PURPOSE AND INTRODUCTION. A. In the course of providing the Goods and/or Services contemplated by the Agreement, Supplier may gain access to the University of California’s (UC) Institutional Information and/or IT Resources (both defined below). In such an event, UC and Supplier desire to appropriately protect Institutional Information and IT Resources. The purpose of this Appendix-Data Security is to specify Supplier’s cybersecurity and risk management responsibilities when Supplier has access to Institutional Information and/or IT Resources.
B. Any capitalized terms used here have the meaning ascribed to such terms as set forth in the Agreement or Incorporated Documents.
C. Supplier must provide commercially acceptable cybersecurity and cyber risk management to protect Institutional Information and/or IT Resources. This must include, but is not limited to the Supplier:
1. Developing and documenting a plan that protects Institutional Information and IT Resources.
2. Conducting an accurate and thorough assessment of the potential risks to and vulnerabilities of the security of the Institutional Information and/or IT Resources. Supplier must mitigate anticipated risks effectively. This includes implementing commercially acceptable security policies, procedures, and practices that protect Institutional Information and/or IT Resources.
3. Updating its plan to effectively address new cybersecurity risks.
4. Complying with pertinent contractual and regulatory responsibilities.
5. Providing UC with evidence of compliance with Supplier’s information security plan.
6. Keeping UC informed with timely updates on risks, vulnerabilities, Security Incidents, and Breaches.
7. Keeping UC informed of any measures UC must perform to ensure the security of Institutional Information and IT Resources.
1 Examples include the latest versions of PCI DSS, NIST CSF, CIS Critical Security Controls, ISO 27002, NIST SP 800-53 and NIST SP 800-171.
D. If, in the course of providing the Goods and/or Services under the Agreement, Supplier engages in transactions with UC affiliated individuals (including but not limited to: students, staff, faculty, customers, patients, guests, volunteers, visitors, research subjects, etc.), as a benefit and result of the Agreement, Supplier must treat any data about UC affiliated individuals that Supplier creates, receives, and/or collects in the course of those transactions with the same level of privacy and security protections and standards as required of Institutional Information by this Appendix.
E. Supplier agrees to be bound by the obligations set forth in this Appendix. To the extent applicable, Supplier also agrees to impose, by written contract, the same terms and conditions contained in this Appendix on any sub-supplier retained by Supplier to provide or assist in providing the Goods and/or Services to UC.
F. To the extent that a requirement of this Appendix conflicts with those of any other UC Agreement or Incorporated Document, the most stringent requirement (including but not limited to: least risk to UC, shortest time, best practice, etc.) will apply.
Appears in 2 contracts
Samples: Purchasing Agreement, Purchasing Agreement
PURPOSE AND INTRODUCTION. A. In the course of providing the Goods and/or Services contemplated by the Agreement, Supplier may gain access to the University of California’s (UC) Institutional Information and/or IT Resources (both defined below). In such an event, UC and Supplier desire to appropriately protect Institutional Information and IT Resources. The purpose of this Appendix-Data Security is to specify Supplier’s cybersecurity and risk management responsibilities when Supplier has access to Institutional Information and/or IT Resources.
B. Any capitalized terms used here have the meaning ascribed to such terms as set forth in the Agreement or Incorporated Documents.
C. Supplier must provide commercially acceptable cybersecurity and cyber risk management to protect Institutional Information and/or IT Resources. This must include, but is not limited to the Supplier:
1. Developing and documenting a plan that protects Institutional Information and IT Resources. Supplier must responsibly execute this plan. Supplier’s approach must conform to a recognized cybersecurity framework designed for that purpose.1 Supplier’s information security plan must be supported by a third-party review or certification. Supplier may only use an alternative to a third-party review if approved by the responsible UC Information Security Officer.
2. Conducting an accurate and thorough assessment of the potential risks to and vulnerabilities of the security of the Institutional Information and/or IT Resources. Supplier must mitigate anticipated risks effectively. This includes implementing commercially acceptable security policies, procedures, and practices that protect Institutional Information and/or IT Resources.
3. Updating its plan to effectively address new cybersecurity risks.
4. Complying with pertinent contractual and regulatory responsibilities.
5. Providing UC with evidence of compliance with Supplier’s information security plan.
6. Keeping UC informed with timely updates on risks, vulnerabilities, Security Incidents, and Breaches.
7. Keeping UC informed of any measures UC must perform to ensure the security of Institutional Information and IT Resources.
1 Examples include the latest versions of PCI DSS, NIST CSF, CIS Critical Security Controls, ISO 27000 series, NIST SP 800-53 and NIST SP 800-171.
D. If, in the course of providing the Goods and/or Services under the Agreement, Supplier engages in transactions with UC affiliated individuals (including but not limited to: students, staff, faculty, customers, patients, guests, volunteers, visitors, research subjects, etc.), as a benefit and result of the Agreement, Supplier must treat any data about UC affiliated individuals that Supplier creates, receives, and/or collects in the course of those transactions with the same level of privacy and security protections and standards as required of Institutional Information by this Appendix.
E. Supplier agrees to be bound by the obligations set forth in this Appendix. To the extent applicable, Supplier also agrees to impose, by written contract, the same terms and conditions contained in this Appendix on any sub-supplier retained by Supplier to provide or assist in providing the Goods and/or Services to UC.
F. To the extent that a requirement of this Appendix conflicts with those of any other UC Agreement or Incorporated Document, the most stringent requirement (including but not limited to: least risk to UC, shortest time, best practice, etc.) will apply.
Appears in 1 contract
Samples: Purchasing Agreement
PURPOSE AND INTRODUCTION. A. In the course of providing the Goods and/or Services contemplated by the Agreement, Supplier may gain access to the University of California’s (UC) Institutional Information and/or IT Resources (both defined below). In such an event, UC and Supplier desire to appropriately protect Institutional Information and IT Resources. The purpose of this Appendix-Data Security is to specify Supplier’s cybersecurity and risk management responsibilities when Supplier has access to Institutional Information and/or IT Resources.
B. Any capitalized terms used here have the meaning ascribed to such terms as set forth in the Agreement or Incorporated Documents.
C. Supplier must provide commercially acceptable cybersecurity and cyber risk management to protect Institutional Information and/or IT Resources. This must include, but is not limited to the Supplier:
1. Developing and documenting a plan that protects Institutional Information and IT Resources. • Supplier must responsibly execute this plan. • Supplier’s approach must conform to a recognized cybersecurity framework designed for that purpose.1 • Supplier’s information security plan must be supported by a third-party review or certification. Supplier may only use an alternative to a third-party review if approved by the responsible UC Information Security Officer.
2. Conducting an accurate and thorough assessment of the potential risks to and vulnerabilities of the security of the Institutional Information and/or IT Resources. Supplier must mitigate anticipated risks effectively. This includes implementing commercially acceptable security policies, procedures, and practices that protect Institutional Information and/or IT Resources.
3. Updating its plan to effectively address new cybersecurity risks.
4. Complying with pertinent contractual and regulatory responsibilities.
5. Providing UC with evidence of compliance with Supplier’s information security plan.
6. Keeping UC informed with timely updates on risks, vulnerabilities, Security Incidents, and Breaches.
7. Keeping UC informed of any measures UC must perform to ensure the security of Institutional Information and IT Resources.
1 Examples include the latest versions of PCI DSS, NIST CSF, CIS Critical Security Controls, ISO 27002, NIST SP 800-53 and NIST SP 800-171.
D. If, in the course of providing the Goods and/or Services under the Agreement, Supplier engages in transactions with UC affiliated individuals (including but not limited to: students, staff, faculty, customers, patients, guests, volunteers, visitors, research subjects, etc.), as a benefit and result of the Agreement, Supplier must treat any data about UC affiliated individuals that Supplier creates, receives, and/or collects in the course of those transactions with the same level of privacy and security protections and standards as required of Institutional Information by this Appendix.
E. Supplier agrees to be bound by the obligations set forth in this Appendix. To the extent applicable, Supplier also agrees to impose, by written contract, the same terms and conditions contained in this Appendix on any sub-supplier retained by Supplier to provide or assist in providing the Goods and/or Services to UC.
F. To the extent that a requirement of this Appendix conflicts with those of any other UC Agreement or Incorporated Document, the most stringent requirement (including but not limited to: least risk to UC, shortest time, best practice, etc.) will apply.
Appears in 1 contract
Samples: Master Agreement
PURPOSE AND INTRODUCTION. A. In the course of providing the Goods and/or Services contemplated by the Agreement, Supplier may gain access to the University of California’s (UC) Institutional Information and/or IT Resources (both defined below). In such an event, UC and Supplier desire to appropriately protect Institutional Information and IT Resources. The purpose of this Appendix-Data Security is to specify Supplier’s cybersecurity and risk management responsibilities when Supplier has access to Institutional Information and/or IT Resources.
B. Any capitalized terms used here have the meaning ascribed to such terms as set forth in the Agreement or Incorporated Documents.
C. Supplier must provide commercially acceptable cybersecurity and cyber risk management to protect Institutional Information and/or IT Resources. This must include, but is not limited to the Supplier:
1. Developing and documenting a plan that protects Institutional Information and IT Resources. Supplier must responsibly execute this plan. Supplier’s approach must conform to a recognized cybersecurity framework designed for that purpose.1 Supplier’s information security plan must be supported by a third-party review or certification. Supplier may only use an alternative to a third-party review if approved by the responsible UC Information Security Officer.
2. Conducting an accurate and thorough assessment of the potential risks to and vulnerabilities of the security of the Institutional Information and/or IT Resources. Supplier must mitigate anticipated risks effectively. This includes implementing commercially acceptable security policies, procedures, and practices that protect Institutional Information and/or IT Resources.
3. Updating its plan to effectively address new cybersecurity risks.
4. Complying with pertinent contractual and regulatory responsibilities.
5. Providing UC with evidence of compliance with Supplier’s information security plan.
6. Keeping UC informed with timely updates on risks, vulnerabilities, Security Incidents, and Breaches.
7. Keeping UC informed of any measures UC must perform to ensure the security of Institutional Information and IT Resources.
1 Examples include the latest versions of PCI DSS, NIST CSF, CIS Critical Security Controls, ISO 27002, NIST SP 800-53 and NIST SP 800-171.
D. If, in the course of providing the Goods and/or Services under the Agreement, Supplier engages in transactions with UC affiliated individuals (including but not limited to: students, staff, faculty, customers, patients, guests, volunteers, visitors, research subjects, etc.), as a benefit and result of the Agreement, Supplier must treat any data about UC affiliated individuals that Supplier creates, receives, and/or collects in the course of those transactions with the same level of privacy and security protections and standards as required of Institutional Information by this Appendix.
E. Supplier agrees to be bound by the obligations set forth in this Appendix. To the extent applicable, Supplier also agrees to impose, by written contract, the same terms and conditions contained in this Appendix on any sub-supplier retained by Supplier to provide or assist in providing the Goods and/or Services to UC.
F. To the extent that a requirement of this Appendix conflicts with those of any other UC Agreement or Incorporated Document, the most stringent requirement (including but not limited to: least risk to UC, shortest time, best practice, etc.) will apply.
Appears in 1 contract
Samples: It Consulting Services Agreement
PURPOSE AND INTRODUCTION. A. In the course of providing the Goods and/or Services contemplated by the Agreement, Supplier may gain access to the University of California’s (UC) Institutional Information and/or IT Resources (both defined below). In such an event, UC and Supplier desire to appropriately protect Institutional Information and IT Resources. The purpose of this Appendix-Data Security is to specify Supplier’s cybersecurity and risk management responsibilities when Supplier has access to Institutional Information and/or IT Resources.
B. Any capitalized terms used here have the meaning ascribed to such terms as set forth in the Agreement or Incorporated Documents.
C. Supplier must provide commercially acceptable cybersecurity and cyber risk management to protect Institutional Information and/or IT Resources. This must include, but is not limited to the Supplier:
1. Developing and documenting a plan that protects Institutional Information and IT Resources. • Supplier must responsibly execute this plan. • Supplier’s approach must conform to a recognized cybersecurity framework designed for that purpose.1 • Supplier’s information security plan must be supported by a third-party review or certification. Supplier may only use an alternative to a third-party review if approved by the responsible UC Information Security Officer.
2. Conducting an accurate and thorough assessment of the potential risks to and vulnerabilities of the security of the Institutional Information and/or IT Resources. Supplier must mitigate anticipated risks effectively. This includes implementing commercially acceptable security policies, procedures, and practices that protect Institutional Information and/or IT Resources.
3. Updating its plan to effectively address new cybersecurity risks.
4. Complying with pertinent contractual and regulatory responsibilities.
5. Providing UC with evidence of compliance with Supplier’s information security plan.
6. Keeping UC informed with timely updates on risks, vulnerabilities, Security Incidents, and Breaches.
7. Keeping UC informed of any measures UC must perform to ensure the security of Institutional Information and IT Resources.
1 Examples include the latest versions of PCI DSS, NIST CSF, CIS Critical Security Controls, ISO 27002, NIST SP 800-53 and NIST SP 800-171.
D. If, in the course of providing the Goods and/or Services under the Agreement, Supplier engages in transactions with UC affiliated individuals (including but not limited to: students, staff, faculty, customers, patients, guests, volunteers, visitors, research subjects, etc.), as a benefit and result of the Agreement, Supplier must treat any data about UC affiliated individuals that Supplier creates, receives, and/or collects in the course of those transactions with the same level of privacy and security protections and standards as required of Institutional Information by this Appendix.
E. Supplier agrees to be bound by the obligations set forth in this Appendix. To the extent applicable, Supplier also agrees to impose, by written contract, the same terms and conditions contained in this Appendix on any sub-supplier retained by Supplier to provide or assist in providing the Goods and/or Services to UC.
F. To the extent that a requirement of this Appendix conflicts with those of any other UC Agreement or Incorporated Document, the most stringent requirement (including but not limited to: least risk to UC, shortest time, best practice, etc.) will apply.
Appears in 1 contract
Samples: Supply Agreement
PURPOSE AND INTRODUCTION. A. In the course of providing the Goods and/or Services contemplated by the Agreement, Supplier may gain access to the University of California’s (UC) Institutional Information and/or IT Resources (both defined below). In such an event, UC and Supplier desire to appropriately protect Institutional Information and IT Resources. The purpose of this Appendix-Data Security is to specify Supplier’s cybersecurity and risk management responsibilities when Supplier has access to Institutional Information and/or IT Resources.
B. Any capitalized terms used here have the meaning ascribed to such terms as set forth in the Agreement or Incorporated Documents.
C. Supplier must provide commercially acceptable cybersecurity and cyber risk management to protect Institutional Information and/or IT Resources. This must include, but is not limited to the Supplier:
1. Developing and documenting a plan that protects Institutional Information and IT Resources. Supplier must responsibly execute this plan. Supplier’s approach must conform to a recognized cybersecurity framework designed for that purpose.1 Supplier’s information security plan must be supported by a third-party review or certification.
2. Conducting an accurate and thorough assessment of the potential risks to and vulnerabilities of the security of the Institutional Information and/or IT Resources. Supplier must reasonably mitigate anticipated risks effectively. This includes implementing commercially acceptable information and data security industry standard security policies, procedures, and practices that protect Institutional Information and/or IT Resources.
3. Updating its plan to effectively address new cybersecurity risks.
4. Complying with pertinent contractual and regulatory responsibilities.
5. Providing UC with evidence of compliance with Supplier’s information security plan upon advanced written notice.
6. Keeping UC informed with timely updates on risks, vulnerabilities, Security Incidents, and Breaches that have a material effect upon Institutional Information.
7. Keeping UC informed of any measures UC must perform to ensure the security of Institutional Information and IT Resources.
1 Examples include the latest versions of PCI DSS, NIST CSF, CIS Critical Security Controls, ISO 27000 series, NIST SP 800-53 and NIST SP 800-171.
D. If, in the course of providing the Goods and/or Services under the Agreement, Supplier engages in transactions with UC affiliated individuals (including but not limited to: students, staff, faculty, customers, patients, guests, volunteers, visitors, research subjects, etc.), as a benefit and result of the Agreement, Supplier must treat any data about UC affiliated individuals that Supplier creates, receives, and/or collects in the course of those transactions with the same level of privacy and security protections and standards as required of Institutional Information by this Appendix.
E. Supplier agrees to be bound by the obligations set forth in this Appendix. To the extent applicable, Supplier also agrees to impose, by written contract, the same or substantially similar terms and conditions contained in this Appendix on any sub-supplier retained by Supplier to provide or assist in providing the Goods and/or Services to UC.
F. To the extent that a requirement of this Appendix conflicts with those of any other UC Agreement or Incorporated Document, the most stringent requirement (including but not limited to: least risk to UC, shortest time, best practice, etc.) will apply.
Appears in 1 contract
Samples: Purchasing Agreement
PURPOSE AND INTRODUCTION. A. In the course of providing the Goods and/or Services contemplated by the Agreement, Supplier may gain access to the University of California’s (UC) Institutional Information and/or IT Resources (both defined below). In such an event, UC and Supplier desire to appropriately protect Institutional Information and IT Resources. The purpose of this Appendix-Data Security is to specify Supplier’s cybersecurity and risk management responsibilities when Supplier has access to Institutional Information and/or IT Resources.
B. Any capitalized terms used here have the meaning ascribed to such terms as set forth in the Agreement or Incorporated Documents.
C. Supplier must provide commercially acceptable cybersecurity and cyber risk management to protect Institutional Information and/or IT Resources. This must include, but is not limited to the Supplier:
1. Developing and documenting a plan that protects Institutional Information and IT Resources. • Supplier must responsibly execute this plan. • Supplier’s approach must conform to a recognized cybersecurity framework designed for that purpose.1 • Supplier’s information security plan must be supported by a third-party review or certification. Supplier may only use an alternative to a third-party review if approved by the responsible UC Information Security Officer.
2. Conducting an accurate and thorough assessment of the potential risks to and vulnerabilities of the security of the Institutional Information and/or IT Resources. Supplier must mitigate anticipated risks effectively. This includes implementing commercially acceptable security policies, procedures, and practices that protect Institutional Information and/or IT Resources.
3. Updating its plan to effectively address new cybersecurity risks.
4. Complying with pertinent contractual and regulatory responsibilities.
5. Providing UC with evidence of compliance with Supplier’s information security plan.
6. Keeping UC informed with timely updates on risks, vulnerabilities, Security Incidents, and Breaches.
7. Keeping UC informed of any measures UC must perform to ensure the security of Institutional Information and IT Resources.
1 Examples include the latest versions of PCI DSS, NIST CSF, CIS Critical Security Controls, ISO 27002, NIST SP 800-53 and NIST SP 800-171.
D. If, in the course of providing the Goods and/or Services under the Agreement, Supplier engages in transactions with UC affiliated individuals (including but not limited to: students, staff, faculty, customers, patients, guests, volunteers, visitors, research subjects, etc.), as a benefit and result of the Agreement, Supplier must treat any data about UC affiliated individuals that Supplier creates, receives, and/or collects in the course of those transactions with the same level of privacy and security protections and standards as required of Institutional Information by this Appendix.
E. Supplier agrees to be bound by the obligations set forth in this Appendix. To the extent applicable, Supplier also agrees to impose, by written contract, the same terms and conditions contained in this Appendix on any sub-supplier retained by Supplier that are specifically involved in data security and privacy, to provide or assist in providing the Goods and/or Services to UC.
F. To the extent that a requirement of this Appendix conflicts with those of any other UC Agreement or Incorporated Document, the most stringent requirement (including but not limited to: least risk to UC, shortest time, best practice, etc.) will apply.
Appears in 1 contract
Samples: Purchase Agreement
PURPOSE AND INTRODUCTION. A. In the course of providing the Goods and/or Services contemplated by the Agreement, Supplier may gain access to the University of California’s (UC) Institutional Information and/or IT Resources (both defined below). In such an event, UC and Supplier desire to appropriately protect Institutional Information and IT Resources. The purpose of this Appendix-Data Security is to specify Supplier’s cybersecurity and risk management responsibilities when Supplier has access to Institutional Information and/or IT Resources.
B. Any capitalized terms used here have the meaning ascribed to such terms as set forth in the Agreement or Incorporated Documents.
C. Supplier must provide commercially acceptable cybersecurity and cyber risk management to protect Institutional Information and/or IT Resources. This must include, but is not limited to the Supplier:
1. Developing and documenting a plan that protects Institutional Information and IT Resources. • Supplier must responsibly execute this plan. • Supplier’s approach must conform to a recognized cybersecurity framework designed for that purpose.1 • Supplier’s information security plan must be supported by a third-party review or certification. Supplier may only use an alternative to a third-party review if approved by the responsible UC Information Security Officer.
2. Conducting an accurate and thorough assessment of the potential risks to and vulnerabilities of the security of the Institutional Information and/or IT Resources. Supplier must mitigate anticipated risks effectively. This includes implementing commercially acceptable security policies, procedures, and practices that protect Institutional Information and/or IT Resources.
3. Updating its plan to effectively address new cybersecurity risks.
4. Complying with pertinent contractual and regulatory responsibilities.
5. Providing UC with evidence of compliance with Supplier’s information security plan.
6. Keeping UC informed with timely updates on risks, vulnerabilities, Security Incidents, and Breaches.
7. Keeping UC informed of any measures UC must perform to ensure the security of Institutional Information and IT Resources.
1 Examples include the latest versions of PCI DSS, NIST CSF, CIS Critical Security Controls, ISO 27002, NIST SP 800-53 and NIST SP 800-171.
D. If, in the course of providing the Goods and/or Services under the Agreement, Supplier engages in transactions with UC affiliated individuals (including but not limited to: students, staff, faculty, customers, patients, guests, volunteers, visitors, research subjects, etc.), as a benefit and result of the Agreement, Supplier must treat any data about UC affiliated individuals that Supplier creates, receives, and/or collects in the course of those transactions with the same level of privacy and security protections and standards as required of Institutional Information by this Appendix.
E. Supplier agrees to be bound by the obligations set forth in this Appendix. To the extent applicable, Supplier also agrees to impose, by written contract, the same terms and conditions contained in this Appendix on any sub-supplier retained by Supplier to provide or assist in providing the Goods and/or Services to UC.
F. To the extent that a requirement of this Appendix conflicts with those of any other UC Agreement or Incorporated Document, the most stringent requirement (including but not limited to: least risk to UC, shortest time, best practice, etc.) will apply.
Appears in 1 contract
Samples: Purchasing Agreement
PURPOSE AND INTRODUCTION. A. In the course of providing the Goods and/or Services contemplated by the Agreement, Supplier may gain access to the University of California’s (UC) Institutional Information and/or IT Resources (both defined below). In such an event, UC and Supplier desire to appropriately protect Institutional Information and IT Resources. The purpose of this Appendix-Data Security is to specify Supplier’s cybersecurity and risk management responsibilities when Supplier has access to Institutional Information and/or IT Resources.
B. Any capitalized terms used here have the meaning ascribed to such terms as set forth in the Agreement or Incorporated Documents.
C. Supplier must provide commercially acceptable cybersecurity and cyber risk management to protect Institutional Information and/or IT Resources. This must include, but is not limited to the Supplier:
1. Developing and documenting a plan that protects Institutional Information and IT Resources. • Supplier must responsibly execute this plan. • Supplier’s approach must conform to a recognized cybersecurity framework designed for that purpose.1 • Supplier’s information security plan must be supported by a third-party review or certification. Supplier may only use an alternative to a third-party review if approved by the responsible UC Information Security Officer.
2. Conducting an accurate and thorough assessment of the potential risks to and vulnerabilities of the security of the Institutional Information and/or IT Resources. Supplier must mitigate anticipated risks effectively. This includes implementing commercially acceptable security policies, procedures, and practices that protect Institutional Information and/or IT Resources.
3. Updating its plan to effectively address new cybersecurity risks.
4. Complying with pertinent contractual and regulatory responsibilities.
5. Providing UC with evidence of compliance with Supplier’s information security plan.
6. Keeping UC informed with timely updates on risks, vulnerabilities, Security Incidents, and Breaches with respect to Supplier’s environment and any material degradation in Supplier’s performance of its obligations under this Appendix.
7. Keeping UC informed of any measures UC must perform to ensure the security of Institutional Information and IT Resources.
1 Examples include the latest versions of PCI DSS, NIST CSF, CIS Critical Security Controls, ISO 27000 series, NIST SP 800-53 and NIST SP 800-171.
D. If, in the course of providing the Goods and/or Services under the Agreement, Supplier engages in transactions with UC affiliated individuals (including but not limited to: students, staff, faculty, customers, patients, guests, volunteers, visitors, research subjects, etc.), as a benefit and result of the Agreement, Supplier must treat any data about UC affiliated individuals that Supplier creates, receives, and/or collects in the course of those transactions with the same level of privacy and security protections and standards as required of Institutional Information by this Appendix.
E. Supplier agrees to be bound by the obligations set forth in this Appendix. To the extent applicable, Supplier also agrees to impose, by written contract, substantially similar terms and conditions contained in this Appendix on any sub-supplier retained by Supplier to provide or assist in providing the Goods and/or Services to UC.
F. To the extent that a requirement of this Appendix conflicts with those of any other UC Agreement or Incorporated Document, the most stringent requirement (including but not limited to: least risk to UC, shortest time, best practice, etc.) will apply.
Appears in 1 contract
Samples: Purchasing Agreement
PURPOSE AND INTRODUCTION. A. In the course of providing the Goods and/or Services contemplated by the Agreement, Supplier may gain access to the University of California’s (UC) Institutional Information and/or IT Resources (both defined below). In such an event, UC and Supplier desire to appropriately protect Institutional Information and IT Resources. The purpose of this Appendix-Data Security is to specify Supplier’s cybersecurity and risk management responsibilities when Supplier has access to Institutional Information and/or IT Resources.
B. Any capitalized terms used here have the meaning ascribed to such terms as set forth in the Agreement or Incorporated Documents.
C. Supplier must provide commercially acceptable cybersecurity and cyber risk management to protect Institutional Information and/or IT Resources. This must include, but is not limited to the Supplier:
1. Developing and documenting a plan that protects Institutional Information and IT Resources. • Supplier must responsibly execute this plan. • Supplier’s approach must conform to a recognized cybersecurity framework designed for that purpose.1 • Supplier’s information security plan must be supported by a third-party review or certification. Supplier may only use an alternative to a third-party review if approved by the responsible UC Information Security Officer.
2. Conducting an accurate and thorough assessment of the potential risks to and vulnerabilities of the security of the Institutional Information and/or IT Resources. Supplier must mitigate anticipated risks effectively. This includes implementing commercially acceptable security policies, procedures, and practices that protect Institutional Information and/or IT Resources.
3. Updating its plan to effectively address new cybersecurity risks.
4. Complying with pertinent contractual and regulatory responsibilities.
5. Providing UC with evidence of compliance with Supplier’s information security plan.
6. Keeping UC informed with timely updates on risks, vulnerabilities, Security Incidents, and Breaches.
7. Keeping UC informed of any measures UC must perform to ensure the security of Institutional Information and IT Resources.
1 Examples include the latest versions of PCI DSS, NIST CSF, CIS Critical Security Controls, ISO 27002, NIST SP 800-53 and NIST SP 800-171.
D. If, in the course of providing the Goods and/or Services under the Agreement, Supplier engages in transactions with UC affiliated individuals (including but not limited to: students, staff, faculty, customers, patients, guests, volunteers, visitors, research subjects, etc.), as a benefit and result of the Agreement, Supplier must treat any data about UC affiliated individuals that Supplier creates, receives, and/or collects in the course of those transactions with the same level of privacy and security protections and standards as required of Institutional Information by this Appendix.
E. Supplier agrees to be bound by the obligations set forth in this Appendix. To the extent applicable, Supplier also agrees to impose, by written contract, the same terms and conditions contained in this Appendix on any sub-supplier retained by Supplier to provide or assist in providing the Goods and/or Services to UC.
F. To the extent that a requirement of this Appendix conflicts with those of any other UC Agreement or Incorporated Document, the most stringent requirement (including but not limited to: least risk to UC, shortest time, best practice, etc.) will apply.
Appears in 1 contract
Samples: Vendor Contract