Privacy and Security Requirements. The parties to the CPTA Agreement are required to protect the Confidential Information in accordance with applicable direction and guidelines from the Treasury Board of Canada, or their equivalent in the case of the CPTA, with respect to the protection of “Protected B” data, including guidance from CSE (ITSG-33) which aligns with the ISO 27001 framework. Further as a federal government institution, the CPTA acknowledges that CMHC is subject to the Access to Information Act (Canada) and the Privacy Act (Canada) and therefore the CPTA agrees to submit to whatever reasonable measures are necessary in order to ensure that CMHC can comply with these laws and their related regulations, policies, and directives (“ATIP Legislation”). As such, the CPTA agrees: (i) to protect any Personal Information that it may access through the course of providing CPTA Services under this CPTA Agreement in a manner that is compatible with provisions of ATIP Legislation; and (ii) that it has in place appropriate privacy protection measures to safeguard all the Confidential Information that it has access to under this CPTA Agreement. More specifically, the CPTA shall, as required by the provisions of Sections 5.1 and
Privacy and Security Requirements. Blue Shield must adhere to the terms and conditions in the Information Privacy and Security Requirements which are incorporated as Exhibit E to this Agreement. Schedule A
Privacy and Security Requirements. If the Contractor is a “Business Associate” as defined at 45 C.F.R. § 160.103, it must comply with the privacy and security requirements for functioning as a “business associate” of the Department or as a “covered entity” under HIPAA and HITECH. In addition to executing this Contract, the Contractor must execute the Business Associate Agreement attached to this Contract as Attachment 6.
Privacy and Security Requirements. While in possession of such information, GemCloud shall apply all applicable privacy and security requirements set forth in this Agreement to maintain the confidentiality, security, integrity, and availability of such data. Notwithstanding any other provision in this Agreement, in case of non-permitted use or disclosure, GemCloud shall immediately take all reasonable and legal actions to retrieve such information if disclosed to any non-permitted individual or entity.
Privacy and Security Requirements. The Contractor and State will establish written agreements for the requirements to specify applicable systems, tools, and approach to completion of privacy and security deliverables. The Contractor shall provide the following deliverables to the State at the frequencies listed below: NIST 800-53 Task name Periodicity Due to State Delivery Schedule Definition of Deliverables Third party supported services (Included or alternative) Definition of Alternatives and Exceptions Attestation due to the State AC-2 Weekly Privileged Account review Weekly (minimum) Quarterly End of March, June, Sep, Dec Letter to state for Contract or-maintained services Alternative Separate attestation letter for EVV SaaS AU-6 Audit log review Weekly (minimum) Quarterly End of March, June, Sep, Dec Letter to state for Contract or-maintained services Alternative Separate attestation letter for EVV SaaS AC-2 System Access review 180 days 180 days/6 months/ bi-annually End of June, End of December Letter to state for Contract or-maintained services Alternative Separate attestation letter for EVV SaaS AC-2 Roles review forseparation of duties Annual Annual End of June Letter to state for Contractor-maintained services Alternative Separate attestation letterfor EVV SaaS AT-2 Security Awarenesstraining Annual Annual End of July Letter to state for Contractor-maintained services Alternative Separate attestation letterfor EVV SaaS Documen t- wide Security Policy review Annual Annual End of June Letter to state for Contract or-maintained services Alternative Separate attestation letter for EVV SaaS Exercise to be Performed with the State IR-2/3 Incident Response Plan review & training – participation in IR tabletop exercise Annual Annual September Review of IR Plan and documented tabletop exercise results Alternative Separate attestation letter for EVV SaaS CP-3 Contingency planreview/test – participation in Annual Annual October Review of DR/BCP documentation Alternative Separate attestation letter for EVV SaaS DR/BCP tabletopexercise CP-2 Disaster recovery presentation and Review - participation in DR/BCP tabletop exercise Annual Annual October Review of DR/BCP documentation and DR test reports for MMIS core and PMM Alternative attestation letter for EVV SaaS with DR exercise summary available on request Deliverables due to the State CA-7 Continuous monitoring/Securitymetrics report Monthly Quarterly End of March, June, Sep, Dec Metrics tabin POAM workbook. Alternative Separate attestation ...
Privacy and Security Requirements. Customer will comply with all applicable laws concerning the Enformion Products, including without limitation applicable laws regulating how an organization manages, protects and distributes confidential information and laws restricting the collection, use, disclosure, processing and free movement of personal information (collectively, the “Privacy Regulations”). The Privacy Regulations include, to the extent applicable, the Federal “Privacy of Consumer Financial Information” Regulation (12 CFP Part 40) and Interagency Guidelines Establishing Information Security Standards (App B to 12 CFR Part 30), as amended from time to time, issued pursuant to the GLBA. Customer expressly agrees that it will comply with the use requirements applicable pursuant to the GLBA and similar laws, including without limitation each of the permissible use requirements set forth on Exhibit C attached hereto. Customer will maintain all appropriate administrative, physical and technological processes and equipment to store and protect the Enformion Products in a secure manner, including without limitation, maintaining an information security program that is designed to protect information processing system(s) and media containing the Enformion Products from internal and external security threats, and the Enformion Products from unauthorized use or disclosure. In addition and to the extent applicable, Customer specifically agrees to comply with each of the security requirements set forth on Exhibit B attached hereto. Enformion may, from time to time, provide written notice to Customer of updates to the security requirements set forth on Exhibit B, and Customer will comply with the updated security requirements following a mutually agreed upon and reasonable period of time. Customer acknowledges and agrees that Customer has an ongoing obligation to protect and preserve the confidentiality, privacy, security and integrity of the Enformion Products, and the standards embodied in this Agreement are merely minimum standards of conduct for Customer in furtherance of the foregoing continuing obligation.
Privacy and Security Requirements. The parties to the Custodial Agreement are required to protect the Confidential Information in accordance with applicable direction and guidelines from the Treasury Board of Canada, or their equivalent in the case of the Custodian, with respect to the protection of "Protected B" data, including guidance from CSE (ITSG-33) which aligns with the ISO 27001 framework. Further as a federal government institution, the Custodian acknowledges that the Trust is subject to the Access to Information Act (Canada) and the Privacy Act (Canada) and therefore the Custodian agrees to submit to whatever reasonable measures are necessary in order to ensure that the Trust can comply with these laws and their related regulations, policies, and directives ("ATIP Legislation"). As such, the Custodian agrees: (i) to protect any Personal Information that it may access through the course of providing Custodial Services under this Custodial Agreement in a manner that is compatible with provisions of ATIP Legislation; and (ii) that it has in place appropriate privacy protection measures to safeguard all the Confidential Information that it has access to under this Custodial Agreement. More specifically, the Custodian shall, as required by the provisions of Section 11.10 of this Custodial Agreement, comply with the security requirements described below at all times.
Privacy and Security Requirements. Contractor’s obligations under this Contract include the requirements of this exhibit.
Privacy and Security Requirements. Contractor and its employees, agents and subcontractors shall comply with laws, regulations, and plicies governing access to and use of Agency Data, Privacy and Security Requirements, as they are stated elsewhere in this Contract, and as such laws, regulations, and policies are updated or otherwise made available to Contractor.
Privacy and Security Requirements. The Ceding Company and Reinsurer agree to comply with all applicable laws and regulations governing the privacy and security of consumer and customer “non-public personal information”. “Non-public personal information” may be transmitted by either the Ceding Company or Reinsurer to the other in accordance with the transmitting party’s then current privacy policy and practices, in order to allow the other party to perform pursuant to this Agreement. During the continuation of this Agreement and after its termination, the Ceding Company or Reinsurer shall at all times use reasonable care to maintain the confidentiality of the “non-public personal information” and shall not make any use of the “non-public personal information” beyond the purpose for which it was disclosed. The Ceding Company and Reinsurer agree that they will not transfer information to a third party, except as provided in this Agreement or as permitted by law. The Reinsurer will obtain agreements from any third parties or Reinsurers receiving non-public personal information that requires the use of reasonable care to maintain the confidentiality of the “non-public personal information”. “Non-public personal information” does not include de-identified personal data, i.e., information that does not identify, or could not reasonably be associated with, an individual.
