Information Security Plan. Contractor is required to maintain an Information Security Plan sufficient to protect the sensitive and/or confidential CSU data to which they have access. Requirements for the Information Security Plan are described in Rider A.
Information Security Plan. (1) Contractor acknowledges that the Department is required to comply with information security standards for the protection of Confidential Information as required by law, regulation and regulatory guidance, as well as the Department’s internal security program for information and systems protection.
(2) Contractor shall develop, implement, and maintain a comprehensive Information Security Plan that contains administrative, technical, and physical safeguards designed to ensure the privacy, security, integrity, availability, and confidentiality of the Confidential Information. Contractor must provide evidence to the Department of one or more of the following for the plan:
a. Certification in, or compliance with, generally accepted information risk management security control frameworks, standards or guidelines such as:
i. ISO/IEC 27000-series;
ii. NIST 800-53;
iii. CIS Critical Security Controls for Effective Cyber Defense; or
iv. HIPAA Security Rule - 45 CFR Part 160 and Subparts A and C of Part 164; and
b. Compliance with any state or federal regulations by which the person or entity who owns or licenses such information may be regulated; or
c. At a minimum, include the elements listed in the Information Security Plan Requirements set forth below.
(3) Upon the Department’s request, Contractor shall submit one of the following documents to the Department:
a. Independent attestation of certification;
b. Information Security Plan scope statement;
c. Information Security Plan statement of applicability; or
d. SOC 2, Type 2 audit and letter of attestation indicating Contractor’s receipt of management’s assertion of control compliance from Contractor’s subcontractors as described in Section 6 Audit Provision. The Department reserves the right to require the Contractor to provide more than one of the above documents. If Contractor is unable to produce one of the above documents, Contractor may satisfy the requirement by providing the assurances in Section 28.0(h) below.
(4) Annually, or upon a significant change in risk posture, Contractor will review its Information Security Plan and update and revise it as needed. If at any time there are any material reductions to Contractor’s Information Security Plan, Contractor will notify the Department within two weeks of the completion of the review and prior to implementation. In such instances, the Department will require an explanation of the
Information Security Plan. Supplier acknowledges that UC is required to comply with information security standards for the protection of Protected Information as required by law, regulation and regulatory guidance, as well as UC’s internal security program for information and systems protection.
Information Security Plan. (1) Contractor acknowledges that ETF is required to comply with information security standards for the protection of Confidential Information as required by law, regulation and regulatory guidance, as well as ETF’s internal security program for information and systems protection.
(2) Contractor will establish, maintain and comply with an information security plan (Information Security Plan), which will contain, at a minimum, such elements as those set forth in this Agreement.
(3) Contractor’s Information Security Plan will be designed to:
a. Ensure the privacy, security, integrity, availability, and confidentiality of Confidential Information;
b. Protect against any anticipated threats or hazards to the security or integrity of such information;
c. Protect against unauthorized access to or use of such information that could result in harm or inconvenience to the person that is the subject of such information;
d. Reduce risks associated with Contractor having access to ETF Information Resources; and
e. Comply with all applicable legal and regulatory requirements for data protection.
(4) On at least an annual basis, Contractor will review its Information Security Plan, update and revise it as needed, and make available to ETF upon request. At ETF’s request, Contractor will make modifications to its Information Security Plan or to the procedures and practices thereunder to conform to ETF’s security requirements as they exist from time to time. If there are any significant modifications to Contractor’s Information Security Plan, Contractor will notify ETF within a reasonable period of time, not to exceed two weeks. Any significant modification
Information Security Plan. Contractor shall implement and maintain a written information security program (“WISP”) that contains physical, administrative and technical safeguards necessary to ensure the confidentiality, integrity and availability of District Information, including such physical, administrative and technical safeguards as are necessary to ensure that District Information disclosed between Contractor and District is not used or disclosed by Contractor, or by any of Contractor’s subcontractors, affiliates, agents or third parties, except as provided in the Agreement.
Information Security Plan. Domestic Communications Companies shall develop, document, implement, and maintain an information security plan to:
(i) maintain appropriately secure facilities (e.g., offices) within the United States for the handling and storage of any Classified, Sensitive or Controlled Unclassified Information;
(ii) take appropriate measures to prevent unauthorized access to data or facilities that might contain Classified, Sensitive, or Controlled Unclassified Information;
(iii) assign U.S. citizens to positions for which screening is contemplated pursuant to Section 3.12;
(iv) Upon request from the DOJ, FBI, DOD or DHS, provide the name, social security number and date of birth of each person who regularly handles or deals with Sensitive Information;
(v) require that personnel handling Classified Information shall have been granted appropriate security clearances pursuant to Executive Order 12968;
(vi) provide that the points of contact described in Section 3.8 of this Agreement shall have sufficient authority over any of Domestic Communications Companies' employees who may handle Classified, Sensitive, or Controlled Unclassified Information to maintain the confidentiality and security of such information in accordance with applicable U.S. legal authority and the terms of this Agreement;
(vii) ensure that the disclosure of or access to Classified, Sensitive, or Controlled Unclassified Information is limited to those who have the appropriate security clearances and authority;
(viii) establish a formal incident response capability with reference to OMB Circular A-130 and NIST Special Publications 800-3, 800-18 and 800-47; and
(ix) identify the types of positions that require screening pursuant to Section 3.12, the required rigor of such screening by type of position, and the criteria by which Domestic Communications Companies will accept or reject screened persons ("Screened Personnel").
Information Security Plan. This section requires the contractor to develop or maintain an information security plan adequate to protect the CSUF ASC data. The CSUF ASC will select one of the two sub-sections to use in their contract. Section 3(a) is to be used for contracts which the CSUF ASC identifies as “high risk” due to the size of the contract, the critical nature of the service or function, and/or the nature of the CSUF ASC Information Assets affected. Section 3(b) is to be used for contracts which the CSUF ASC does not identify as “high risk”.
(a) Contractor acknowledges that the CSUF ASC is required to comply with information security standards for the protection of Protected Data Information required by law, regulation and regulatory guidance, as well as the CSUF ASC’s internal security policy for information and systems protection. Within 30 days of the effective date of the Agreement, and subject to the review and approval of the CSUF ASC, Contractor shall establish, maintain and comply with an information security plan (“Information Security Plan”), which shall contain such elements that the CSUF ASC may require after consultation with Contractor. On at least an annual basis, Contractor shall review, update and revise its Information Security Plan, subject to the CSUF ASC’s review and approval. Contractor’s Information Security Plan shall be designed to:
• Ensure the security, integrity and confidentiality of the CSUF ASC Protected Data;
• Protect against any anticipated threats or hazards to the security or integrity of such information;
• Protect against unauthorized access to, or use of, such information that could result in substantial harm or inconvenience to the person that is the subject of such information;
• Protect against unauthorized changes to, or use of, CSUF ASC Protected Data;
• Comply with all applicable CSUF ASC policies, legal, and regulatory requirements for data protection; and
• Include business continuity and disaster recovery plans.
Contractor’s Information Security Plan shall include a written response program addressing the appropriate remedial measures it shall undertake in the event that there is an information security breach. Contractor shall cause all Subcontractors and other persons and entities whose services are part of the Services which Contractor delivers to the CSUF ASC, or who hold CSUF ASC Protected Data, to implement an Information Security Program and Plan substantially equivalent to Contractor’s. The parties expressly agree th...
Information Security Plan. Contractor acknowledges that the Department is required to comply with information security standards for the protection of Confidential Information as required by law, regulation and regulatory guidance, as well as the Department’s internal security program for information and systems protection. Contractor shall develop, implement, and maintain a comprehensive Information Security Plan that contains administrative, technical, and physical safeguards designed to ensure the privacy, security, integrity, availability, and confidentiality of the Confidential Information. Annually, if the Contractor is required to provide an independent service auditor’s report, such as a SOC 2, Type 2 audit report, Contractor will furnish the Department’s designated staff person as directed with a copy of Contractor’s required report. Annually, or upon a significant change in risk posture, Contractor will review its Information Security Plan and update and revise it as needed. If at any time there are any material reductions to Contractor’s Information Security Plan, Contractor will notify the Department within two weeks of the completion of the review and prior to implementation. In such instances, the Department will require an explanation of the reductions. At the Department’s request, Contractor will make modifications to its Information Security Plan or to the procedures and practices thereunder to conform to the Department’s security requirements as defined herein. Annually, or upon change in Subservice Organizations, Contractor will demonstrate oversight of Subservice Organizations involved in the delivery of Services under the Contract. 
To demonstrate oversight, the Contractor shall submit one of the following documents to the Department: Policy and procedure regarding monitoring the compliance of Subservice Organizations handling of Department data; Documentation showing oversight of Contractor’s Subservice Organizations' security posture through annual reviews of Contractor’s vendors’ independent service auditor’s reports; annual corrective action plans; or annual reviews of information technology controls; or Letter of attestation assuming the Contractors’ liability for its Subservice Organizations.
Information Security Plan. The contractor shall submit, within 30 days of contract award, an Information Security Plan that describes the information security rules, procedures, and processes to ensure sensitive, confidential, or personal data are protected and secure.
Information Security Plan. Vendor is required to maintain an Information Security Plan sufficient to protect the sensitive and/or confidential CSU data to which they have access.