Common use of IT Security Compliance and Training Clause in Contracts

IT Security Compliance and Training. The vendor must ensure that all vendor employees comply with security policies and procedures and take all reasonable measures to reduce the opportunity for unauthorized access, transmission, modification or misuse of the County’s data by vendor employees. The vendor must ensure that all vendor employees are trained on security measures and practices. The vendor will be responsible for any costs related to such training. At a minimum, the vendor is expected to: ▪ Ensure that a formal disciplinary process is defined and followed for vendor employees who violate established security policies and procedures. ▪ Proactively manage and administer access rights to any equipment, software and systems used to provide services to the County. ▪ Define, maintain and monitor access controls, ranging from physical access to logical security access, including a monthly review of vendor employees’ access to systems used to provide services to the County. The vendor shall monitor facilities, systems and equipment to protect against unauthorized access. At a minimum, the vendor is expected to: ▪ Monitor access to systems; investigate apparent security violations; and notify the County of suspected violations, including routine reporting on hacking attempts, penetrations and responses. ▪ Maintain data access control and auditing software and provide adequate logging, monitoring, and investigation of unusual or suspicious activity. ▪ Initiate immediate corrective actions to minimize and prevent the reoccurrence of attempted or actual security violations. ▪ Document details related to attempted or actual security violations and provide documentation to the County. ▪ Provide necessary documentation and evidence to the County in connection with any legal action or investigation.

IT Security Compliance and Training. The vendor must ensure that all vendor employees comply with security policies and procedures and take all reasonable measures to reduce the opportunity for unauthorized access, transmission, modification or misuse of the County’s data by vendor employees. The vendor must ensure that all vendor employees are trained on security measures and practices. The vendor will be responsible for any costs related to such training. At a minimum, the vendor is expected to: ▪ • Ensure that a formal disciplinary process is defined and followed for vendor employees who violate established security policies and procedures. ▪ • Proactively manage and administer access rights to any equipment, software and systems used to provide services to the County. ▪ • Define, maintain and monitor access controls, ranging from physical access to logical security access, including a monthly review of vendor employees’ access to systems used to provide services to the County. The vendor shall monitor facilities, systems and equipment to protect against unauthorized access. At a minimum, the vendor is expected to: ▪ • Monitor access to systems; investigate apparent security violations; and notify the County of suspected violations, including routine reporting on hacking attempts, penetrations and responses. ▪ • Maintain data access control and auditing software and provide adequate logging, monitoring, and investigation of unusual or suspicious activity. ▪ • Initiate immediate corrective actions to minimize and prevent the reoccurrence of attempted or actual security violations. ▪ • Document details related to attempted or actual security violations and provide documentation to the County. ▪ • Provide necessary documentation and evidence to the County in connection with any legal action or investigation.

IT Security Compliance and Training. The vendor must ensure that all vendor employees comply with security policies and procedures and take all reasonable measures to reduce the opportunity for unauthorized access, transmission, modification or misuse of the County’s data by vendor employees. The vendor must ensure that all vendor employees are trained on security measures and practices. The vendor will be responsible for any costs related to such training. At a minimum, the vendor is expected to: ▪ Ensure that a formal disciplinary process is defined and followed for vendor employees who violate established security policies and procedures. ▪ Proactively manage and administer access rights to any equipment, software and systems used to provide services to the County. ▪ Define, maintain and monitor access controls, ranging from physical access to logical security access, including a monthly review of vendor employees’ access to systems used to provide services to the County. The vendor shall monitor facilities, systems and equipment to protect against unauthorized access. At a minimum, the vendor is expected to: ▪ Monitor access to systems; investigate apparent security violations; and notify the County of suspected violations, including routine reporting on hacking attempts, penetrations and responses. ▪ Maintain data access control and auditing software and provide adequate logging, monitoring, and investigation of unusual or suspicious activity. ▪ Initiate immediate corrective actions to minimize and prevent the reoccurrence of attempted or actual security violations. ▪ Document details related to attempted or actual security violations and provide County of Orange Page 50 of 53 MA-042-19011809 Health Care Agency File Folder No. C018820 documentation to the County. ▪ Provide necessary documentation and evidence to the County in connection with any legal action or investigation.

IT Security Compliance and Training. The vendor must ensure that all vendor employees comply with security policies and procedures and take all reasonable measures to reduce the opportunity for unauthorized access, transmission, modification or misuse of the County’s data by vendor employees. The vendor must ensure that all vendor employees are trained on security measures and practices. The vendor will be responsible for any costs related to such training. At a minimum, the vendor is expected to: ▪ Ensure that a formal disciplinary process is defined and followed for vendor employees who violate established security policies and procedures. ▪ Proactively manage and administer access rights to any equipment, software and systems used to provide services to the County. ▪ Define, maintain and monitor access controls, ranging from physical access to logical security access, including a monthly review of vendor employees’ access to systems used to provide services to the County. The vendor shall monitor facilities, systems and equipment to protect against unauthorized access. At a minimum, the vendor is expected to: ▪ Monitor access to systems; investigate apparent security violations; and notify the County of suspected violations, including routine reporting on hacking attempts, penetrations and responses. ▪ Maintain data access control and auditing software and provide adequate logging, monitoring, and investigation of unusual or suspicious activity. ▪ Initiate immediate corrective actions to minimize and prevent the reoccurrence of attempted or actual security violations. ▪ Document details related to attempted or actual security violations and provide documentation to the County. ▪ Provide necessary documentation and evidence to the County in connection with any legal action or investigation. Security Testing Recommendations The vendor should perform a series of steps to verify the security of applications, some of which are noted below. This section will not be validated by the County, but reflects best practices that the vendor should consider and follow.