Common use of Mobile and Cloud Technology Clause in Contracts

Mobile and Cloud Technology. 7.1 Storing Experian data on mobile devices is prohibited. Any exceptions must be obtained from Experian in writing; additional security requirements will apply. 7.2 Mobile applications development must follow industry known secure software development standard practices such as OWASP and OWASP Mobile Security Project adhering to common controls and addressing top risks. 7.3 Mobile applications development processes must follow secure software assessment methodology which includes appropriate application security testing (for example: static, dynamic analysis, penetration testing) and ensuring vulnerabilities are remediated. 7.4 Mobility solution server/system should be hardened in accordance with industry and vendor best practices such as Center for Internet Security (CIS) benchmarks, NIS, NSA, DISA and/or other. 7.5 Mobile applications and data shall be hosted on devices through a secure container separate from any personal applications and data. See details below. Under no circumstances is Experian data to be exchanged between secured and non-secured applications on the mobile device. 7.6 In case of non-consumer access, that is, commercial/business-to-business (B2B) users accessing Experian data via mobile applications (internally developed or using a third party application), ensure that multi-factor authentication and/or adaptive/risk-based authentication mechanisms are utilized to authenticate users to application. 7.7 When using cloud providers to access, transmit, store, or process Experian data ensure that: Appropriate due diligence is conducted to maintain compliance with applicable laws and regulations and contractual obligations. Cloud providers must have gone through independent audits and are compliant with one or more of the following standards, or a current equivalent as approved/recognized by Experian: 8. 
General o ISO 27001 o PCI DSS o EI3PA o SSAE 16 – SOC 2 or SOC3 o FISMA o CAI / CCM assessment 8.1 ACRAnet may from time to time audit the security mechanisms Company maintains to safeguard access to Experian information, systems and electronic communications. Audits may include examination of systems security and associated administrative practices 8.2 In cases where the Company is accessing Experian information and systems via third party software, the Company agrees to make available to ACRAnet upon request, audit trail information and management reports generated by the vendor software, regarding Company individual authorized users. 8.3 Company shall be responsible for and ensure that third party software, which accesses ACRAnet information systems, is secure, and protects this vendor software against unauthorized modification, copy and placement on systems which have not been authorized for its use. 8.4 Company shall conduct software development (for software which accesses ACRAnet information systems; this applies to both in-house or outsourced software development) based on the following requirements: 8.4.1 Software development must follow industry known secure software development standard practices such as OWASP adhering to common controls and addressing top risks. 8.4.2 Software development processes must follow secure software assessment methodology which includes appropriate application security testing (for example: static, dynamic analysis, penetration testing) and ensuring vulnerabilities are remediated. 8.4.3 Software solution server/system should be hardened in accordance with industry and vendor best practices such as Center for Internet Security (CIS) benchmarks, NIS, NSA, DISA and/or other. 
8.5 Reasonable access to audit trail reports of systems utilized to access ACRAnet systems shall be made available to ACRAnet upon request, for example during breach investigation or while performing audits 8.6 Data requests from Company to ACRAnet must include the IP address of the device from which the request originated (i.e., the requesting client’s IP address), where applicable. 8.7 Company shall report actual security violations or incidents that impact Experian to ACRAnet within twenty-four (24) hours or per agreed contractual notification timeline. Company agrees to provide notice to ACRAnet of any confirmed security breach that may involve data 8.8 Company acknowledges and agrees that the Company (a) has received a copy of these requirements, (b) has read and understands Company’s obligations described in the requirements, (c) will communicate the contents of the applicable requirements contained herein, and any subsequent updates hereto, to all employees that shall have access to ACRAnet services, systems or data, and (d) will abide by the provisions of these requirements when accessing Experian data. 8.9 Company understands that its use of ACRAnet networking and computing resources may be monitored and audited by ACRAnet, without further notice. 8.10 Company acknowledges and agrees that it is responsible for all activities of its employees/authorized users, and for assuring that mechanisms to access ACRAnet services or data are secure and in compliance with its membership agreement. 8.11 When using third party service providers to access, transmit, or store Experian data, additional documentation may be required by ACRAnet. Internet Delivery Security Requirements 1. The Company shall designate in writing, an employee to be its Head Security Designate, to act as the primary interface with ACRAnet on systems access related matters. 
The Company’s Head Security Designate will be responsible for establishing, administering and monitoring all Company employees’ access to ACRAnet provided services which are delivered over the Internet (“Internet access”), or approving and establishing Security Designates to perform such functions. 2. The Company’s Head Security Designate or Security Designate shall in turn review all employee requests for Internet access approval. The Head Security Designate or its Security Designate shall determine the appropriate access to each ACRAnet product based upon the legitimate business needs of each employee. ACRAnet shall reserve the right to terminate any accounts it deems a security threat to its systems and/or consumer data. 3. Unless automated means become available, the Company shall request employee's (Internet) user access via the Head Security Designate/Security Designate in writing, in the format approved by ACRAnet. Those employees approved by the Head Security Designate or Security Designate for Internet access ("Authorized Users") will be individually assigned unique access identification accounts ("User ID") and passwords/passphrases (this also applies to the unique Server-to-Server access IDs and passwords/passphrases). ACRAnet’s approval of requests for (Internet) access may be granted or withheld in its sole discretion. ACRAnet may add to or change its requirements for granting (Internet) access to the services at any time (including, without limitation, the imposition of fees relating to (Internet) access upon reasonable notice to Company), and reserves the right to change passwords/passphrases and to revoke any authorizations previously granted. Note: Partially completed forms and verbal requests will not be accepted. 4. 
An officer of the Company agrees to notify ACRAnet in writing immediately if it wishes to change or delete any employee as a Head Security Designate, Security Designate, or Authorized User; or if the identified Head Security Designate, Security Designate or Authorized User is terminated or otherwise loses his or her status as an Authorized User. 1. Company agrees to identify an employee it has designated to act on its behalf as a primary interface with ACRAnet on systems access related matters. This individual shall be identified as the "Head Security Designate." The Head Security Designate can further identify a Security Designate(s) to provide the day to day administration of the Authorized Users. Security Designate(s) must be an employee and a duly appointed representative of the Company and shall be available to interact with ACRAnet on information and product access, in accordance with these Experian Access Security Requirements for Reseller End-Users. The Head Security Designate Authorization Form must be signed by a duly authorized representative of the Company. Company’s duly authorized representative (e.g. contracting officer, security manager, etc.) must authorize changes to Company’s Head Security Designate. The Head Security Designate will submit all requests to create, change or lock Security Designate and/or Authorized User access accounts and permissions to ACRAnet’s systems and information (via the Internet). Changes in Head Security Designate status (e.g. transfer or termination) are to be reported to ACRAnet immediately. 2. As a Client to ACRAnet’s products and services via the Internet, the Head Security Designate is acting as the duly authorized representative of Company. 3. The Security Designate may be appointed by the Head Security Designate as the individual that the Company authorizes to act on behalf of the business in regards to ACRAnet product access control (e.g. request to add/change/remove access). 
The Company can opt to appoint more than one Security Designate (e.g. for backup purposes). The Company understands that the Security Designate(s) it appoints shall be someone who will generally be available during normal business hours and can liaise with ACRAnet’s Security Administration group on information and product access matters. 4. The Head Designate shall be responsible for notifying their corresponding ACRAnet representative in a timely fashion of any Authorized User accounts (with their corresponding privileges and access to application and data) that are required to be terminated due to suspicion (or actual) threat of system compromise, unauthorized access to data and/or applications, or account inactivity. 1. Must be an employee and duly appointed representative of Company, identified as an approval point for Company’s Authorized Users. 2. Is responsible for the initial and on-going authentication and validation of Company’s Authorized Users and must maintain current information about each (phone number, valid email address, etc.). 3. Is responsible for ensuring that proper privileges and permissions have been granted in alignment with Authorized User's job responsibilities. 4. Is responsible for ensuring that Company’s Authorized Users are authorized to access ACRAnet products and services. 5. Must disable Authorized User ID if it becomes compromised or if the Authorized User's employment is terminated by Company. 6. Must immediately report any suspicious or questionable activity to ACRAnet regarding access to ACRAnet’s products and services. 7. Shall immediately report changes in their Head Security Designate's status (e.g. transfer or termination) to ACRAnet.

Appears in 8 contracts

Samples: Client Service Agreement, Client Service Agreement, Client Service Agreement


Mobile and Cloud Technology. 7.1 Storing Experian data on mobile devices is prohibited. Any exceptions must be obtained from Experian in writing; additional security requirements will apply. 7.2 Mobile applications development must follow industry known secure software development standard practices such as OWASP and OWASP Mobile Security Project adhering to common controls and addressing top risks. 7.3 Mobile applications development processes must follow secure software assessment methodology which includes appropriate application security testing (for example: static, dynamic analysis, penetration testing) and ensuring vulnerabilities are remediated. 7.4 Mobility solution server/system should be hardened in accordance with industry and vendor best practices such as Center for Internet Security (CIS) benchmarks, NIS, NSA, DISA and/or other. 7.5 Mobile applications and data shall be hosted on devices through a secure container separate from any personal applications and data. See details below. Under no circumstances is Experian data to be exchanged between secured and non-secured applications on the mobile device. 7.6 In case of non-consumer access, that is, commercial/business-to-business (B2B) users accessing Experian data via mobile applications (internally developed or using a third party application), ensure that multi-factor authentication and/or adaptive/risk-based authentication mechanisms are utilized to authenticate users to application. 7.7 When using cloud providers to access, transmit, store, or process Experian data ensure that: Appropriate due diligence is conducted to maintain compliance with applicable laws and regulations and contractual obligations. Cloud providers must have gone through independent audits and are compliant with one or more of the following standards, or a current equivalent as approved/recognized by Experian: 8. 
General o ISO 27001 o PCI DSS o EI3PA o SSAE 16 – SOC 2 or SOC3 o FISMA o CAI / CCM assessment 8.1 ACRAnet may from time to time audit the security mechanisms Company maintains to safeguard access to Experian information, systems and electronic communications. Audits may include examination of systems security and associated administrative practices 8.2 In cases where the Company is accessing Experian information and systems via third party software, the Company agrees to make available to ACRAnet upon request, audit trail information and management reports generated by the vendor software, regarding Company individual authorized users. 8.3 Company shall be responsible for and ensure that third party software, which accesses ACRAnet information systems, is secure, and protects this vendor software against unauthorized modification, copy and placement on systems which have not been authorized for its use. 8.4 Company shall conduct software development (for software which accesses ACRAnet information systems; this applies to both in-house or outsourced software development) based on the following requirements: 8.4.1 Software development must follow industry known secure software development standard practices such as OWASP adhering to common controls and addressing top risks. 8.4.2 Software development processes must follow secure software assessment methodology which includes appropriate application security testing (for example: static, dynamic analysis, penetration testing) and ensuring vulnerabilities are remediated. 8.4.3 Software solution server/system should be hardened in accordance with industry and vendor best practices such as Center for Internet Security (CIS) benchmarks, NIS, NSA, DISA and/or other. 
8.5 Reasonable access to audit trail reports of systems utilized to access ACRAnet systems shall be made available to ACRAnet upon request, for example during breach investigation or while performing audits 8.6 Data requests from Company to ACRAnet must include the IP address of the device from which the request originated (i.e., the requesting client’s IP address), where applicable. 8.7 Company shall report actual security violations or incidents that impact Experian to ACRAnet within twenty-four (24) hours or per agreed contractual notification timeline. Company agrees to provide notice to ACRAnet of any confirmed security breach that may involve data 8.8 Company acknowledges and agrees that the Company (a) has received a copy of these requirements, (b) has read and understands Company’s obligations described in the requirements, (c) will communicate the contents of the applicable requirements contained herein, and any subsequent updates hereto, to all employees that shall have access to ACRAnet services, systems or data, and (d) will abide by the provisions of these requirements when accessing Experian data. 8.9 Company understands that its use of ACRAnet networking and computing resources may be monitored and audited by ACRAnet, without further notice. 8.10 Company acknowledges and agrees that it is responsible for all activities of its employees/authorized users, and for assuring that mechanisms to access ACRAnet services or data are secure and in compliance with its membership agreement. 8.11 When using third party service providers to access, transmit, or store Experian data, additional documentation may be required by ACRAnet. Internet Delivery Security Requirements 1. The Company shall designate in writing, an employee to be its Head Security Designate, to act as the primary interface with ACRAnet on systems access related matters. 
The Company’s Head Security Designate will be responsible for establishing, administering and monitoring all Company employees’ access to ACRAnet provided services which are delivered over the Internet (“Internet access”), or approving and establishing Security Designates to perform such functions. 2. The Company’s Head Security Designate or Security Designate shall in turn review all employee requests for Internet access approval. The Head Security Designate or its Security Designate shall determine the appropriate access to each ACRAnet product based upon the legitimate business needs of each employee. ACRAnet shall reserve the right to terminate any accounts it deems a security threat to its systems and/or consumer data. 3. Unless automated means become available, the Company shall request employee's (Internet) user access via the Head Security Designate/Security Designate in writing, in the format approved by ACRAnet. Those employees approved by the Head Security Designate or Security Designate for Internet access ("Authorized Users") will be individually assigned unique access identification accounts ("User ID") and passwords/passphrases (this also applies to the unique Server-to-Server access IDs and passwords/passphrases). ACRAnet’s approval of requests for (Internet) access may be granted or withheld in its sole discretion. ACRAnet may add to or change its requirements for granting (Internet) access to the services at any time (including, without limitation, the imposition of fees relating to (Internet) access upon reasonable notice to Company), and reserves the right to change passwords/passphrases and to revoke any authorizations previously granted. Note: Partially completed forms and verbal requests will not be accepted. 4. 
An officer of the Company agrees to notify ACRAnet in writing immediately if it wishes to change or delete any employee as a Head Security Designate, Security Designate, or Authorized User; or if the identified Head Security Designate, Security Designate or Authorized User is terminated or otherwise loses his or her status as an Authorized User. 1. Company agrees to identify an employee it has designated to act on its behalf as a primary interface with ACRAnet on systems access related matters. This individual shall be identified as the "Head Security Designate." The Head Security Designate can further identify a Security Designate(s) to provide the day to day administration of the Authorized Users. Security Designate(s) must be an employee and a duly appointed representative of the Company and shall be available to interact with ACRAnet on information and product access, in accordance with these Experian Access Security Requirements for Reseller End-Users. The Head Security Designate Authorization Form must be signed by a duly authorized representative of the Company. Company’s duly authorized representative (e.g. contracting officer, security manager, etc.) must authorize changes to Company’s Head Security Designate. The Head Security Designate will submit all requests to create, change or lock Security Designate and/or Authorized User access accounts and permissions to ACRAnet’s systems and information (via the Internet). Changes in Head Security Designate status (e.g. transfer or termination) are to be reported to ACRAnet immediately. 2. As a Client to ACRAnet’s products and services via the Internet, the Head Security Designate is acting as the duly authorized representative of Company. 3. The Security Designate may be appointed by the Head Security Designate as the individual that the Company authorizes to act on behalf of the business in regards to ACRAnet product access control (e.g. request to add/change/remove access). 
The Company can opt to appoint more than one Security Designate (e.g. for backup purposes). The Company understands that the Security Designate(s) it appoints shall be someone who will generally be available during normal business hours and can liaise with ACRAnet’s Security Administration group on information and product access matters. 4. The Head Designate shall be responsible for notifying their corresponding ACRAnet representative in a timely fashion of any Authorized User accounts (with their corresponding privileges and access to application and data) that are required to be terminated due to suspicion (or actual) threat of system compromise, unauthorized access to data and/or applications, or account inactivity. 1. Must be an employee and duly appointed representative of Company, identified as an approval point for Company’s Authorized Users. 2. Is responsible for the initial and on-going authentication and validation of Company’s Authorized Users and must maintain current information about each (phone number, valid email address, etc.). 3. Is responsible for ensuring that proper privileges and permissions have been granted in alignment with Authorized User's job responsibilities. 4. Is responsible for ensuring that Company’s Authorized Users are authorized to access ACRAnet products and services. 5. Must disable Authorized User ID if it becomes compromised or if the Authorized User's employment is terminated by Company. 6. Must immediately report any suspicious or questionable activity to ACRAnet regarding access to ACRAnet’s products and services. 7. Shall immediately report changes in their Head Security Designate's status (e.g. transfer or termination) to ACRAnet.

Appears in 4 contracts

Samples: Client Service Agreement, Client Service Agreement, Client Service Agreement

Mobile and Cloud Technology. 7.1 Storing Experian data on mobile devices is prohibited. Any exceptions must be obtained from Experian in writing; additional security requirements will apply. 7.2 Mobile applications development must follow industry known secure software development standard practices such as OWASP and OWASP Mobile Security Project adhering to common controls and addressing top risks. 7.3 Mobile applications development processes must follow secure software assessment methodology which includes appropriate application security testing (for example: static, dynamic analysis, penetration testing) and ensuring vulnerabilities are remediated. 7.4 Mobility solution server/system should be hardened in accordance with industry and vendor best practices such as Center for Internet Security (CIS) benchmarks, NIS, NSA, DISA and/or other. 7.5 Mobile applications and data shall be hosted on devices through a secure container separate from any personal applications and data. See details below. Under no circumstances is Experian data to be exchanged between secured and non-secured applications on the mobile device. 7.6 In case of non-consumer access, that is, commercial/business-to-business (B2B) users accessing Experian data via mobile applications (internally developed or using a third party application), ensure that multi-factor authentication and/or adaptive/risk-based authentication mechanisms are utilized to authenticate users to application. 7.7 When using cloud providers to access, transmit, store, or process Experian data ensure that: Appropriate due diligence is conducted to maintain compliance with applicable laws and regulations and contractual obligations. Cloud providers must have gone through independent audits and are compliant with one or more of the following standards, or a current equivalent as approved/recognized by Experian: 8. 
General o ISO 27001 o PCI DSS o EI3PA o SSAE 16 – SOC 2 or SOC3 o FISMA o CAI / CCM assessment 8.1 ACRAnet may from time to time audit the security mechanisms Company maintains to safeguard access to Experian information, systems and electronic communications. Audits may include examination of systems security and associated administrative practices 8.2 In cases where the Company is accessing Experian information and systems via third party software, the Company agrees to make available to ACRAnet upon request, audit trail information and management reports generated by the vendor software, regarding Company individual authorized users. 8.3 Company shall be responsible for and ensure that third party software, which accesses ACRAnet information systems, is secure, and protects this vendor software against unauthorized modification, copy and placement on systems which have not been authorized for its use. 8.4 Company shall conduct software development (for software which accesses ACRAnet information systems; this applies to both in-house or outsourced software development) based on the following requirements: 8.4.1 Software development must follow industry known secure software development standard practices such as OWASP adhering to common controls and addressing top risks. 8.4.2 Software development processes must follow secure software assessment methodology which includes appropriate application security testing (for example: static, dynamic analysis, penetration testing) and ensuring vulnerabilities are remediated. 8.4.3 Software solution server/system should be hardened in accordance with industry and vendor best practices such as Center for Internet Security (CIS) benchmarks, NIS, NSA, DISA and/or other. 
8.5 Reasonable access to audit trail reports of systems utilized to access ACRAnet systems shall be made available to ACRAnet upon request, for example during breach investigation or while performing audits 8.6 Data requests from Company to ACRAnet must include the IP address of the device from which the request originated (i.e., the requesting client’s IP address), where applicable. 8.7 Company shall report actual security violations or incidents that impact Experian to ACRAnet within twenty-four (24) hours or per agreed contractual notification timeline. Company agrees to provide notice to ACRAnet of any confirmed security breach that may involve data 8.8 Company acknowledges and agrees that the Company (a) has received a copy of these requirements, (b) has read and understands Company’s obligations described in the requirements, (c) will communicate the contents of the applicable requirements contained herein, and any subsequent updates hereto, to all employees that shall have access to ACRAnet services, systems or data, and (d) will abide by the provisions of these requirements when accessing Experian data. 8.9 Company understands that its use of ACRAnet networking and computing resources may be monitored and audited by ACRAnet, without further notice. 8.10 Company acknowledges and agrees that it is responsible for all activities of its employees/authorized users, and for assuring that mechanisms to access ACRAnet services or data are secure and in compliance with its membership agreement. 8.11 When using third party service providers to access, transmit, or store Experian data, additional documentation may be required by ACRAnet. Internet Delivery Security Requirements 1. The Company shall designate in writing, an employee to be its Head Security Designate, to act as the primary interface with ACRAnet on systems access related matters. 
The Company’s Head Security Designate will be responsible for establishing, administering and monitoring all Company employees’ access to ACRAnet provided services which are delivered over the Internet (“Internet access”), or approving and establishing Security Designates to perform such functions. 2. The Company’s Head Security Designate or Security Designate shall in turn review all employee requests for Internet access approval. The Head Security Designate or its Security Designate shall determine the appropriate access to each ACRAnet product based upon the legitimate business needs of each employee. ACRAnet shall reserve the right to terminate any accounts it deems a security threat to its systems and/or consumer data. 3. Unless automated means become available, the Company shall request employee's (Internet) user access via the Head Security Designate/Security Designate in writing, in the format approved by ACRAnet. Those employees approved by the Head Security Designate or Security Designate for Internet access ("Authorized Users") will be individually assigned unique access identification accounts ("User ID") and passwords/passphrases (this also applies to the unique Server-to-Server access IDs and passwords/passphrases). ACRAnet’s approval of requests for (Internet) access may be granted or withheld in its sole discretion. ACRAnet may add to or change its requirements for granting (Internet) access to the services at any time (including, without limitation, the imposition of fees relating to (Internet) access upon reasonable notice to Company), and reserves the right to change passwords/passphrases and to revoke any authorizations previously granted. Note: Partially completed forms and verbal requests will not be accepted. 4. 
An officer of the Company agrees to notify ACRAnet in writing immediately if it wishes to change or delete any employee as a Head Security Designate, Security Designate, or Authorized User; or if the identified Head Security Designate, Security Designate or Authorized User is terminated or otherwise loses his or her status as an Authorized User. 1. Company agrees to identify an employee it has designated to act on its behalf as a primary interface with ACRAnet on systems access related matters. This individual shall be identified as the "Head Security Designate." The Head Security Designate can further identify a Security Designate(s) to provide the day to day administration of the Authorized Users. Security Designate(s) must be an employee and a duly appointed representative of the Company and shall be available to interact with ACRAnet on information and product access, in accordance with these Experian Access Security Requirements for Reseller End-Users. The Head Security Designate Authorization Form must be signed by a duly authorized representative of the Company. Company’s duly authorized representative (e.g. contracting officer, security manager, etc.) must authorize changes to Company’s Head Security Designate. The Head Security Designate will submit all requests to create, change or lock Security Designate and/or Authorized User access accounts and permissions to ACRAnet’s systems and information (via the Internet). Changes in Head Security Designate status (e.g. transfer or termination) are to be reported to ACRAnet immediately. 2. As a Client to ACRAnet’s products and services via the Internet, the Head Security Designate is acting as the duly authorized representative of Company. 3. The Security Designate may be appointed by the Head Security Designate as the individual that the Company authorizes to act on behalf of the business in regards to ACRAnet product access control (e.g. request to add/change/remove access). 
The Company can opt to appoint more than one Security Designate (e.g. for backup purposes). The Company understands that the Security Designate(s) it appoints shall be someone who will generally be available during normal business hours and can liaise with ACRAnet’s Security Administration group on information and product access matters. 4. The Head Designate shall be responsible for notifying their corresponding ACRAnet representative in a timely fashion of any Authorized User accounts (with their corresponding privileges and access to application and data) that are required to be terminated due to suspicion (or actual) threat of system compromise, unauthorized access to data and/or applications, or account inactivity. 1. Must be an employee and duly appointed representative of Company, identified as an approval point for Company’s Authorized Users. 2. Is responsible for the initial and on-going authentication and validation of Company’s Authorized Users and must maintain current information about each (phone number, valid email address, etc.). 3. Is responsible for ensuring that proper privileges and permissions have been granted in alignment with Authorized User's job responsibilities. 4. Is responsible for ensuring that Company’s Authorized Users are authorized to access ACRAnet products and services. 5. Must disable Authorized User ID if it becomes compromised or if the Authorized User's employment is terminated by Company. 6. Must immediately report any suspicious or questionable activity to ACRAnet regarding access to ACRAnet’s products and services. 7. Shall immediately report changes in their Head Security Designate's status (e.g. transfer or termination) to ACRAnet.

Appears in 2 contracts

Samples: Business Information Services Agreement, Business Information Services Agreement

Mobile and Cloud Technology. 7.1 Storing Experian data on mobile devices is prohibited. Any exceptions must be obtained from Experian in writing; additional security requirements will apply. 03/2016 CISCO Credit Public Page 4 of 10 Reseller ASR for End Users 7.2 Mobile applications development must follow industry known secure software development standard practices such as OWASP and OWASP Mobile Security Project adhering to common controls and addressing top risks. 7.3 Mobile applications development processes must follow secure software assessment methodology which includes appropriate application security testing (for example: static, dynamic analysis, penetration testing) and ensuring vulnerabilities are remediated. 7.4 Mobility solution server/system should be hardened in accordance with industry and vendor best practices such as Center for Internet Security (CIS) benchmarks, NIS, NSA, DISA and/or other. 7.5 Mobile applications and data shall be hosted on devices through a secure container separate from any personal applications and data. See details below. Under no circumstances is Experian data to be exchanged between secured and non-secured applications on the mobile device. 7.6 In case of non-consumer access, that is, commercial/business-to-business (B2B) users accessing Experian data via mobile applications (internally developed or using a third party application), ensure that multi-factor authentication and/or adaptive/risk-based authentication mechanisms are utilized to authenticate users to application. 7.7 When using cloud providers to access, transmit, store, or process Experian data ensure that: Appropriate due diligence is conducted to maintain compliance with applicable laws and regulations and contractual obligations Cloud providers must have gone through independent audits and are compliant with one or more of the following standards, or a current equivalent as approved/recognized by Experian: 8.
General o ISO 27001 o PCI DSS o EI3PA o SSAE 16 – SOC 2 or SOC3 o FISMA o CAI / CCM assessment 8.1 ACRAnet may from time to time audit the security mechanisms Company maintains to safeguard access to Experian information, systems and electronic communications. Audits may include examination of systems security and associated administrative practices 8.2 In cases where the Company is accessing Experian information and systems via third party software, the Company agrees to make available to ACRAnet upon request, audit trail information and management reports generated by the vendor software, regarding Company individual authorized users. 8.3 Company shall be responsible for and ensure that third party software, which accesses ACRAnet information systems, is secure, and protects this vendor software against unauthorized modification, copy and placement on systems which have not been authorized for its use. 8.4 Company shall conduct software development (for software which accesses ACRAnet information systems; this applies to both in-house or outsourced software development) based on the following requirements: 8.4.1 Software development must follow industry known secure software development standard practices such as OWASP adhering to common controls and addressing top risks. 8.4.2 Software development processes must follow secure software assessment methodology which includes appropriate application security testing (for example: static, dynamic analysis, penetration testing) and ensuring vulnerabilities are remediated. 8.4.3 Software solution server/system should be hardened in accordance with industry and vendor best practices such as Center for Internet Security (CIS) benchmarks, NIS, NSA, DISA and/or other. 
8.5 Reasonable access to audit trail reports of systems utilized to access ACRAnet systems shall be made available to ACRAnet upon request, for example during breach investigation or while performing audits 8.6 Data requests from Company to ACRAnet must include the IP address of the device from which the request originated (i.e., the requesting client’s IP address), where applicable. 8.7 Company shall report actual security violations or incidents that impact Experian to ACRAnet within twenty-four (24) hours or per agreed contractual notification timeline. Company agrees to provide notice to ACRAnet of any confirmed security breach that may involve data 8.8 Company acknowledges and agrees that the Company (a) has received a copy of these requirements, (b) has read and understands Company’s obligations described in the requirements, (c) will communicate the contents of the applicable requirements contained herein, and any subsequent updates hereto, to all employees that shall have access to ACRAnet services, systems or data, and (d) will abide by the provisions of these requirements when accessing Experian data. 8.9 Company understands that its use of ACRAnet networking and computing resources may be monitored and audited by ACRAnet, without further notice. 8.10 Company acknowledges and agrees that it is responsible for all activities of its employees/authorized users, and for assuring that mechanisms to access ACRAnet services or data are secure and in compliance with its membership agreement. 8.11 When using third party service providers to access, transmit, or store Experian data, additional documentation may be required by ACRAnet. Internet Delivery Security Requirements 1. The Company shall designate in writing, an employee to be its Head Security Designate, to act as the primary interface with ACRAnet on systems access related matters. 
The Company’s Head Security Designate will be responsible for establishing, administering and monitoring all Company employees’ access to ACRAnet provided services which are delivered over the Internet (“Internet access”), or approving and establishing Security Designates to perform such functions. 2. The Company’s Head Security Designate or Security Designate shall in turn review all employee requests for Internet access approval. The Head Security Designate or its Security Designate shall determine the appropriate access to each ACRAnet product based upon the legitimate business needs of each employee. ACRAnet shall reserve the right to terminate any accounts it deems a security threat to its systems and/or consumer data. 3. Unless automated means become available, the Company shall request employee's (Internet) user access via the Head Security Designate/Security Designate in writing, in the format approved by ACRAnet. Those employees approved by the Head Security Designate or Security Designate for Internet access ("Authorized Users") will be individually assigned unique access identification accounts ("User ID") and passwords/passphrases (this also applies to the unique Server-to-Server access IDs and passwords/passphrases). ACRAnet’s approval of requests for (Internet) access may be granted or withheld in its sole discretion. ACRAnet may add to or change its requirements for granting (Internet) access to the services at any time (including, without limitation, the imposition of fees relating to (Internet) access upon reasonable notice to Company), and reserves the right to change passwords/passphrases and to revoke any authorizations previously granted. Note: Partially completed forms and verbal requests will not be accepted. 4. 
An officer of the Company agrees to notify ACRAnet in writing immediately if it wishes to change or delete any employee as a Head Security Designate, Security Designate, or Authorized User; or if the identified Head Security Designate, Security Designate or Authorized User is terminated or otherwise loses his or her status as an Authorized User. 1. Company agrees to identify an employee it has designated to act on its behalf as a primary interface with ACRAnet on systems access related matters. This individual shall be identified as the "Head Security Designate." The Head Security Designate can further identify a Security Designate(s) to provide the day to day administration of the Authorized Users. Security Designate(s) must be an employee and a duly appointed representative of the Company and shall be available to interact with ACRAnet on information and product access, in accordance with these Experian Access Security Requirements for Reseller End-Users. The Head Security Designate Authorization Form must be signed by a duly authorized representative of the Company. Company’s duly authorized representative (e.g. contracting officer, security manager, etc.) must authorize changes to Company’s Head Security Designate. The Head Security Designate will submit all requests to create, change or lock Security Designate and/or Authorized User access accounts and permissions to ACRAnet’s systems and information (via the Internet). Changes in Head Security Designate status (e.g. transfer or termination) are to be reported to ACRAnet immediately. 2. As a Client to ACRAnet’s products and services via the Internet, the Head Security Designate is acting as the duly authorized representative of Company. 3. The Security Designate may be appointed by the Head Security Designate as the individual that the Company authorizes to act on behalf of the business in regards to ACRAnet product access control (e.g. request to add/change/remove access). 
The Company can opt to appoint more than one Security Designate (e.g. for backup purposes). The Company understands that the Security Designate(s) it appoints shall be someone who will generally be available during normal business hours and can liaise with ACRAnet’s Security Administration group on information and product access matters. 4. The Head Designate shall be responsible for notifying their corresponding ACRAnet representative in a timely fashion of any Authorized User accounts (with their corresponding privileges and access to application and data) that are required to be terminated due to suspicion (or actual) threat of system compromise, unauthorized access to data and/or applications, or account inactivity. 1. Must be an employee and duly appointed representative of Company, identified as an approval point for Company’s Authorized Users. 2. Is responsible for the initial and on-going authentication and validation of Company’s Authorized Users and must maintain current information about each (phone number, valid email address, etc.). 3. Is responsible for ensuring that proper privileges and permissions have been granted in alignment with Authorized User's job responsibilities. 4. Is responsible for ensuring that Company’s Authorized Users are authorized to access ACRAnet products and services. 5. Must disable Authorized User ID if it becomes compromised or if the Authorized User's employment is terminated by Company. 6. Must immediately report any suspicious or questionable activity to ACRAnet regarding access to ACRAnet’s products and services. 7. Shall immediately report changes in their Head Security Designate's status (e.g. transfer or termination) to ACRAnet.

Appears in 1 contract

Samples: Credit Reporting Services Agreement


Mobile and Cloud Technology. 7.1 Storing Experian data on mobile devices is prohibited. Any exceptions must be obtained from Experian in writing; additional security requirements will apply. 7.2 Mobile applications development must follow industry known secure software development standard practices such as OWASP and OWASP Mobile Security Project adhering to common controls and addressing top risks. 7.3 Mobile applications development processes must follow secure software assessment methodology which includes appropriate application security testing (for example: static, dynamic analysis, penetration testing) and ensuring vulnerabilities are remediated. 7.4 Mobility solution server/system should be hardened in accordance with industry and vendor best practices such as Center for Internet Security (CIS) benchmarks, NIS, NSA, DISA and/or other. 7.5 Mobile applications and data shall be hosted on devices through a secure container separate from any personal applications and data. See details below. Under no circumstances is Experian data to be exchanged between secured and non-secured applications on the mobile device. 7.6 In case of non-consumer access, that is, commercial/business-to-business (B2B) users accessing Experian data via mobile applications (internally developed or using a third party application), ensure that multi-factor authentication and/or adaptive/risk-based authentication mechanisms are utilized to authenticate users to application. 7.7 When using cloud providers to access, transmit, store, or process Experian data ensure that: Appropriate due diligence is conducted to maintain compliance with applicable laws and regulations and contractual obligations Cloud providers must have gone through independent audits and are compliant with one or more of the following standards, or a current equivalent as approved/recognized by Experian: 8.
General o ISO 27001 o PCI DSS o EI3PA o SSAE 16 – SOC 2 or SOC3 o FISMA o CAI / CCM assessment 8.1 ACRAnet may from time to time audit the security mechanisms Company maintains to safeguard access to Experian information, systems and electronic communications. Audits may include examination of systems security and associated administrative practices 8.2 In cases where the Company is accessing Experian information and systems via third party software, the Company agrees to make available to ACRAnet upon request, audit trail information and management reports generated by the vendor software, regarding Company individual authorized users. 8.3 Company shall be responsible for and ensure that third party software, which accesses ACRAnet information systems, is secure, and protects this vendor software against unauthorized modification, copy and placement on systems which have not been authorized for its use. 8.4 Company shall conduct software development (for software which accesses ACRAnet information systems; this applies to both in-house or outsourced software development) based on the following requirements: 8.4.1 Software development must follow industry known secure software development standard practices such as OWASP adhering to common controls and addressing top risks. 8.4.2 Software development processes must follow secure software assessment methodology which includes appropriate application security testing (for example: static, dynamic analysis, penetration testing) and ensuring vulnerabilities are remediated. 8.4.3 Software solution server/system should be hardened in accordance with industry and vendor best practices such as Center for Internet Security (CIS) benchmarks, NIS, NSA, DISA and/or other. 
8.5 Reasonable access to audit trail reports of systems utilized to access ACRAnet systems shall be made available to ACRAnet upon request, for example during breach investigation or while performing audits 8.6 Data requests from Company to ACRAnet must include the IP address of the device from which the request originated (i.e., the requesting client’s IP address), where applicable. 8.7 Company shall report actual security violations or incidents that impact Experian to ACRAnet within twenty-four (24) hours or per agreed contractual notification timeline. Company agrees to provide notice to ACRAnet of any confirmed security breach that may involve data 8.8 Company acknowledges and agrees that the Company (a) has received a copy of these requirements, (b) has read and understands Company’s obligations described in the requirements, (c) will communicate the contents of the applicable requirements contained herein, and any subsequent updates hereto, to all employees that shall have access to ACRAnet services, systems or data, and (d) will abide by the provisions of these requirements when accessing Experian data. 8.9 Company understands that its use of ACRAnet networking and computing resources may be monitored and audited by ACRAnet, without further notice. 8.10 Company acknowledges and agrees that it is responsible for all activities of its employees/authorized users, and for assuring that mechanisms to access ACRAnet services or data are secure and in compliance with its membership agreement. 8.11 When using third party service providers to access, transmit, or store Experian data, additional documentation may be required by ACRAnet. Internet Delivery Security Requirements 1. The Company shall designate in writing, an employee to be its Head Security Designate, to act as the primary interface with ACRAnet on systems access related matters. 
The Company’s Head Security Designate will be responsible for establishing, administering and monitoring all Company employees’ access to ACRAnet provided services which are delivered over the Internet (“Internet access”), or approving and establishing Security Designates to perform such functions. 2. The Company’s Head Security Designate or Security Designate shall in turn review all employee requests for Internet access approval. The Head Security Designate or its Security Designate shall determine the appropriate access to each ACRAnet product based upon the legitimate business needs of each employee. ACRAnet shall reserve the right to terminate any accounts it deems a security threat to its systems and/or consumer data. 3. Unless automated means become available, the Company shall request employee's (Internet) user access via the Head Security Designate/Security Designate in writing, in the format approved by ACRAnet. Those employees approved by the Head Security Designate or Security Designate for Internet access ("Authorized Users") will be individually assigned unique access identification accounts ("User ID") and passwords/passphrases (this also applies to the unique Server-to-Server access IDs and passwords/passphrases). ACRAnet’s approval of requests for (Internet) access may be granted or withheld in its sole discretion. ACRAnet may add to or change its requirements for granting (Internet) access to the services at any time (including, without limitation, the imposition of fees relating to (Internet) access upon reasonable notice to Company), and reserves the right to change passwords/passphrases and to revoke any authorizations previously granted. Note: Partially completed forms and verbal requests will not be accepted. 4. 
An officer of the Company agrees to notify ACRAnet in writing immediately if it wishes to change or delete any employee as a Head Security Designate, Security Designate, or Authorized User; or if the identified Head Security Designate, Security Designate or Authorized User is terminated or otherwise loses his or her status as an Authorized User. 1. Company agrees to identify an employee it has designated to act on its behalf as a primary interface with ACRAnet on systems access related matters. This individual shall be identified as the "Head Security Designate." The Head Security Designate can further identify a Security Designate(s) to provide the day to day administration of the Authorized Users. Security Designate(s) must be an employee and a duly appointed representative of the Company and shall be available to interact with ACRAnet on information and product access, in accordance with these Experian Access Security Requirements for Reseller End-Users. The Head Security Designate Authorization Form must be signed by a duly authorized representative of the Company. Company’s duly authorized representative (e.g. contracting officer, security manager, etc.) must authorize changes to Company’s Head Security Designate. The Head Security Designate will submit all requests to create, change or lock Security Designate and/or Authorized User access accounts and permissions to ACRAnet’s systems and information (via the Internet). Changes in Head Security Designate status (e.g. transfer or termination) are to be reported to ACRAnet immediately. 2. As a Client to ACRAnet’s products and services via the Internet, the Head Security Designate is acting as the duly authorized representative of Company. 3. The Security Designate may be appointed by the Head Security Designate as the individual that the Company authorizes to act on behalf of the business in regards to ACRAnet product access control (e.g. request to add/change/remove access). 
The Company can opt to appoint more than one Security Designate (e.g. for backup purposes). The Company understands that the Security Designate(s) it appoints shall be someone who will generally be available during normal business hours and can liaise with ACRAnet’s Security Administration group on information and product access matters. 4. The Head Designate shall be responsible for notifying their corresponding ACRAnet representative in a timely fashion of any Authorized User accounts (with their corresponding privileges and access to application and data) that are required to be terminated due to suspicion (or actual) threat of system compromise, unauthorized access to data and/or applications, or account inactivity. 1. Must be an employee and duly appointed representative of Company, identified as an approval point for Company’s Authorized Users. 2. Is responsible for the initial and on-going authentication and validation of Company’s Authorized Users and must maintain current information about each (phone number, valid email address, etc.). 3. Is responsible for ensuring that proper privileges and permissions have been granted in alignment with Authorized User's job responsibilities. 4. Is responsible for ensuring that Company’s Authorized Users are authorized to access ACRAnet products and services. 5. Must disable Authorized User ID if it becomes compromised or if the Authorized User's employment is terminated by Company. 6. Must immediately report any suspicious or questionable activity to ACRAnet regarding access to ACRAnet’s products and services. 7. Shall immediately report changes in their Head Security Designate's status (e.g. transfer or termination) to ACRAnet.

Appears in 1 contract

Samples: Technical Provider Agreement
