Information Security Plan. (1) Contractor acknowledges that the Department is required to comply with information security standards for the protection of Confidential Information as required by law, regulation and regulatory guidance, as well as the Department’s internal security program for information and systems protection.
(2) Contractor shall develop, implement, and maintain a comprehensive Information Security Plan that contains administrative, technical, and physical safeguards designed to ensure the privacy, security, integrity, availability, and confidentiality of the Confidential Information. Contractor must provide evidence to the Department of one or more of the following for the plan:
a. Certification in, or compliance with, generally accepted information risk management security control frameworks, standards or guidelines such as:
i. ISO/IEC 27000-series;
ii. NIST800-53;
iii. CIS Critical Security Controls for Effective Cyber Defense; or
iv. HIPAA Security Rule - 45 CFR Part 160 and Subparts A and C of Part 164; and
b. Compliance with any state or federal regulations by which the person or entity who owns or licenses such information may be regulated; or
c. At a minimum, include the elements listed in the Information Security Plan Requirements set forth below.
(3) Upon the Department’s request, Contractor shall submit one of the following documents to the Department:
a. Independent attestation of certification;
b. Information Security Plan scope statement;
c. Information Security Plan statement of applicability; or
d. SOC 2, Type 2 audit and letter of attestation indicating Contractor’s receipt of management’s assertion of control compliance from Contractor’s subcontractors as described in Section 6 Audit Provision. The Department reserves the right to require the Contractor to provide more than one of the above documents. If Contractor is unable to produce one of the above documents, Contractor may satisfy the requirement by providing the assurances in Section 28.0(h) below.
(4) Annually, or upon a significant change in risk posture, Contractor will review its Information Security Plan and update and revise it as needed. If at any time there are any material reductions to Contractor’s Information Security Plan, Contractor will notify the Department within two weeks of the completion of the review and prior to implementation. In such instances, the Department will require an explanation of the reductions. At the Department’s request, Contractor will make modifications to its Information Security Plan or to the procedures and practices thereunder to conform to the Department’s security requirements as defined herein.
Appears in 3 contracts
Samples: Department Terms and Conditions, Department Terms and Conditions, Department Terms and Conditions
Information Security Plan. (1) Contractor acknowledges that the Department is required to comply with information security standards for the protection of Confidential Information as required by law, regulation and regulatory guidance, as well as the Department’s internal security program for information and systems protection.
(2) Contractor shall develop, implement, and maintain a comprehensive Information Security Plan that contains administrative, technical, and physical safeguards designed to ensure the privacy, security, integrity, availability, and confidentiality of the Confidential Information. Contractor must provide evidence to the Department of one or more of the following for the plan:
a. Certification in, or compliance with, generally accepted information risk management security control frameworks, standards or guidelines such as:
i. ISO/IEC 27000-series;
ii. NIST800-53;
iii. CIS Critical Security Controls for Effective Cyber Defense; or
iv. HIPAA Security Rule - 45 CFR Part 160 and Subparts A and C of Part 164; and
b. Compliance with any state or federal regulations by which the person or entity who owns or licenses such information may be regulated; or
c. At a minimum, include the elements listed in the Information Security Plan Requirements set forth below.
(3) Upon the Department’s request, Contractor shall submit one of the following documents to the Department:
a. Independent attestation of certification;
b. Information Security Plan scope statement;
c. Information Security Plan statement of applicability; or
d. SOC 2, Type 2 audit and letter of attestation indicating Contractor’s receipt of management’s assertion of control compliance from Contractor’s subcontractors as described in Section 6 Audit Provision. The Department reserves the right to require the Contractor to provide more than one of the above documents. If Contractor is unable to produce one of the above documents, Contractor may satisfy the requirement by providing the assurances in Section 28.0(h) below.
(4) Annually, or upon a significant change in risk posture, Contractor will review its Information Security Plan and update and revise it as needed. If at any time there are any material reductions to Contractor’s Information Security Plan, Contractor will notify the Department within two weeks of the completion of the review and prior to implementation. In such instances, the Department will require an explanation of the reductions. At the Department’s request, Contractor will make modifications to its Information Security Plan or to the procedures and practices thereunder to conform to the Department’s security requirements as defined herein.
Appears in 3 contracts
Samples: Department Terms and Conditions, Department Terms and Conditions, Department Terms and Conditions
Information Security Plan. (1) Contractor acknowledges that the Department is required to comply with information security standards for the protection of Confidential Information as required by law, regulation and regulatory guidance, as well as the Department’s internal security program for information and systems protection.
(2) Contractor shall develop, implement, and maintain a comprehensive Information Security Plan that contains administrative, technical, and physical safeguards designed to ensure the privacy, security, integrity, availability, and confidentiality of the Confidential Information. Contractor must provide evidence to the Department of one or more of the following for the plan:
a. Certification in, or compliance with, generally accepted information risk management security control frameworks, standards or guidelines such as:
i. ISO/IEC 27000-series;
ii. NIST800-53;
iii. CIS Critical Security Controls for Effective Cyber Defense; or
iv. HIPAA Security Rule - 45 CFR Part 160 and Subparts A and C of Part 164; and
b. Compliance with any state or federal regulations by which the person or entity who owns or licenses such information may be regulated; or
c. At a minimum, include the elements listed in the Information Security Plan Requirements set forth below.
(3) Upon the Department’s request, Contractor shall submit one of the following documents to the Department:
a. Independent attestation of certification;
b. Information Security Plan scope statement;
c. Information Security Plan statement of applicability; or
d. SOC 2, Type 2 audit and letter of attestation indicating Contractor’s receipt of management’s assertion of control compliance from Contractor’s subcontractors as described in Section 6 Audit Provision. The Department reserves the right to require the Contractor to provide more than one of the above documents. If Contractor is unable to produce one of the above documents, Contractor may satisfy the requirement by providing the assurances in Section 28.0(h) below.
(4) Annually, or upon a significant change in risk posture, Contractor will review its Information Security Plan and update and revise it as needed. If at any time there are any material reductions to Contractor’s Information Security Plan, Contractor will notify the Department within two weeks of the completion of the review and prior to implementation. In such instances, the Department will require an explanation of the reductions. Should Contractor diminish security controls, Contractor will notify the Department. Should the Department determine that the respective control change does not comply with this current agreement, Contractor will, at the Department’s request, make modifications to its Information Security Plan or to the procedures and practices which impact the services rendered to the Department.
Appears in 1 contract
Samples: Contract