Common use of Information Security Policy Clause in Contracts

Information Security Policy. 1.1 The Collaborator Institution shall implement and maintain a written information security policy that specifies the technical, administrative and physical security standards it shall apply to protect the Materials it processes in accordance with this MTA. 1.2 The information security policy shall mandate the use of appropriate technical and organisational security measures in the Collaborator Institution to protect the Materials against unauthorised and unlawful processing and against damage or destruction. The information security policy shall detail the security measures set out in this Annex 2 as a minimum. It shall further describe the measures to be taken in the event of an actual or suspected Data Security Incident. 1.3 The Collaborator Institution shall appoint a duly skilled individual with responsibility for ensuring the security of the Materials processed by the Collaborator Institution in its organisation and for reviewing, maintaining and updating the Collaborator Institution’s information security policy. The information security policy shall set out measures for the Collaborator Institution’s internal IT and IT security governance and management. 1.4 The information security policy shall also set out that: 1.4.1 the Materials shall be stored throughout their existence in an environment suited to its format and sensitivity, to ensure its preservation from physical harm or degradation and its security from unauthorised access; 1.4.2 appropriate controls are implemented to ensure confidentiality, integrity and availability of data, including but not limited to anti-virus software and role-based access controls; 1.4.3 servers, client devices and applications used for storing, accessing and analysing Materials are deployed with operating systems, firmware, and software within vendor supported versions and where exceptions are documented with adequate mitigations described and auditable; and 1.4.4 encryption is in place in transit and at rest (in accordance with clause 6.1 below).

Information Security Policy. 1.1 The Collaborator Applicant Institution shall implement and maintain a written information security policy that specifies the technical, administrative and physical security standards it shall apply to protect the Materials it processes in accordance with this MTA. 1.2 The information security policy shall mandate the use of appropriate technical and organisational security measures in the Collaborator Applicant Institution to protect the Materials against unauthorised and unlawful processing and against damage or destruction. The information security policy shall detail the security measures set out in this Annex 2 as a minimum. It shall further describe the measures to be taken in the event of an actual or suspected Data Security Incident. 1.3 The Collaborator Applicant Institution shall appoint a duly skilled individual with responsibility for ensuring the security of the Materials processed by the Collaborator Applicant Institution in its organisation and for reviewing, maintaining and updating the Collaborator Applicant Institution’s information security policy. The information security policy shall set out measures for the Collaborator Applicant Institution’s internal IT and IT security governance and management. 1.4 The information security policy shall also set out that: 1.4.1 the Materials shall be stored throughout their existence in an environment suited to its format and sensitivity, to ensure its preservation from physical harm or degradation and its security from unauthorised access; 1.4.2 appropriate controls are implemented to ensure confidentiality, integrity and availability of data, including but not limited to anti-virus software and role-based access controls; 1.4.3 servers, client devices and applications used for storing, accessing and analysing Materials are deployed with operating systems, firmware, and software within vendor supported versions and where exceptions are documented with adequate mitigations described and auditable; and 1.4.4 encryption is in place in transit and at rest (in accordance with clause 6.1 below).