INFORMATION SECURITY ARCHITECTURE. a. This section III.6 applies to the extent that Vendor Group owns, supports, or is otherwise responsible for host(s), network(s), environment(s), or technology products (including hardware or software) which may contain University Data.
b. Vendor represents and warrants that the design and architecture of Vendor Group’s systems (including but not limited to applications and infrastructure) shall be informed by the principle of defense-in-depth: controls at multiple layers designed to protect the confidentiality, integrity and availability of data.
c. Vendor shall cause Vendor Group to make appropriate personnel vetting/background checks, have appropriate separation of duties, and undertake other such workflow controls over personnel activities as necessary to safeguard University Data.
d. Vendor shall cause Vendor Group to follow change management procedures designed to keep Vendor Group’s systems current on security patches, and prevent unintended or unauthorized system configuration changes that could expose system vulnerability or lead to a Data Breach.
e. To the extent that the Work involves software that was developed, in whole or part, by any of Vendor Group, then Vendor represents and warrants that such portion of the Work was developed within a software development life cycle (SDLC) process that includes security and quality assurance roles and control processes intended to eliminate existing and potential security vulnerabilities.
f. Vendor Group shall have appropriate technical perimeter hardening. Vendor Group shall monitor its system and perimeter configurations and network traffic for vulnerabilities, indicators of activities by threat actors, and/or the presence of Malicious Code.
g. Vendor Group shall have access, authorization, and authentication technology appropriate for protecting University Data from unauthorized access or modification, and capable of accounting for access to University Data. The overall access control model of Vendor Group systems shall follow the principle of least privilege.
h. Vendor Group shall safeguard University Data with encryption controls over University Data both stored and in transit. Vendor Group shall discontinue use of encryption methods and communication protocols which become obsolete or have become compromised.
i. Vendor Group shall maintain a process for backup and restoration of data. Vendor represents and warrants that within the context of the Work, the appropriate members within Vendor Group are included in and familiar with a business continuity and disaster recovery plan.
j. Vendor Group facilities will have adequate physical protections, commensurate with leading industry practice for similar Work.
k. Vendor shall, at its own expense, conduct an information security and privacy risk assessment, no less than annually, in order to demonstrate, substantiate, and assure that the security and privacy standards and practices of Vendor meet or exceed the requirements set out in this DSPA. Upon written request, Vendor shall furnish University with an executive summary of the findings of the most recent risk assessment.
i. University reserves the right to conduct or commission additional tests, relevant to the Work, in order to supplement Vendor’s assessment. Vendor shall cause Vendor Group to cooperate with such effort.
ii. If the findings of the risk assessment identify either: a potentially significant risk exposure to University Data, or other issue indicating that security and privacy standards and practices of Vendor do not meet the requirements set out in this DSPA, then Vendor shall notify University to communicate the issues, nature of the risks, and the corrective action plan (including the nature of the remediation, and the time frame to execute the corrective actions).
Appears in 1 contract
Samples: Data Security and Privacy Agreement
INFORMATION SECURITY ARCHITECTURE. a. This section III.6 applies to the extent that the Work involves services wherein Contractor has care, custody or control of University Data. For avoidance of doubt, this section shall apply when Contractor Group provides cloud-hosted infrastructure, platform, or application as a service.
b. Contractor represents and warrants that the design and architecture of Contractor Group’s systems (including but not limited to applications and infrastructure) shall be informed by the principle of defense-in-depth: controls at multiple layers designed to protect the confidentiality, integrity and availability of data.
c. Contractor shall cause Contractor Group to make appropriate personnel vetting/background checks, have appropriate separation of duties, and undertake other such workflow controls over personnel activities as necessary to safeguard University Data.
d. Contractor shall cause Contractor Group to follow change management procedures designed to keep Contractor Group’s systems current on security patches and prevent unintended or unauthorized system configuration changes that could expose system vulnerability or lead to an Incident.
e. To the extent that the Work involves software that was developed, in whole or part, by any of Contractor Group, then Contractor represents and warrants that such portion of the Work was developed within a software development life cycle (SDLC) process that includes security and quality assurance roles and control processes intended to eliminate existing and potential security vulnerabilities.
f. Contractor Group shall have appropriate technical perimeter hardening. Contractor Group shall monitor its system and perimeter configurations and network traffic for vulnerabilities, indicators of activities by threat actors, and/or the presence of Malicious Code.
g. Contractor Group shall have access, authorization, and authentication technology appropriate for protecting University Data from unauthorized access or modification, and capable of accounting for access to University Data. The overall access control model of Contractor Group systems shall follow the principle of least privilege.
h. Contractor Group shall safeguard University Data with encryption controls over University Data both stored and in transit. Contractor Group shall discontinue use of encryption methods and communication protocols which become obsolete or have become compromised.
i. Contractor Group shall maintain a process for backup and restoration of data. Contractor represents and warrants that within the context of the Work, the appropriate members within Contractor Group are included in and familiar with a business continuity and disaster recovery plan.
j. Contractor Group facilities will have adequate physical protections, commensurate with leading industry practice for similar Work.
k. Contractor shall, at its own expense, conduct an information security and privacy risk assessment, no less than annually, in order to demonstrate, substantiate, and assure that the security and privacy standards and practices of Contractor meet or exceed the requirements set out under these IT Special Terms and Conditions. Upon written request, Contractor shall furnish University with an executive summary of the findings of the most recent risk assessment.
i. University reserves the right to conduct or commission additional tests, relevant to the Work, in order to supplement Contractor’s assessment. Contractor shall cause Contractor Group to cooperate with such effort.
ii. If the findings of the risk assessment identify either: a potentially significant risk exposure to University Data, or other issue indicating that security and privacy standards and practices of Contractor do not meet the requirements set out under these IT Special Terms and Conditions, then Contractor shall notify University to communicate the issues, nature of the risks, and the corrective action plan (including the nature of the remediation, and the time frame to execute the corrective actions).
Appears in 1 contract
Samples: IT Special Terms
INFORMATION SECURITY ARCHITECTURE. a. This section III.6 applies to the extent that the Work involves services wherein Contractor has care, custody or control of University Data. For avoidance of doubt, this section shall apply when Contractor Group provides cloud-hosted infrastructure, platform, or application as a service.
b. Contractor represents and warrants that the design and architecture of Contractor Group’s systems (including but not limited to applications and infrastructure) shall be informed by the principle of defense-in-depth: controls at multiple layers designed to protect the confidentiality, integrity and availability of data.
c. Contractor shall cause Contractor Group to make appropriate personnel vetting/background checks, have appropriate separation of duties, and undertake other such workflow controls over personnel activities as necessary to safeguard University Data.
d. Contractor shall cause Contractor Group to follow change management procedures designed to keep Contractor Group’s systems current on security patches and prevent unintended or unauthorized system configuration changes that could expose system vulnerability or lead to a Data Breach.
e. To the extent that the Work involves software that was developed, in whole or part, by any of Contractor Group, then Contractor represents and warrants that such portion of the Work was developed within a software development life cycle (SDLC) process that includes security and quality assurance roles and control processes intended to eliminate existing and potential security vulnerabilities.
f. Contractor Group shall have appropriate technical perimeter hardening. Contractor Group shall monitor its system and perimeter configurations and network traffic for vulnerabilities, indicators of activities by threat actors, and/or the presence of Malicious Code.
g. Contractor Group shall have access, authorization, and authentication technology appropriate for protecting University Data from unauthorized access or modification, and capable of accounting for access to University Data. The overall access control model of Contractor Group systems shall follow the principle of least privilege.
h. Contractor Group shall safeguard University Data with encryption controls over University Data both stored and in transit. Contractor Group shall discontinue use of encryption methods and communication protocols which become obsolete or have become compromised.
i. Contractor Group shall maintain a process for backup and restoration of data. Contractor represents and warrants that within the context of the Work, the appropriate members within Contractor Group are included in and familiar with a business continuity and disaster recovery plan.
j. Contractor Group facilities will have adequate physical protections, commensurate with leading industry practice for similar Work.
k. Contractor shall, at its own expense, conduct an information security and privacy risk assessment, no less than annually, in order to demonstrate, substantiate, and assure that the security and privacy standards and practices of Contractor meet or exceed the requirements set out under these IT Special Terms and Conditions. Upon written request, Contractor shall furnish University with an executive summary of the findings of the most recent risk assessment.
i. University reserves the right to conduct or commission additional tests, relevant to the Work, in order to supplement Contractor’s assessment. Contractor shall cause Contractor Group to cooperate with such effort.
ii. If the findings of the risk assessment identify either: a potentially significant risk exposure to University Data, or other issue indicating that security and privacy standards and practices of Contractor do not meet the requirements set out under these IT Special Terms and Conditions, then Contractor shall notify University to communicate the issues, nature of the risks, and the corrective action plan (including the nature of the remediation, and the time frame to execute the corrective actions).
Appears in 1 contract
Samples: IT Special Terms
INFORMATION SECURITY ARCHITECTURE. a. This section III.6 applies to the extent that the Work involves services wherein Contractor has care, custody, or control of University Data. For avoidance of doubt, this section shall apply when Contractor Group provides cloud-hosted infrastructure, platform, or application as a service.
b. Contractor represents and warrants that the design and architecture of Contractor Group’s systems (including but not limited to applications and infrastructure) shall be informed by the principle of defense-in-depth: controls at multiple layers designed to protect the confidentiality, integrity, and availability of data.
c. Contractor shall cause Contractor Group to make appropriate personnel vetting/background checks, have appropriate separation of duties, and undertake other such workflow controls over personnel activities as necessary to safeguard University Data.
d. Contractor shall cause Contractor Group to follow change management procedures designed to keep Contractor Group’s systems current on security patches and prevent unintended or unauthorized system configuration changes that could expose system vulnerability or lead to an Incident.
e. To the extent that the Work involves software that was developed, in whole or part, by any of Contractor Group, then Contractor represents and warrants that such portion of the Work was developed within a Software Development Life Cycle process that includes security and quality assurance roles and control processes intended to eliminate existing and potential security vulnerabilities.
f. Contractor Group shall have appropriate network segmentation and perimeter hardening. Contractor Group shall monitor its system and perimeter configurations and network traffic for vulnerabilities, indicators of activity or compromise by threat actors, and/or the presence of Malicious Code.
g. Contractor Group shall have access, authorization, and authentication technology appropriate for protecting University Data from unauthorized access or modification, and capable of accounting for access to University Data. The overall access control model of Contractor Group systems shall follow the principle of least privilege.
h. Contractor Group shall safeguard University Data with encryption controls over University Data both at rest and in transit. Contractor Group shall discontinue use of encryption methods and communication protocols which become obsolete or have become compromised.
i. Contractor Group shall maintain a process for backup and restoration of data. Contractor represents and warrants that within the context of the Work, the appropriate members within Contractor Group are included in and familiar with a business continuity and disaster recovery plan.
j. Contractor Group facilities will have adequate physical protections, commensurate with leading industry practice for similar Work.
k. Contractor shall maintain a process for regularly testing, assessing, and evaluating the effectiveness of technical, physical, and administrative measures under these IT Security Terms and Conditions. Upon written request, Contractor shall furnish University with an executive summary of the findings of the most recent risk assessment.
i. University reserves the right to conduct or commission additional tests, relevant to the Work, in order to supplement Contractor’s assessment. Contractor shall cause Contractor Group to cooperate with such effort.
ii. If the findings of an assessment identify either: a potentially significant risk exposure to University Data, or other issue indicating that security and privacy standards and practices of Contractor do not meet the requirements set out under these IT Security Terms and Conditions, then Contractor shall notify University to communicate the issues, nature of the risks, and the corrective action plan (including the nature of the remediation, and the time frame to execute the corrective actions).
Appears in 1 contract
Samples: IT Security Terms
INFORMATION SECURITY ARCHITECTURE. a. This section III.6 applies to the extent that the Work involves services wherein Contractor has care, custody, or control of University Data. For avoidance of doubt, this section shall apply when Contractor Group provides cloud-hosted infrastructure, platform, or application as a service.
b. Contractor represents and warrants that the design and architecture of Contractor Group’s systems (including but not limited to applications and infrastructure) shall be informed by the principle of defense-in-depth: controls at multiple layers designed to protect the confidentiality, integrity, and availability of data.
c. Contractor shall cause Contractor Group to make appropriate personnel vetting/background checks, have appropriate separation of duties, and undertake other such workflow controls over personnel activities as necessary to safeguard University Data.
d. Contractor shall cause Contractor Group to follow change management procedures designed to keep Contractor Group’s systems current on security patches and prevent unintended or unauthorized system configuration changes that could expose system vulnerability or lead to an Incident.
e. To the extent that the Work involves software that was developed, in whole or part, by any of Contractor Group, then Contractor represents and warrants that such portion of the Work was developed within a Software Development Life Cycle process that includes security and quality assurance roles and control processes intended to eliminate existing and potential security vulnerabilities.
f. Contractor Group shall have appropriate network segmentation and perimeter hardening. Contractor Group shall monitor its system and perimeter configurations and network traffic for vulnerabilities, indicators of activity or compromise by threat actors, and/or the presence of Malicious Code.
g. Contractor Group shall have access, authorization, and authentication technology appropriate for protecting University Data from unauthorized access or modification, and capable of accounting for access to University Data. The overall access control model of Contractor Group systems shall follow the principle of least privilege.
h. Contractor Group shall safeguard University Data with encryption controls over University Data both at rest and in transit. Contractor Group shall discontinue use of encryption methods and communication protocols which become obsolete or have become compromised.
i. Contractor Group shall maintain a process for backup and restoration of data. Contractor represents and warrants that within the context of the Work, the appropriate members within Contractor Group are included in and familiar with a business continuity and disaster recovery plan.
j. Contractor Group facilities will have adequate physical protections, commensurate with leading industry practice for similar Work.
k. Contractor shall maintain a process for regularly testing, assessing, and evaluating the effectiveness of technical, physical, and administrative measures under these IT Security Terms and Conditions. Upon written request, Contractor shall furnish University with an executive summary of the findings of the most recent risk assessment.
i. University reserves the right to conduct or commission additional tests, relevant to the Work, in order to supplement Contractor’s assessment. Contractor shall cause Contractor Group to cooperate with such effort.
ii. If the findings of an assessment identify either: a potentially significant risk exposure to University Data, or other issue indicating that security and privacy standards and practices of Contractor do not meet the requirements set out under these IT Security Terms and Conditions, then Contractor shall notify University to communicate the issues, nature of the risks, and the corrective action plan (including the nature of the remediation, and the time frame to execute the corrective actions).
Appears in 1 contract
Samples: IT Security Terms
INFORMATION SECURITY ARCHITECTURE. a. This section III.6 applies to the extent that the Work involves services wherein Contractor has care, custody, or control of University Data. For avoidance of doubt, this section shall apply when Contractor Group provides cloud-hosted infrastructure, platform, or application as a service.
b. Contractor represents and warrants that the design and architecture of Contractor Group’s systems (including but not limited to applications and infrastructure) shall be informed by the principle of defense-in-depth: controls at multiple layers designed to protect the confidentiality, integrity, and availability of data.
c. Contractor shall cause Contractor Group to make appropriate personnel vetting/background checks, have appropriate separation of duties, and undertake other such workflow controls over personnel activities as necessary to safeguard University Data.
d. Contractor shall cause Contractor Group to follow change management procedures designed to keep Contractor Group’s systems current on security patches and prevent unintended or unauthorized system configuration changes that could expose system vulnerability or lead to an Incident.
e. To the extent that the Work involves software that was developed, in whole or part, by any of Contractor Group, then Contractor represents and warrants that such portion of the Work was developed within a Software Development Life Cycle process that includes security and quality assurance roles and control processes intended to eliminate existing and potential security vulnerabilities.
f. Contractor Group shall have appropriate network segmentation and perimeter hardening. Contractor Group shall monitor its system and perimeter configurations and network traffic for vulnerabilities, indicators of activity or compromise by threat actors, and/or the presence of Malicious Code.
g. Contractor Group shall have access, authorization, and authentication technology appropriate for protecting University Data from unauthorized access or modification, and capable of accounting for access to University Data. The overall access control model of Contractor Group systems shall follow the principle of least privilege.
h. Contractor Group shall safeguard University Data with encryption controls over University Data both at rest and in transit. Contractor Group shall discontinue use of encryption methods and communication protocols which become obsolete or have become compromised.
i. Contractor Group shall maintain a process for backup and restoration of data. Contractor represents and warrants that within the context of the Work, the appropriate members within Contractor Group are included in and familiar with a business continuity and disaster recovery plan.
j. Contractor Group facilities will have adequate physical protections, commensurate with leading industry practice for similar Work.
k. Contractor shall maintain a process for regularly testing, assessing, and evaluating the effectiveness of technical, physical, and administrative measures under these IT Security Terms and Conditions. Upon written request, Contractor shall furnish University with an executive summary of the findings of the most recent risk assessment.
i. University reserves the right to conduct or commission additional tests, relevant to the Work, in order to supplement Contractor’s assessment. Contractor shall cause Contractor Group to cooperate with such effort.
ii. If the findings of an assessment identify either: a potentially significant risk exposure to University Data, or other issue indicating that security and privacy standards and practices of Contractor do not meet the requirements set out under these IT Security Terms and Conditions, then Contractor shall notify University to communicate the issues, nature of the risks, and the corrective action plan (including the nature of the remediation, and the time frame to execute the corrective actions).
Appears in 1 contract
Samples: IT Security Terms