever new functionalities are added to the system to reconfirm system security measures are retained and functional, and that interaction with the Board systems is not degraded or compromised;
10. Employ an in-line intrusion prevention system that inspects incoming data transmissions;
11. Prevention of hostile and unauthorized intrusion; and
12. Backup of all Confidential Information at least once every twenty-four (24) hours. Perform content snapshots at least daily and retain for at least ninety (90) days.
J. Confidential Information shall be stored, backed up, and served only on servers located in the continental United States. Provider’s network where Confidential Information may be stored shall have an in-line intrusion prevention system that inspects incoming data transmissions. Provider shall have a documented disaster recovery covered plan for the electronic systems where Confidential Information may be stored. Data stored in cloud-based systems must be protected in the same manner as local data as described throughout the Agreement. Also, the prior approval of the Board’s ITS Program Manager or designee for any hosting solution may be required.
Appears in 1 contract
Samples: Products and Services Agreement
HANDLING OF CONFIDENTIAL INFORMATION. Vendor shall protect against the unauthorized access, use or disclosure of Confidential Information by employing security measures when handling Confidential Information that are no less protective as those used to protect Vendor’s own confidential information. When handling Confidential Information, which may include but is not limited to Student Data, Vendor shall:
A. When mailing physical copies of Confidential Information, send the Confidential Information in a tamper-proof, labeled container, with a tracking number and a delivery confirmation receipt. Vendor shall not send with encrypted Confidential Information, via mail or electronically, any password or other information sufficient to allow decryption.
B. Not store any Confidential Information on portable or removable electronic media, such as CDs, DVDs, electronic tape, flash drives, etc.;
C. Not leave Confidential Information in any medium unsecured and unattended at any time.
D. Keep all physical copies (paper, portable or removable electronic media, or other physical representations) of Confidential Information under lock and key, or otherwise have sufficient physical access control measures to prevent unauthorized access.
E. Password protect any laptop or other electronic device that contains Confidential Information. Additionally, any laptop or other electronic device that contains Confidential Information shall have its full hard drive encrypted with an encryption key of no less than 256 bits. Vendor shall not leave any laptop or other electronic device unattended without enabling a screen-lock or otherwise blocking access to the laptop or other electronic device. Vendor shall ensure that no password or other information sufficient to access a laptop or electronic device containing Confidential Information is attached to or located near the laptop or other electronic device at any time.
F. Secure the Confidential Information stored on its systems, including but not limited to any servers, by employing adequate security measures to prevent unauthorized access to, disclosure and use of that information. These measures include appropriate administrative, physical, and technical safeguards, policies, procedures, and technical elements relating to data access controls. All Confidential Information must be secured in transit using secure FTP services or https/TLS 1.0+. Vendor must maintain industry recognized security practices to establish secure application(s), network, and infrastructure architectures.
G. Ensure that the manner in which Confidential Information is collected, accessed, used, stored, processed, disposed of and disclosed within Vendor’s Products, Services, and supporting enterprise IT environment complies with applicable data protection and privacy laws, as well as the terms and conditions of the Contract.
H. Conduct periodic risk assessments and remediate any identified security vulnerabilities in a timely manner. Vendor will also have a written incident response plan, to include prompt notification of the Board in the event of a security or privacy incident involving the Board’s Confidential Information, as well as policies for responding to a breach of Confidential Information security. Vendor agrees to share an overview of its information security plan upon request.
ix. Assure that its systems, Products and Services include at least the following safeguards:
1. Include component and system level fault tolerance and redundancy in system design.
2. Encrypt user passwords in any data storage location and obfuscate password entry fields in any entry interface controlled by the discloser.
3. Encrypt Confidential Information at-rest and in-transit.
4. Authentication of users at login with a 256-bit or higher encryption algorithm.
5. Secure transmission of login credentials.
6. Automatic password change routine.
7. Trace user system access via a combination of system logs and Google Analytics.
8. Secure (encrypt) the audit trails and system generated logs and ensure that they are stored in locations that are inaccessible to automated content discovery software.
9. Conduct or undergo system level testing whenever new functionalities are added to the system to reconfirm system security measures are retained and functional, and that interaction with the Board systems is not degraded or compromised.
10. Employ an in-line intrusion protection system that inspects incoming data transmissions.
11. Prevention of hostile or unauthorized intrusion.
12. Backup of all Confidential Information at least once every twenty-four (24) hours. Perform content snapshots at least daily and retain for at least ninety (90) days.
x. Confidential Information shall be stored, backed up, and served only on servers located in the continental United States. Provider’s network where Confidential Information may be stored shall have an in-line intrusion prevention system that inspects incoming data transmissions. Provider shall have a documented disaster recovery plan for the electronic systems where Confidential Information may be stored. Data stored in cloud-based systems must be protected in the same manner as local data as described throughout the Agreement.
Appears in 1 contract
HANDLING OF CONFIDENTIAL INFORMATION. Provider shall protect against the unauthorized access, use or disclosure of Confidential Information by employing security measures that are no less protective as those used to protect Provider's own confidential information. When handling Confidential Information, which may include but is not limited to Student Data, Provider shall:
i. When mailing physical copies of Confidential Information, send the Confidential Information in a tamper-proof, labeled container, with a tracking number and a delivery confirmation receipt;
ii. Not store any Confidential Information on portable or removable electronic media, such as CDs, DVDs, electronic tape, flash drives, etc.;
iii. Not leave Confidential Information in any medium unsecured and unattended at any time;
iv. Keep all physical copies (paper, portable or removable electronic media, or other physical representations) of Confidential Information under lock and key, or otherwise have sufficient physical access control measures to prevent unauthorized access;
v. Password protect any laptop or other electronic device that contains Confidential Information. Additionally, any laptop or other electronic device that contains Confidential Information shall have its full hard drive encrypted with an encryption key of no less than 256 bits. Provider shall not leave any laptop or other electronic device unattended without enabling a screen-lock or otherwise blocking access to the laptop or other electronic device. Provider shall ensure that no password or other information sufficient to access a laptop or electronic device containing Confidential Information is attached to or located near the laptop or other electronic device at any time.
vi. Secure the Confidential Information stored on its systems, including but not limited to any servers, by employing adequate security measures to prevent unauthorized access, disclosure and use of that information. These measures include appropriate administrative, physical, and technical safeguards, policies and procedures relating to data access controls. All Confidential Information must be secured in transit using secure FTP services or https/TLS 1.0+. Provider must maintain industry recognized security practices to establish secure application(s), network, and infrastructure architectures.
vii. Ensure that the manner in which Confidential Information is collected, accessed, used, stored, processed, disposed of and disclosed within Provider's Products, Services, and supporting enterprise complies with applicable data protection and privacy laws, as well as the terms and conditions of this Agreement.
viii. Conduct periodic risk assessments and remediate any identified security vulnerabilities in a timely manner. Provider will also have a written incident response plan, to include prompt notification of the Board in the event of a security or privacy incident, as well as best practices for responding to a breach of Confidential Information security practices. Provider agrees to share its incident response plan upon request.
ix. Assure that its systems, Products and Services include at least the following safeguards:
1. Include component and system level fault tolerance and redundancy in system design.
2. Encrypt user passwords in any data storage location and obfuscate password entry fields in any entry interface controlled by the discloser.
3. Encrypt Confidential Information at-rest and in-transit.
4. Authentication of users at login with a 256-bit or higher encryption algorithm.
5. Secure transmission of login credentials.
6. Automatic password change routine.
7. Trace user system access via a combination of system logs and Google Analytics.
8. Secure (encrypt) the audit trails and system generated logs and ensure that they are stored in locations that are inaccessible to automated content discovery software.
9. Conduct or undergo system level testing whenever new functionalities are added to the system to reconfirm system security measures are retained and functional, and that interaction with the Board systems is not degraded or compromised.
10. Employ an in-line intrusion protection system that inspects incoming data transmissions.
11. Prevention of hostile or unauthorized intrusion.
12. Backup of all Confidential Information at least once every twenty-four (24) hours. Perform content snapshots at least daily and retain for at least sixty (60) days.
x. Confidential Information shall be stored, backed up, and served only on servers located in the continental United States. Provider's network where Confidential Information may be stored shall have an in-line intrusion prevention system that inspects incoming data transmissions. Provider shall have a documented disaster recovery plan for the electronic systems where Confidential Information may be stored. Data stored in cloud-based systems must be protected in the same manner as local data as described throughout the Agreement.
Appears in 1 contract
HANDLING OF CONFIDENTIAL INFORMATION. Vendor shall protect against the unauthorized access, use, or disclosure of Confidential Information by employing security measures when handling Confidential Information that are no less protective as those used to protect Vendor’s own confidential information and at least as secure as the following. When handling Confidential Information, which may include but is not limited to Student Data, Vendor shall:
A. When mailing physical copies of Confidential Information, send the Confidential Information in a tamper-proof, labeled container, with a tracking number and a delivery confirmation receipt. Vendor shall not send with encrypted Confidential Information, via mail or electronically, any password or other information sufficient to allow decryption.
B. Not store any Confidential Information on portable or removable electronic media, such as CDs, DVDs, electronic tape, flash drives, etc.;
C. Not leave Confidential Information in any medium unsecured and unattended at any time.
D. Keep all physical copies (paper, portable or removable electronic media, or other physical representations) of Confidential Information under lock and key, or otherwise have sufficient physical access control measures to prevent unauthorized access.
E. Password protect any laptop or other electronic device that contains Confidential Information. Additionally, any laptop or other electronic device that contains Confidential Information shall have its full hard drive encrypted with an encryption key of no less than 256 bits. Vendor shall not leave any laptop or other electronic device unattended without enabling a screen-lock or otherwise blocking access to the laptop or other electronic device. Vendor shall ensure that no password or other information sufficient to access a laptop or electronic device containing Confidential Information is attached to or located near the laptop or other electronic device at any time.
F. Secure the Confidential Information stored on its systems, including but not limited to any servers, by employing adequate security measures to prevent unauthorized access to, disclosure and use of that information. These measures include appropriate administrative, physical, and technical safeguards, policies, procedures, and technical elements relating to data access controls. All Confidential Information must be secured in transit using secure FTP services or https/TLS 1.0+. Vendor must maintain industry recognized security practices to establish secure application(s), network, and infrastructure architectures.
G. Ensure that the manner in which Confidential Information is collected, accessed, used, stored, processed, disposed of and disclosed within Vendor’s Products, Services and supporting enterprise complies with applicable data protection and privacy laws, as well as the terms and conditions of the Agreement.
H. Conduct periodic risk assessments and remediate any identified security vulnerabilities in a timely manner. Vendor will also have a written incident response plan, to include prompt notification of the Board in the event of a security or privacy incident, as well as best practices for responding to a breach of Confidential Information security practices. Vendor agrees to share its incident response plan upon request.
I. Assure that its systems, Products and Services include at least the following safeguards:
1. Include component and system level fault tolerance and redundancy in system design.
2. Encrypt user passwords in any data storage location and obfuscate password entry fields in any entry interface controlled by the discloser.
3. Encrypt Confidential Information at rest and in transit.
4. Authentication of users at logins with a 256-bit or higher encryption algorithm.
5. Secure transmission of login credentials.
6. A Self Service and an Automated password change routine that resets account passwords annually.
7. Trace user system access via a combination of system logs and Google Analytics that CPS can access upon request.
8. Secure (encrypt) the audit trails and system generated logs and ensure that they are stored in locations that are inaccessible to automated content discovery software.
9. Conduct or undergo system level testing whenever new functionalities are added to the system to reconfirm system security measures are retained and functional, and that interaction with the Board systems is not degraded or compromised.
10. Employ an in-line intrusion prevention system that inspects incoming data transmissions.
11. Prevention of hostile and unauthorized intrusion.
12. Backup of all Confidential Information at least once every twenty-four (24) hours. Perform content snapshots at least daily and retain for at least ninety (90) days.
J. Confidential Information shall be stored, backed up, and served only on servers located in the continental United States. Vendor’s network where Confidential Information may be stored shall have an in-line intrusion prevention system that inspects incoming data transmissions. Vendor shall have a documented disaster recovery plan for the electronic systems where Confidential Information may be stored. Data stored in cloud-based systems must be protected in the same manner as local data as described throughout the Agreement.
Appears in 1 contract
Samples: Services Agreement
HANDLING OF CONFIDENTIAL INFORMATION. Vendor shall protect against the unauthorized access, use or disclosure of Confidential Information by employing security measures that are no less protective as those used to protect Vendor’s own confidential information. When handling Confidential Information that is personally identifiable (“Personally Identifiable Confidential Information”), which may include but is not limited to student data, Vendor shall:
1. When mailing physical copies of Personally Identifiable Confidential Information, send the Personally Identifiable Confidential Information in a tamper-proof, labeled container, with a tracking number and a delivery confirmation receipt, except as otherwise set forth in the Scope of Services;
2. Not store any Personally Identifiable Confidential Information on portable or removable electronic media, such as CDs, DVDs, electronic tape, flash drives, etc.;
3. Not leave Personally Identifiable Confidential Information in any medium unsecured and unattended at any time;
4. Keep all physical copies (paper, portable or removable electronic media, or other physical representations) of Personally Identifiable Confidential Information under lock and key, or otherwise have sufficient physical access control measures to prevent unauthorized access;
5. Password protect any laptop or other electronic device that contains Personally Identifiable Confidential Information. Additionally, any laptop or other electronic device that contains Personally Identifiable Confidential Information shall have its full hard drive encrypted with an encryption key of no less than 256 bits. Vendor shall not leave any laptop or other electronic device unattended without enabling a screen-lock or otherwise blocking access to the laptop or other electronic device. Vendor shall ensure that no password or other information sufficient to access a laptop or electronic device containing Personally Identifiable Confidential Information is attached to or located near the laptop or other electronic device at any time.
6. Secure the Personally Identifiable Confidential Information stored on its systems, including but not limited to any servers, by employing adequate security measures to prevent unauthorized access, disclosure and use of that information. These measures include appropriate administrative, physical, and technical safeguards, policies and procedures relating to data access controls. All Personally Identifiable Confidential Information must be secured in transit using secure FTP services or https/TLS 1.0+. Vendor must maintain industry recognized security practices to establish secure application(s), network, and infrastructure architectures.
7. Ensure that the manner in which Personally Identifiable Confidential Information is collected, accessed, used, stored, processed, disposed of and disclosed within Vendor’s Products, Services, and supporting enterprise complies with applicable data protection and privacy laws, as well as the terms and conditions of this Contract.
8. Conduct periodic risk assessments and remediate any identified security vulnerabilities in a timely manner. Vendor will also have a written incident response plan, to include prompt notification of the Board in the event of a security or privacy incident, as well as best practices for responding to a breach of Personally Identifiable Confidential Information security practices. Vendor agrees to share its incident response plan upon request.
9. Assure that its systems, Products and Services include at least the following safeguards:
1. Include component and system level fault tolerance and redundancy in system design.
2. Encrypt user passwords in any data storage location and obfuscate password entry fields in any entry interface controlled by the discloser.
3. Encrypt Personally Identifiable Confidential Information at-rest and in-transit.
4. Authentication of users at login with a 256-bit or higher encryption algorithm.
5. Secure transmission of login credentials.
6. Automatic password change routine.
7. Trace user system access via a combination of system logs and Google Analytics.
8. Secure (encrypt) the audit trails and system generated logs and ensure that they are stored in locations that are inaccessible to automated content discovery software.
9. Conduct or undergo system level testing whenever new functionalities are added to the system to reconfirm system security measures are retained and functional, and that interaction with the Board systems is not degraded or compromised.
10. Employ an in-line intrusion protection system that inspects incoming data transmissions.
11. Prevention of hostile or unauthorized intrusion.
12. Backup of all Personally Identifiable Confidential Information at least once every twenty-four (24) hours. Perform content snapshots at least daily and retain for at least ninety (90) days.
10. Confidential Information shall be stored, backed up, and served only on servers located in the continental United States. Vendor’s network where Confidential Information may be stored shall have an in-line intrusion prevention system that inspects incoming data transmissions. Vendor shall have a documented disaster recovery covered plan for the electronic systems where Confidential Information may be stored. Data stored in cloud-based systems must be protected in the same manner as local data as described throughout the Contract.
Appears in 1 contract
Samples: Services Agreement
HANDLING OF CONFIDENTIAL INFORMATION. Vendor shall protect against the unauthorized access, use or disclosure of Confidential Information by employing security measures that are no less protective as those used to protect Vendor’s own confidential information. When handling Confidential Information, which may include but is not limited to Student Data, Vendor shall:
(a) When mailing physical copies of Confidential Information, send the Confidential Information in a tamper-proof, labeled container, with a tracking number and a delivery confirmation receipt;
(b) Not store any Confidential Information on portable or removable electronic media, such as CDs, DVDs, electronic tape, flash drives, etc.;
(c) Not leave Confidential Information in any medium unsecured and unattended at any time;
(d) Keep all physical copies (paper, portable or removable electronic media, or other physical representations) of Confidential Information under lock and key, or otherwise have sufficient physical access control measures to prevent unauthorized access;
(e) Password protect any laptop or other electronic device that contains Confidential Information. Additionally, any laptop or other electronic device that contains Confidential Information shall have its full hard drive encrypted with an encryption key of no less than 256 bits. Vendor shall not leave any laptop or other electronic device unattended without enabling a screen-lock or otherwise blocking access to the laptop or other electronic device. Vendor shall ensure that no password or other information sufficient to access a laptop or electronic device containing Confidential Information is attached to or located near the laptop or other electronic device at any time.
(f) Secure the Confidential Information stored on its systems, including but not limited to any servers, by employing adequate security measures to prevent unauthorized access, disclosure and use of that information. These measures include appropriate administrative, physical, and technical safeguards, policies and procedures relating to data access controls. All Confidential Information must be secured in transit using secure FTP services or https/TLS 1.0+. Vendor must maintain industry recognized security practices to establish secure application(s), network, and infrastructure architectures.
(g) Ensure that the manner in which Confidential Information is collected, accessed, used, stored, processed, disposed of and disclosed within Vendor’s Products, Services, and supporting enterprise complies with applicable data protection and privacy laws, as well as the terms and conditions of this Agreement.
(h) Conduct periodic risk assessments and remediate any identified security vulnerabilities in a timely manner. Vendor will also have a written incident response plan, to include prompt notification of the Board in the event of a security or privacy incident, as well as best practices for responding to a breach of Confidential Information security practices. Vendor agrees to share its incident response plan upon request.
(i) Assure that its systems, Products and Services include at least the following safeguards:
(1) Include component and system level fault tolerance and redundancy in system design.
(2) Encrypt user passwords in any data storage location and obfuscate password entry fields in any entry interface controlled by the discloser.
(3) Encrypt Confidential Information at-rest and in-transit.
(4) Authentication of users at login with a 256-bit or higher encryption algorithm.
(5) Secure transmission of login credentials.
(6) Automatic password change routine.
(7) Trace user system access via a combination of system logs and Google Analytics.
(8) Secure (encrypt) the audit trails and system generated logs and ensure that they are stored in locations that are inaccessible to automated content discovery software.
(9) Conduct or undergo system level testing whenever new functionalities are added to the system to reconfirm system security measures are retained and functional, and that interaction with the Board systems is not degraded or compromised.
(10) Employ an in-line intrusion protection system that inspects incoming data transmissions.
(11) Prevention of hostile or unauthorized intrusion.
(12) Backup of all Confidential Information at least once every twenty-four (24) hours. Perform content snapshots at least daily and retain for at least ninety (90) days.
(j) Confidential Information shall be stored, backed up, and served only on servers located in the continental United States. Vendor’s network where Confidential Information may be stored shall have an in-line intrusion prevention system that inspects incoming data transmissions. Vendor shall have a documented disaster recovery plan for the electronic systems where Confidential Information may be stored. Data stored in cloud-based systems must be protected in the same manner as local data as described throughout the Agreement.
Appears in 1 contract
Samples: Software and Services Agreement
HANDLING OF CONFIDENTIAL INFORMATION. Vendor shall protect against the unauthorized access, use or disclosure of Confidential Information by employing security measures when handling Confidential Information that are no less protective as those used to protect Vendor’s own confidential information and at least as secure as the following. When handling Confidential Information, which may include but is not limited to Student Data, Vendor shall:
A. When mailing physical copies of Confidential Information, send the Confidential Information in a tamper-proof, labeled container, with a tracking number and a delivery confirmation receipt. Vendor shall not send with encrypted Confidential Information, via mail or electronically, any password or other information sufficient to allow decryption.
B. Not store any Confidential Information on portable or removable electronic media, such as CDs, DVDs, electronic tape, flash drives, etc.;
C. Not leave Confidential Information in any medium unsecured and unattended at any time;
D. Keep all physical copies (paper, portable or removable electronic media, or other physical representations) of Confidential Information under lock and key, or otherwise have sufficient physical access control measures to prevent unauthorized access;
E. Password protect any laptop or other electronic device that contains Confidential Information. Additionally, any laptop or other electronic device that contains Confidential Information shall have its full hard drive encrypted with an encryption key of no less than 256 bits. Vendor shall not leave any laptop or other electronic device unattended without enabling a screen-lock or otherwise blocking access to the laptop or other electronic device. Vendor shall ensure that no password or other information sufficient to access a laptop or electronic device containing Confidential Information is attached to or located near the laptop or other electronic device at any time;
F. Secure the Confidential Information stored on its systems, including but not limited to any servers, by employing adequate security measures to prevent unauthorized access to, disclosure and use of that information. These measures include appropriate administrative, physical, and technical safeguards, policies, procedures, and technical elements relating to data access controls. All Confidential Information must be secured in transit using secure FTP services or https/TLS 1.0+. Vendor must maintain industry recognized security practices to establish secure application(s), network, and infrastructure architectures;
G. Ensure that the manner in which Confidential Information is collected, accessed, used, stored, processed, disposed of and disclosed within Vendor’s Products, Services and supporting enterprise complies with applicable data protection and privacy laws, as well as the terms and conditions of the Agreement;
H. Conduct periodic risk assessments and remediate any identified security vulnerabilities in a timely manner. Vendor will also have a written incident response plan, to include prompt notification of the Board in the event of a security or privacy incident, as well as best practices for responding to a breach of Confidential Information security practices. Vendor agrees to share its incident response plan upon request;
I. Assure that its systems and Services include at least the following safeguards, where applicable:
1. Include component and system level fault tolerance and redundancy in system design;
2. Encrypt user passwords in any data storage location and obfuscate password entry fields in any entry interface controlled by the Vendor;
3. Encrypt Confidential Information at rest and in transit;
4. Authentication of users at logins with a 256-bit or higher encryption algorithm;
5. Secure transmissions of login credentials;
6. Automatic password change routine;
7. Trace user system access via a combination of system logs and Google Analytics;
8. Secure (encrypt) the audit trails and system generated logs and ensure that they are stored in locations that are inaccessible to automated content discovery software;
9. Conduct or undergo system level testing whenever new functionalities are added to the system to reconfirm system security measures are retained and functional, and that interaction with the Board systems is not degraded or compromised;
10. Employ an in-line intrusion prevention system that inspects incoming data transmissions;
11. Prevention of hostile and unauthorized intrusion; and
12. Backup of all Confidential Information at least once every twenty-four (24) hours. Perform content snapshots at least daily and retain for at least ninety (90) days.
J. Confidential Information shall be stored, backed up, and served only on servers located in the continental United States. Vendor’s network where Confidential Information may be stored shall have an in-line intrusion prevention system that inspects incoming data transmissions. Vendor shall have a documented disaster recovery covered plan for the electronic systems where Confidential Information may be stored. Data stored in cloud-based systems must be protected in the same manner as local data as described throughout the Agreement. Also, the prior approval of the Board’s ITS Program Manager or designee for any hosting solution may be required.
Appears in 1 contract
Samples: Services Agreement
HANDLING OF CONFIDENTIAL INFORMATION. Vendor shall protect against the unauthorized access, use, or disclosure of Confidential Information by employing security measures when handling Confidential Information that are no less protective as those used to protect Vendor’s own confidential information and at least as secure as the following. When handling Confidential Information, which may include but is not limited to Student Data, Vendor shall:
A. When mailing physical copies of Confidential Information, send the Confidential Information in a tamper-proof, labeled container, with a tracking number and a delivery confirmation receipt. Vendor shall not send with encrypted Confidential Information, via mail or electronically, any password or other information sufficient to allow decryption.
B. Not store any Confidential Information on portable or removable electronic media, such as CDs, DVDs, electronic tape, flash drives, etc.;
C. Not leave Confidential Information in any medium unsecured and unattended at any time.
D. Keep all physical copies (paper, portable or removable electronic media, or other physical representations) of Confidential Information under lock and key, or otherwise have sufficient physical access control measures to prevent unauthorized access.
E. Password protect any laptop or other electronic device that contains Confidential Information. Additionally, any laptop or other electronic device that contains Confidential Information shall have its full hard drive encrypted with an encryption key of no less than 256 bits. Vendor shall not leave any laptop or other electronic device unattended without enabling a screen-lock or otherwise blocking access to the laptop or other electronic device. Vendor shall ensure that no password or other information sufficient to access a laptop or electronic device containing Confidential Information is attached to or located near the laptop or other electronic device at any time.
F. Secure the Confidential Information stored on its systems, including but not limited to any servers, by employing adequate security measures to prevent unauthorized access to, disclosure and use of that information. These measures include appropriate administrative, physical, and technical safeguards, policies, procedures, and technical elements relating to data access controls. All Confidential Information must be secured in transit using secure FTP services or https/TLS 1.0+. Vendor must maintain industry recognized security practices to establish secure application(s), network, and infrastructure architectures.
G. Ensure that the manner in which Confidential Information is collected, accessed, used, stored, processed, disposed of and disclosed within Vendor’s Products, Services and supporting enterprise complies with applicable data protection and privacy laws, as well as the terms and conditions of the Agreement.
H. Conduct periodic risk assessments and remediate any identified security vulnerabilities in a timely manner. Vendor will also have a written incident response plan, to include prompt notification of the Board in the event of a security or privacy incident, as well as best practices for responding to a breach of Confidential Information security practices. Vendor agrees to share its incident response plan upon request.
I. Assure that its systems, Products and Services include at least the following safeguards:
1. Include component and system level fault tolerance and redundancy in system design.
2. Encrypt user passwords in any data storage location and obfuscate password entry fields in any entry interface controlled by the discloser.
3. Encrypt Confidential Information at rest and in transit.
4. Authentication of users at logins with a 256-bit or higher encryption algorithm.
5. Secure transmission of login credentials.
6. Automatic password change routine.
7. Trace user system access via a combination of system logs and Google Analytics.
8. Secure (encrypt) the audit trails and system generated logs and ensure that they are stored in locations that are inaccessible to automated content discovery software.
9. Conduct or undergo system level testing whenever new functionalities are added to the system to reconfirm system security measures are retained and functional, and that interaction with the Board systems is not degraded or compromised.
10. Employ an in-line intrusion prevention system that inspects incoming data transmissions.
11. Prevention of hostile and unauthorized intrusion.
12. Backup of all Confidential Information at least once every twenty-four (24) hours. Perform content snapshots at least daily and retain for at least ninety (90) days.
J. Confidential Information shall be stored, backed up, and served only on servers located in the continental United States. Vendor’s network where Confidential Information may be stored shall have an in-line intrusion prevention system that inspects incoming data transmissions. Vendor shall have a documented disaster recovery plan for the electronic systems where Confidential Information may be stored. Data stored in cloud-based systems must be protected in the same manner as local data as described throughout the Agreement.
Appears in 1 contract
Samples: Services Agreement
HANDLING OF CONFIDENTIAL INFORMATION. Receiving Party shall protect against the unauthorized access, use or disclosure of Confidential Information by employing security measures when handling Confidential Information that are no less protective as those used to protect its own confidential information and at least as secure as the following. When handling Confidential Information, which may include but is not limited to Student Data, Receiving Party shall:
A. When sending Confidential Information by way of encrypted channels electronically or via mail, the Parties shall not simultaneously transmit any password or other information sufficient to allow decryption.
B. Not store any Confidential Information on portable or removable electronic media, such as CDs, DVDs, electronic tape, flash drives, etc. which are not encrypted;
C. Not leave Confidential Information in any medium unsecured and unattended at any time.
D. Keep all physical copies (paper, portable or removable electronic media, or other physical representations) of Confidential Information under lock and key, or otherwise have sufficient physical access control measures to prevent unauthorized access.
E. Password protect any laptop or other electronic device that contains Confidential Information. Additionally, any laptop or other electronic device that contains Student Data or personally identifiable information of non-students shall have its full hard drive encrypted with an encryption key of no less than 256 bits. Receiving Party shall not leave any laptop or other electronic device unattended without enabling a screen-lock or otherwise blocking access to the laptop or other electronic device. Receiving Party shall ensure that no password or other information sufficient to access a laptop or electronic device containing Student Data or personally identifiable information of non-students is attached to or located near the laptop or other electronic device at any time.
F. Secure the Confidential Information stored on its systems, including but not limited to any servers, by employing adequate security measures to prevent unauthorized access to, disclosure and use of that information. These measures include appropriate administrative, physical, and technical safeguards, policies, procedures, and technical elements relating to data access controls. All Student Data and personally identifiable non-student data must be encrypted in transit. Receiving Party must maintain industry recognized security practices to establish secure application(s), network, and infrastructure architectures.
G. Ensure that the manner in which Confidential Information is collected, accessed, used, stored, processed, disposed of and disclosed within Receiving Party’s Products, Services and supporting enterprise complies with applicable data protection and privacy laws, as well as the terms and conditions of the Contract.
H. Conduct periodic risk assessments and remediate any identified security vulnerabilities in a timely manner. Receiving Party will also have a written incident response plan, to include prompt notification of the Disclosing Party in the event of a security or privacy incident, as well as best practices for responding to a breach of information and/or Confidential Information security practices as defined under the Personal Information Protection Act (PIPA) (815 ILCS 530/1 et seq.), FERPA, SOPPA, and any other applicable law. Receiving Party agrees to share its incident response plan upon request.
I. Assure that its systems include at least the following safeguards:
1. Include component and system level fault tolerance and redundancy in system design.
2. Encrypt user passwords in any data storage location and obfuscate password entry fields in any entry interface controlled by the discloser.
3. Encrypt Confidential Information at rest and in transit.
4. Authentication of users at logins with a 256-bit or higher encryption algorithm.
5. Secure transmission of login credentials.
6. Automatic password change routine.
7. Trace user system access via a combination of system logs and Google Analytics.
8. Secure (encrypt) the audit trails and system generated logs and ensure that they are stored in locations that are inaccessible to automated content discovery software.
9. Conduct or undergo system level testing whenever new functionalities are added to the system to reconfirm system security measures are retained and functional, and that interaction with the Board systems is not degraded or compromised.
10. Employ an in-line intrusion prevention system that inspects incoming data transmissions.
11. Prevention of hostile and unauthorized intrusion.
12. Backup of all Confidential Information at least once every twenty-four (24) hours. Perform content snapshots at least daily and retain for at least ninety (90) days.
H. Confidential Information shall be stored, backed up, and served only on servers located in the continental United States. Receiving Party’s network where Confidential Information may be stored shall have an in-line intrusion prevention system that inspects incoming data transmissions. Receiving Party shall have a documented disaster recovery plan for the electronic systems where Confidential Information may be stored. Data stored in cloud-based systems must be protected in the same manner as local data as described throughout the Contract.
Appears in 1 contract
Samples: Athletic Trainer Provider Agreement
HANDLING OF CONFIDENTIAL INFORMATION. Vendor shall protect against the unauthorized access, use or disclosure of Confidential Information by employing security measures when handling Confidential Information that are no less protective as those used to protect Vendor’s own confidential information and at least as secure as the following. When handling Confidential Information, which may include but is not limited to Student Data, Vendor shall:
A. When mailing physical copies of Confidential Information, send the Confidential Information in a tamper-proof, labeled container, with a tracking number and a delivery confirmation receipt. Proposer shall not send with encrypted Confidential Information, via mail or electronically, any password or other information sufficient to allow decryption.
B. Not store any Confidential Information on portable or removable electronic media, such as CDs, DVDs, electronic tape, flash drives, etc.;
C. Not leave Confidential Information in any medium unsecured and unattended at any time.
D. Keep all physical copies (paper, portable or removable electronic media, or other physical representations) of Confidential Information under lock and key, or otherwise have sufficient physical access control measures to prevent unauthorized access.
E. Password protect any laptop or other electronic device that contains Confidential Information. Additionally, any laptop or other electronic device that contains Confidential Information shall have its full hard drive encrypted with an encryption key of no less than 256 bits. Vendor shall not leave any laptop or other electronic device unattended without enabling a screen-lock or otherwise blocking access to the laptop or other electronic device. Vendor shall ensure that no password or other information sufficient to access a laptop or electronic device containing Confidential Information is attached to or located near the laptop or other electronic device at any time.
F. Secure the Confidential Information stored on its systems, including but not limited to any servers, by employing adequate security measures to prevent unauthorized access to, disclosure and use of that information. These measures include appropriate administrative, physical, and technical safeguards, policies, procedures, and technical elements relating to data access controls. All Confidential Information must be secured in transit using secure FTP services or https/TLS 1.0+. Vendor must maintain industry recognized security practices to establish secure application(s), network, and infrastructure architectures.
G. Ensure that the manner in which Confidential Information is collected, accessed, used, stored, processed, disposed of and disclosed within Vendor’s Products, Services and supporting enterprise complies with applicable data protection and privacy laws, as well as the terms and conditions of the Contract.
H. Conduct periodic risk assessments and remediate any identified security vulnerabilities in a timely manner. Vendor will also have a written incident response plan, to include prompt notification of the Board in the event of a security or privacy incident, as well as best practices for responding to a breach of Confidential Information security practices. Vendor agrees to share its incident response plan upon request.
I. Assure that its systems, Products and Services include at least the following safeguards:
1. Include component and system level fault tolerance and redundancy in system design.
2. Encrypt user passwords in any data storage location and obfuscate password entry fields in any entry interface controlled by the discloser.
3. Encrypt Confidential Information at rest and in transit.
4. Authentication of users at logins with a 256-bit or higher encryption algorithm.
5. Secure transmission of login credentials.
6. Automatic password change routine.
7. Trace user system access via a combination of system logs and Google Analytics.
8. Secure (encrypt) the audit trails and system generated logs and ensure that they are stored in locations that are inaccessible to automated content discovery software.
9. Conduct or undergo system level testing whenever new functionalities are added to the system to reconfirm system security measures are retained and functional, and that interaction with the Board systems is not degraded or compromised.
10. Employ an in-line intrusion prevention system that inspects incoming data transmissions.
11. Prevention of hostile and unauthorized intrusion.
12. Backup of all Confidential Information at least once every twenty-four (24) hours. Perform content snapshots at least daily and retain for at least ninety (90) days.
J. Confidential Information shall be stored, backed up, and served only on servers located in the continental United States. Vendor’s network where Confidential Information may be stored shall have an in-line intrusion prevention system that inspects incoming data transmissions. Vendor shall have a documented disaster recovery plan for the electronic systems where Confidential Information may be stored. Data stored in cloud-based systems must be protected in the same manner as local data as described throughout the Contract.
Appears in 1 contract
Samples: Paratransit and Alternate Modes of Student Transportation Services Agreement
HANDLING OF CONFIDENTIAL INFORMATION. Provider shall protect against the unauthorized access, use or disclosure of Confidential Information by employing security measures that are no less protective as those used to protect Provider’s own confidential information. When handling Confidential Information (“Confidential Information, which may include but is not limited to Student Data”), Provider shall:
a. When mailing physical copies of Confidential Information, send the Confidential Information in a tamper-proof, labeled container, with a tracking number and a delivery confirmation receipt;
b. Not store any Confidential Information on portable or removable electronic media, such as CDs, DVDs, electronic tape, flash drives, etc.;
c. Not leave Confidential Information in any medium unsecured and unattended at any time;
d. Keep all physical copies (paper, portable or removable electronic media, or other physical representations) of Confidential Information under lock and key, or otherwise have sufficient physical access control measures to prevent unauthorized access;
e. Password protect any laptop or other electronic device that contains Confidential Information. Additionally, any laptop or other electronic device that contains Confidential Information shall have its full hard drive encrypted with an encryption key of no less than 256 bits. Provider shall not leave any laptop or other electronic device unattended without enabling a screen-lock or otherwise blocking access to the laptop or other electronic device. Provider shall ensure that no password or other information sufficient to access a laptop or electronic device containing Confidential Information is attached to or located near the laptop or other electronic device at any time.
f. Secure the Confidential Information stored on its systems, including but not limited to any servers, by employing adequate security measures to prevent unauthorized access to, disclosure and use of that information. These measures include appropriate administrative, physical, and technical safeguards, policies, procedures, and technical elements relating to data access controls. All Confidential Information must be secured in transit using secure FTP services or https/TLS 1.0+. Provider must maintain industry recognized security practices to establish secure application(s), network, and infrastructure architectures.
g. Ensure that the manner in which Confidential Information is collected, accessed, used, stored, processed, disposed of and disclosed within Provider’s Products, Services and supporting enterprise complies with applicable data protection and privacy laws, as well as the terms and conditions of the Agreement.
h. Conduct periodic risk assessments and remediate any identified security vulnerabilities in a timely manner. Provider will also have a written incident response plan, to include prompt notification of the Board in the event of a security or privacy incident, as well as best practices for responding to a breach of Confidential Information security practices. Provider agrees to share its incident response plan upon request.
i. Assure that its systems and Services include at least the following safeguards, where applicable:
1. Include component and system level fault tolerance and redundancy in system design;
2. Encrypt user passwords in any data storage location and obfuscate password entry fields in any entry interface controlled by the Provider;
3. Encrypt Confidential Information at rest and in transit;
4. Authentication of users at logins with a 256-bit or higher encryption algorithm;
5. Secure transmissions of login credentials;
6. Automatic password change routine;
7. Trace user system access via a combination of system logs and Google Analytics;
8. Secure (encrypt) the audit trails and system generated logs and ensure that they are stored in locations that are inaccessible to automated content discovery software;
9. Conduct or undergo system level testing whenever new functionalities are added to the system to reconfirm system security measures are retained and functional, and that interaction with the Board systems is not degraded or compromised;
10. Employ an in-line intrusion prevention system that inspects incoming data transmissions;
11. Prevention of hostile and unauthorized intrusion; and
12. Backup of all Confidential Information at least once every twenty-four (24) hours. Perform content snapshots at least daily and retain for at least ninety (90) days.
j. Confidential Information shall be stored, backed up, and served only on servers located in the continental United States. Provider’s network where Confidential Information may be stored shall have an in-line intrusion prevention system that inspects incoming data transmissions. Provider shall have a documented disaster recovery covered plan for the electronic systems where Confidential Information may be stored. Data stored in cloud-based systems must be protected in the same manner as local data as described throughout the Agreement.
Appears in 1 contract
Samples: Services Agreement
HANDLING OF CONFIDENTIAL INFORMATION. Provider shall protect against the unauthorized access, use or disclosure of Confidential Information by employing security measures that are no less protective as those used to protect Provider’s own confidential information. When handling Confidential Information, which may include but is not limited to Student Data, Provider shall:
i. When mailing physical copies of Confidential Information, send the Confidential Information in a tamper-proof, labeled container, with a tracking number and a delivery confirmation receipt;
ii. Not store any Confidential Information on portable or removable electronic media, such as CDs, DVDs, electronic tape, flash drives, etc.;
iii. Not leave Confidential Information in any medium unsecured and unattended at any time;
iv. Keep all physical copies (paper, portable or removable electronic media, or other physical representations) of Confidential Information under lock and key, or otherwise have sufficient physical access control measures to prevent unauthorized access;
v. Password protect any laptop or other electronic device that contains Confidential Information. Additionally, any laptop or other electronic device that contains Confidential Information shall have its full hard drive encrypted with an encryption key of no less than 256 bits. Provider shall not leave any laptop or other electronic device unattended without enabling a screen-lock or otherwise blocking access to the laptop or other electronic device. Provider shall ensure that no password or other information sufficient to access a laptop or electronic device containing Confidential Information is attached to or located near the laptop or other electronic device at any time.
vi. Secure the Confidential Information stored on its systems, including but not limited to any servers, by employing adequate security measures to prevent unauthorized access, disclosure and use of that information. These measures include appropriate administrative, physical, and technical safeguards, policies and procedures relating to data access controls. All Confidential Information must be secured in transit using secure FTP services or https/TLS 1.0+. Provider must maintain industry recognized security practices to establish secure application(s), network, and infrastructure architectures.
vii. Ensure that the manner in which Confidential Information is collected, accessed, used, stored, processed, disposed of and disclosed within Provider’s Products, Services, and supporting enterprise complies with applicable data protection and privacy laws, as well as the terms and conditions of this Agreement.
viii. Conduct periodic risk assessments and remediate any identified security vulnerabilities in a timely manner. Provider will also have a written incident response plan, to include prompt notification of the Board in the event of a security or privacy incident, as well as best practices for responding to a breach of Confidential Information security practices. Provider agrees to share its incident response plan upon request.
ix. Assure that its systems, Products and Services include at least the following safeguards:
1. Include component and system level fault tolerance and redundancy in system design.
2. Encrypt user passwords in any data storage location and obfuscate password entry fields in any entry interface controlled by the discloser.
3. Encrypt Confidential Information at-rest and in-transit.
4. Authentication of users at login with a 256-bit or higher encryption algorithm.
5. Secure transmission of login credentials.
6. Automatic password change routine. This element will be adopted after SSO is implemented in 2021.
7. Trace user system access via a combination of system logs and Google Analytics.
8. Secure (encrypt) the audit trails and system generated logs and ensure that they are stored in locations that are inaccessible to automated content discovery software.
9. Conduct or undergo system level testing whenever new functionalities are added to the system to reconfirm system security measures are retained and functional, and that interaction with the Board systems is not degraded or compromised.
10. Employ an in-line intrusion protection system that inspects incoming data transmissions.
11. Prevention of hostile or unauthorized intrusion.
12. Backup of all Confidential Information at least once every twenty-four (24) hours. Perform content snapshots at least daily and retain for at least ninety (90) days.
x. Confidential Information shall be stored, backed up, and served only on servers located in the continental United States. Provider’s network where Confidential Information may be stored shall have an in-line intrusion prevention system that inspects incoming data transmissions. Provider shall have a documented disaster recovery plan for the electronic systems where Confidential Information may be stored. Data stored in cloud-based systems must be protected in the same manner as local data as described throughout the Agreement.
Appears in 1 contract