Common use of Information Security Protocols Clause in Contracts

Information Security Protocols. Aon uses a layered approach to information security. Aon will use commercially reasonable efforts to maintain the security, integrity and availability of all Customer Data to which it has access, including but not limited to commercially reasonable efforts reflecting changing technological approaches, to comply with the following measures: (a) HIPAA Security Rule; (b) ISO 27001; (c) maintain a documented Information Security Program which includes annual risk assessment and management procedures; (d) maintain the principle of least privilege; (e) classify and handle all Customer data as confidential and apply the necessary security and controls to support HIPAA/HITECH Act compliance; (f) maintain commercially customary physical security and access controls for its data center(s); (g) maintain commercially customary network security controls including firewall and intrusion prevention solutions; (h) maintain commercially customary redundancy at the demark, network and system layers; (i) maintain commercially customary monitoring solutions to continually manage health and capacity of the IT infrastructure components; (j) provide data encryption in a commercially customary manner of all data transmissions; (k) require a minimum of 128-bit SSL encryption for application access and use; (l) maintain and update anti-virus program; (m) require individual user accounts and passwords for any access; (n) maintain strong password requirements for all Aon-managed accounts; (o) maintain generally acceptable user account management processes and procedures; (p) maintain industry accepted data protection program; (q) maintain whole disk encryption for all laptops; (r) deploy software security patches in accordance with generally accepted industry best practices; (s) maintain and periodically test (at least annually) a commercially customary disaster recovery plan that provides adequate system backup, technology replacement, and alternate (backup-site) site capabilities; (t) follow commercially customary hardening procedures for system/device builds; (u) conduct ongoing vulnerability management through the use of commercially customary tools; (v) conduct periodic (at least annually) third party vulnerability assessments; (w) follow Open Web Application Security Project (OWASP) methodologies, guidelines and techniques for application development; (x) follow commercially customary change and release management practices for hardware and software changes; (y) follow commercially customary asset sanitization procedures to ensure decommissioned equipment is free of any and all Customer Data; (z) maintain Customer Data security using commercially customary database and application controls; (aa) notify Customer of any unauthorized access to Customer Data immediately upon discovery; and (bb) maintain at least one certification or attestation covered in Section 8.3 above or replacement standard on security practices from a nationally or globally recognized provider of such reports.

Appears in 2 contracts

Samples: Terms and Conditions, Terms and Conditions

Information Security Protocols. Aon Ventiv uses a layered approach to information security. Aon Ventiv will use commercially reasonable efforts to maintain the security, integrity and availability of all Customer Data to which it has access, including but not limited to commercially reasonable efforts reflecting changing technological approaches, to comply with the following measures: (a) HIPAA Security Rule; (b) ISO 27001; (c) maintain a documented Information Security Program which includes annual risk assessment and management procedures; (d) maintain the principle of least privilege; (e) classify and handle all Customer data as confidential and apply the necessary security and controls to support HIPAA/HITECH Act compliance; (f) maintain commercially customary physical security and access controls for its data center(s); (g) maintain commercially customary network security controls including firewall and intrusion prevention solutions; (h) maintain commercially customary redundancy at the demark, network and system layers; (i) maintain commercially customary monitoring solutions to continually manage health and capacity of the IT infrastructure components; (j) provide data encryption in a commercially customary manner of all data transmissions; (k) require a minimum of 128-bit SSL encryption for application access and use; (l) maintain and update anti-virus program; (m) require individual user accounts and passwords for any access; (n) maintain strong password requirements for all AonVentiv-managed accounts; (o) maintain generally acceptable user account management processes and procedures; (p) maintain industry accepted data protection program; (q) maintain whole disk encryption for all laptops; (r) deploy software security patches in accordance with generally accepted industry best practices; (s) maintain and periodically test (at least annually) a commercially customary disaster recovery plan that provides adequate system backup, technology replacement, and alternate (backup-site) site capabilities; (t) follow commercially customary hardening procedures for system/device builds; (u) conduct ongoing vulnerability management through the use of commercially customary tools; (v) conduct periodic (at least annually) third party vulnerability assessments; (w) follow Open Web Application Security Project (OWASP) methodologies, guidelines and techniques for application development; (x) follow commercially customary change and release management practices for hardware and software changes; (y) follow commercially customary asset sanitization procedures to ensure decommissioned equipment is free of any and all Customer Data; (z) maintain Customer Data security using commercially customary database and application controls; (aa) notify Customer of any unauthorized access to Customer Data immediately upon discovery; and (bb) maintain at least one certification or attestation covered in Section 8.3 7.3 above or replacement standard on security practices from a nationally or globally recognized provider of such reports.

Appears in 2 contracts

Samples: Terms and Conditions, Terms and Conditions
