Common use of Security and Policies Clause in Contracts

Security and Policies. All performance under this Contract shall be in accordance with County’s security requirements, policies, and procedures as set forth in this Paragraph. Contractor shall at all times use industry best practices and methods with regard to the prevention, detection, and elimination, by all appropriate means, of fraud, abuse, and other inappropriate or unauthorized access to County Resources (which is defined as all applicable County systems, software, assets, hardware, equipment, and other resources owned by or leased or licensed to County or that are provided to County by third party service providers) and County Data accessed in the performance of Services in this Contract. Contractor also must comply with Attachment D, Business Associate Contract. Information Access Contractor must at all times use appropriate safeguard and security measures to ensure the confidentiality and security of all County Data and County Resources. All County Data and County Resources used and/or accessed by Contractor: (a) must be used and accessed by Contractor solely and exclusively in connection with, and in furtherance of, the performance of Contractor’s obligations under this Contract; (b) must not be used or accessed except as expressly permitted in this Contract and must not be commercially exploited in any manner whatsoever by Contractor or Contractor’s personnel and subcontractors; and (c) must not be shared with Contractor’s parent company or other affiliate without County’s express prior written consent. County may require Contractor to issue any necessary information-access mechanisms, including access IDs and passwords, to Contractor personnel and subcontractors, only with such level of access as is required for the individual to perform the individual’s assigned tasks and functions under this Contract. The issued mechanisms may not be shared and may only be used by the individual to whom the information-access mechanism is issued. In addition, the issued mechanisms must be promptly cancelled when the individual is terminated, transferred or on a leave of absence. Each calendar year of the Contract and any time upon request by County, Contractor must provide County with an accurate, up-to-date list of those Contractor personnel and subcontractors with access to County Data and/or County Resources and the respective security level or clearance assigned to each such individual. Contractor, including Contractor personnel and subcontractors, must fully comply with all of County’s policies and procedures regarding data access and security, including those prohibiting or restricting remote access to County Data and County Resources. County may require all Contractor personnel and subcontractors performing Services under this Contract to execute a confidentiality and non-disclosure agreement concerning County Data and County Resources in the form provided by County. Contractor’s failure to comply with the provisions of this Paragraph is a breach of this Contract and entitles County to deny or restrict the rights of such non-complying Contractor personnel to access and use the County Resources and County Data, as County in its sole discretion deems appropriate. Data Security Requirements Without limiting Contractor’s obligation of confidentiality as further described in this Contract, Contractor must establish, maintain, and enforce a data privacy program and an information security program, including safety, physical, and technical security policies and procedures, that comply with the requirements set forth in this Contract and, to the extent such programs are consistent with and not less protective than the requirements set forth in this Contract, are at least equal to applicable best industry practices and standards. These programs must provide physical and technical safeguards against accidental, unlawful, or unauthorized access to or use, destruction, loss, alteration, disclosure, transfer, commingling, or processing of County Data. Contractor must take all necessary measures to secure and defend all locations, equipment, systems, and other materials and facilities employed in connection with the Services against “hackers” and others who may seek, without authorization, to disrupt, damage, modify, access or otherwise use Contractor Resources (which is defined as all Services, software, assets, hardware, equipment, and other resources and materials provided by Contractor to County, otherwise utilized by Contractor, or approved by Contractor for utilization by County, in connection with this Contract) or the information found therein; and prevent County Data from being commingled with or contaminated by the data of other customers or their users. Contractor also must continuously monitor Contractor Resources for potential areas where security could be breached. Contractor must review the data privacy and information security programs regularly, but no less than annually, and update and maintain them to comply with applicable laws, regulations, technology changes, and best practices. Without limiting County’s audit rights in this Contract, County has the right to review Contractor’s data privacy program and information security program prior to commencement of Services and from time to time during the term of this Contract. Contractor must allow County reasonable access to Contractor’s security logs, latency statistics, and other related security data that affect this Contract and County Data, at no cost to County. In addition, during the term of this Contract from time to time without notice, County, at its own expense, is entitled to perform, or to have performed, an on-site audit of Contractor’s data privacy and information security program. Contractor must implement any required safeguards as identified by County or by any audit of Contractor’s data privacy and information security program. County reserves the right, at its sole discretion, to immediately terminate this Contract or a part thereof for cause pursuant to Paragraph K, Termination, if County reasonably determines Contractor fails or has failed to meet its obligations under this Paragraph. Enhanced Security Measures County may, in its discretion, designate certain areas, facilities, or County Resources as requiring an enhanced level of security and access control above that expressly required in this Contract. County will notify Contractor in writing reasonably in advance of any such designation becoming effective. The notice will set forth in reasonable detail the enhanced security or access-control procedures, measures, or requirements that Contractor must implement and enforce as well as the date on which such procedures and measures will take effect. If commercially reasonable, Contractor, including Contractor’s personnel and subcontractors, must fully comply with and abide by all such enhanced security and access measures and procedures as of such date. If not commercially reasonable to fully comply as of such date, Contractor, including Contractor’s personnel and subcontractors, must fully comply with and abide by all such enhanced security and access measures and procedures within a commercially reasonable time. County will be responsible for any additional cost required by the changes. General Security Standards Contractor is solely responsible for the Contractor Resources used by or for Contractor to access County Resources, County Data or otherwise in connection with the Services and must prevent unauthorized access to County Resources or County Data through the Contractor Resources. At all times during the term, Contractor must maintain a level of security with regard to the Contractor Resources, that in all events is at least as secure as the levels of security that are common and prevalent in the industry and in accordance with industry best practices. Contractor must maintain all appropriate administrative, physical, technical, and procedural safeguards and controls to secure County Data from data breach, protect County Data and the Services from loss, corruption, unauthorized disclosure, and from hacks, and the introduction of viruses, Disabling Devices, malware, and other forms of malicious and inadvertent acts that can disrupt County’s access and use of County Data and the Services. Such measures must include at a minimum: (a) access controls on information systems, including controls to authenticate and permit access to County Data only to authorized individuals and controls to prevent Contractor employees from providing County Data to unauthorized individuals who may seek to obtain this information; (b) industry-standard firewall protection; (c) encryption of electronic County Data while in transit from Contractor networks to external networks; (d) measures to store in a secure fashion all County Data which must include but not be limited to, encryption at rest and multiple levels of authentication; (e) dual control procedures, segregation of duties, and pre-employment criminal background checks from employees with responsibilities for or access to County Data; (f) measures to ensure that County Data is not altered or corrupted without the prior written consent of County; (g) measures to protect against destruction, loss or damage of County Data due to potential environmental hazards, such as fire and water damage; (h) staff training to implement the information security measures; and (i) monitoring of the security of any portions of Contractor Resources that are used in the provision of the Services against intrusion on a twenty-four hour a day basis.

Security and Policies. All performance under this Contract shall be in accordance with County’s security requirements, policies, and procedures as set forth in this Paragraph. Contractor shall at all times use industry best practices and methods with regard to the prevention, detection, and elimination, by all appropriate means, of fraud, abuse, and other inappropriate or unauthorized access to County Resources (which is defined as all applicable County systems, software, assets, hardware, equipment, and other resources owned by or leased or licensed to County or that are provided to County by third party service providers) and County Data accessed in the performance of Services in this Contract. Contractor also must comply with Attachment D, Business Associate Contract. Information Access Contractor must at all times use appropriate safeguard and security measures to ensure the confidentiality and security of all County Data and County Resources. All County Data and County Resources used and/or accessed by Contractor: (a) must be used and accessed by Contractor solely and exclusively in connection with, and in furtherance of, the performance of Contractor’s obligations under this Contract; (b) must not be used or accessed except as expressly permitted in this Contract and must not be commercially exploited in any manner whatsoever by Contractor or Contractor’s personnel and subcontractors; and (c) must not be shared with Contractor’s parent company or other affiliate without County’s express prior written consent. County may require Contractor to issue any necessary information-access mechanisms, including access IDs and passwords, to Contractor personnel and subcontractors, only with such level of access as is required for the individual to perform the individual’s assigned tasks and functions under this Contract. The issued mechanisms may not be shared and may only be used by the individual to whom the information-access mechanism is issued. In addition, the issued mechanisms must be promptly cancelled when the individual is terminated, transferred or on a leave of absence. Each calendar year of the Contract and any time upon request by County, Contractor must provide County with an accurate, up-to-date list of those Contractor personnel and subcontractors with access to County Data and/or County Resources and the respective security level or clearance assigned to each such individual. Contractor, including Contractor personnel and subcontractors, must fully comply with all of County’s policies and procedures regarding data access and security, including those prohibiting or restricting remote access to County Data and County Resources. County may require all Contractor personnel and subcontractors performing Services under this Contract to execute a confidentiality and non-disclosure agreement Contract. Contract concerning County Data and County Resources in the form provided by County. Contractor’s failure to comply with the provisions of this Paragraph is a breach of this Contract and entitles County to deny or restrict the rights of such non-complying Contractor personnel to access and use the County Resources and County Data, as County in its sole discretion deems appropriate. Data Security Requirements Without limiting Contractor’s obligation of confidentiality as further described in this Contract, Contractor must establish, maintain, and enforce a data privacy program and an information security program, including safety, physical, and technical security policies and procedures, that comply with the requirements set forth in this Contract and, to the extent such programs are consistent with and not less protective than the requirements set forth in this Contract, are at least equal to applicable best industry practices and standards. These programs must provide physical and technical safeguards against accidental, unlawful, or unauthorized access to or use, destruction, loss, alteration, disclosure, transfer, commingling, or processing of County Data. Contractor must take all necessary measures to secure and defend all locations, equipment, systems, and other materials and facilities employed in connection with the Services against “hackers” and others who may seek, without authorization, to disrupt, damage, modify, access or otherwise use Contractor Resources (which is defined as all Services, software, assets, hardware, equipment, and other resources and materials provided by Contractor to County, otherwise utilized by Contractor, or approved by Contractor for utilization by County, in connection with this Contract) or the information found therein; and prevent County Data from being commingled with or contaminated by the data of other customers or their users. Contractor also must continuously monitor Contractor Resources for potential areas where security could be breached. Contractor must review the data privacy and information security programs regularly, but no less than annually, and update and maintain them to comply with applicable laws, regulations, technology changes, and best practices. Without limiting County’s audit rights in this Contract, County has the right to review Contractor’s data privacy program and information security program prior to commencement of Services and from time to time during the term of this Contract. Contractor must allow County reasonable access to Contractor’s security logs, latency statistics, and other related security data that affect this Contract and County Data, at no cost to County. In addition, during the term of this Contract from time to time without and upon reasonable notice, County, at its own expense, is entitled to perform, or to have performed, an on-site audit of Contractor’s data privacy and information security program, provided that any such audits shall be limited to once during any calendar year. Contractor must implement any required safeguards as identified by County or by any audit of Contractor’s data privacy and information security program. County reserves the right, at its sole discretion, to immediately terminate this Contract or a part thereof for cause pursuant to Paragraph K, Termination, if County reasonably determines Contractor fails or has failed to meet its obligations under this Paragraph. Enhanced Security Measures County may, in its discretion, designate certain areas, facilities, or County Resources as requiring an enhanced level of security and access control above that expressly required in this Contract. County will notify Contractor in writing reasonably in advance of any such designation becoming effective. The notice will set forth in reasonable detail the enhanced security or access-control procedures, measures, or requirements that Contractor must implement and enforce as well as the date on which such procedures and measures will take effect. If commercially reasonable, Contractor, including Contractor’s personnel and subcontractors, must fully comply with and abide by all such enhanced security and access measures and procedures as of such date. If not commercially reasonable to fully comply as of such date, Contractor, including Contractor’s personnel and subcontractors, must fully comply with and abide by all such enhanced security and access measures and procedures within a commercially reasonable time. County will be responsible for any additional cost required by the changes. General Security Standards Contractor is solely responsible for the Contractor Resources used by or for Contractor to access County Resources, County Data or otherwise in connection with the Services and must prevent unauthorized access to County Resources or County Data through the Contractor Resources. At all times during the term, Contractor must maintain a level of security with regard to the Contractor Resources, that in all events is at least as secure as the levels of security that are common and prevalent in the industry and in accordance with industry best practices. Contractor must maintain all appropriate administrative, physical, technical, and procedural safeguards and controls to secure County Data from data breach, protect County Data and the Services from loss, corruption, unauthorized disclosure, and from hacks, and the introduction of viruses, Disabling Devices, malware, and other forms of malicious and inadvertent acts that can disrupt County’s access and use of County Data and the Services. Such measures must include at a minimum: (a) access controls on information systems, including controls to authenticate and permit access to County Data only to authorized individuals and controls to prevent Contractor employees from providing County Data to unauthorized individuals who may seek to obtain this information; (b) industry-standard firewall protection; (c) encryption of electronic County Data while in transit from Contractor networks to external networks; (d) measures to store in a secure fashion all County Data which must include but not be limited to, encryption at rest and multiple levels of authentication; (e) dual control procedures, segregation of duties, and pre-employment criminal background checks from employees with responsibilities for or access to County Data; (f) measures to ensure that County Data is not altered or corrupted without the prior written consent of County; (g) measures to protect against destruction, loss or damage of County Data due to potential environmental hazards, such as fire and water damage; (h) staff training to implement the information security measures; and (i) monitoring of the security of any portions of Contractor Resources that are used in the provision of the Services against intrusion on a twenty-four hour a day basis.

Security and Policies. All performance under this Contract shall be in accordance with County’s security requirements, policies, and procedures as set forth in this Paragraph. Contractor shall at all times use industry best practices and methods with regard to the prevention, detection, and elimination, by all appropriate means, of fraud, abuse, and other inappropriate or unauthorized access to County Resources (which is defined as all applicable County systems, software, assets, hardware, equipment, and other resources owned by or leased or licensed to County or that are provided to County by third party service providers) and County Data accessed in the performance of Services in this Contract. Contractor also must comply with Attachment D, Business Associate Contract. Information Access Contractor must at all times use appropriate safeguard and security measures to ensure the confidentiality and security of all County Data and County Resources. All County Data and County Resources used and/or accessed by Contractor: (a) must be used and accessed by Contractor solely and exclusively in connection with, and in furtherance of, the performance of Contractor’s obligations under this Contract; (b) must not be used or accessed except as expressly permitted in this Contract and must not be commercially exploited in any manner whatsoever by Contractor or Contractor’s personnel and subcontractors; and (c) must not be shared with Contractor’s parent company or other affiliate without County’s express prior written consent. County may require Contractor to issue any necessary information-access mechanisms, including access IDs and passwords, to Contractor personnel and subcontractors, only with such level of access as is required for the individual to perform the individual’s assigned tasks and functions under this Contract. The issued mechanisms may not be shared and may only be used by the individual to whom the information-access mechanism is issued. In addition, the issued mechanisms must be promptly cancelled when the individual is terminated, transferred or on a leave of absence. Each calendar year of the Contract and any time upon request by County, Contractor must provide County with an accurate, up-to-date list of those Contractor personnel and subcontractors with access to County Data and/or County Resources and the respective security level or clearance assigned to each such individual. Contractor, including Contractor personnel and subcontractors, must fully comply with all of County’s policies and procedures regarding data access and security, including those prohibiting or restricting remote access to County Data and County Resources. County may require all Contractor personnel and subcontractors performing Services under this Contract , that are provided to execute a confidentiality and non-disclosure agreement concerning County Data and County Resources in the form provided by County. or made available to Contractor’s failure to comply with the provisions of this Paragraph is a breach of this Contract and entitles County to deny or restrict the rights of such non-complying Contractor personnel to access and use the County Resources and County Data, as County in its sole discretion deems appropriate. Data Security Requirements Without limiting Contractor’s obligation of confidentiality as further described in this Contract, Contractor must establish, maintain, and enforce a data privacy program and an information security program, including safety, physical, and technical security policies and procedures, that comply with the requirements set forth in this Contract and, to the extent such programs are consistent with and not less protective than the requirements set forth in this Contract, are at least equal to applicable best industry practices and standards. These programs must provide physical and technical safeguards against accidental, unlawful, or unauthorized access to or use, destruction, loss, alteration, disclosure, transfer, commingling, or processing of County Data. Contractor must take all necessary measures to secure and defend all locations, equipment, systems, and other materials and facilities employed in connection with the Services against “hackers” and others who may seek, without authorization, to disrupt, damage, modify, access or otherwise use Contractor Resources (which is defined as all Services, software, assets, hardware, equipment, and other resources and materials provided by Contractor to County, otherwise utilized by Contractor, or approved by Contractor for utilization by County, in connection with this Contract) or the information found therein; and prevent County Data from being commingled with or contaminated by the data of other customers or their users. Contractor also must continuously monitor Contractor Resources for potential areas where security could be breached. Contractor must review the data privacy and information security programs regularly, but no less than annually, and update and maintain them to comply with applicable laws, regulations, technology changes, and best practices. Without limiting County’s audit rights in this Contract, County has the right to review Contractor’s data privacy program and information security program prior to commencement of Services and from time to time during the term of this Contract. Contractor must allow County reasonable access to Contractor’s security logs, latency statistics, and other related security data that affect this Contract and County Data, at no cost to County. In addition, during the term of this Contract from time to time without notice, County, at its own expense, is entitled to perform, or to have performed, an on-site audit of Contractor’s data privacy and information security program. Contractor must implement any required safeguards as identified by County or by any audit of Contractor’s data privacy and information security program. County reserves the right, at its sole discretion, to immediately terminate this Contract or a part thereof for cause pursuant to Paragraph K, Termination, if County reasonably determines Contractor fails or has failed to meet its obligations under this Paragraph. Enhanced Security Measures County may, in its discretion, designate certain areas, facilities, or County Resources as requiring an enhanced level of security and access control above that expressly required in this Contract. County will notify Contractor in writing reasonably in advance of any such designation becoming effective. The notice will set forth in reasonable detail the enhanced security or access-control procedures, measures, or requirements that Contractor must implement and enforce as well as the date on which such procedures and measures will take effect. If commercially reasonable, Contractor, including Contractor’s personnel and subcontractors, must fully comply with and abide by all such enhanced security and access measures and procedures as of such date. If not commercially reasonable to fully comply as of such date, Contractor, including Contractor’s personnel and subcontractors, must fully comply with and abide by all such enhanced security and access measures and procedures within a commercially reasonable time. County will be responsible for any additional cost required by the changes. General Security Standards Contractor is solely responsible for the Contractor Resources used by or for Contractor to access County Resources, County Data or otherwise in connection with the Services and must prevent unauthorized access to County Resources or County Data through the Contractor Resources. At all times during the term, Contractor must maintain a level of security with regard to the Contractor Resources, that in all events is at least as secure as the levels of security that are common and prevalent in the industry and in accordance with industry best practices. Contractor must maintain all appropriate administrative, physical, technical, and procedural safeguards and controls to secure County Data from data breach, protect County Data and the Services from loss, corruption, unauthorized disclosure, and from hacks, and the introduction of viruses, Disabling Devices, malware, and other forms of malicious and inadvertent acts that can disrupt County’s access and use of County Data and the Services. Such measures must include at a minimum: (a) access controls on information systems, including controls to authenticate and permit access to County Data only to authorized individuals and controls to prevent Contractor employees from providing County Data to unauthorized individuals who may seek to obtain this information; (b) industry-standard firewall protection; (c) encryption of electronic County Data while in transit from Contractor networks to external networks; (d) measures to store in a secure fashion all County Data which must include but not be limited to, encryption at rest and multiple levels of authentication; (e) dual control procedures, segregation of duties, and pre-employment criminal background checks from employees with responsibilities for or access to County Data; (f) measures to ensure that County Data is not altered or corrupted without the prior written consent of County; (g) measures to protect against destruction, loss or damage of County Data due to potential environmental hazards, such as fire and water damage; (h) staff training to implement the information security measures; and (i) monitoring of the security of any portions of Contractor Resources that are used in the provision of the Services against intrusion on a twenty-four hour a day basis.

Security and Policies. All performance under this Contract shall be in accordance with County’s security requirements, policies, and procedures as set forth in this Paragraph. Contractor shall at all times use industry best practices and methods with regard to the prevention, detection, and elimination, by all appropriate means, of fraud, abuse, and other inappropriate or unauthorized access to County Resources (which is defined as all applicable County systems, software, assets, hardware, equipment, and other resources owned by or leased or licensed to County or that are provided to County by third party service providers) and County Data accessed in the performance of Services in this Contract. Contractor also must comply with Attachment D, Business Associate Contract. Information Access Contractor must at all times use appropriate safeguard and security measures to ensure the confidentiality and security of all County Data and County Resources. All County Data and County Resources used and/or accessed by Contractor: (a) must be used and accessed by Contractor solely and exclusively in connection with, and in furtherance of, the performance of Contractor’s obligations under this Contract; (b) must not be used or accessed except as expressly permitted in this Contract and must not be commercially exploited in any manner whatsoever by Contractor or Contractor’s personnel and subcontractors; and (c) must not be shared with Contractor’s parent company or other affiliate without County’s express prior written consent. County may require Contractor to issue any necessary information-access mechanisms, including access IDs and passwords, to Contractor personnel and subcontractors, only with such level of access as is required for the individual to perform the individual’s assigned tasks and functions under this Contract. The issued mechanisms may not be shared and may only be used by the individual to whom the information-access mechanism is issued. In addition, the issued mechanisms must be promptly cancelled when the individual is terminated, transferred or on a leave of absence. Each calendar year of the Contract and any time upon request by County, Contractor must provide County with an accurate, up-to-date list of those Contractor personnel and subcontractors with access to County Data and/or County Resources and the respective security level or clearance assigned to each such individual. Contractor, including Contractor personnel and subcontractors, must fully comply with all of County’s policies and procedures regarding data access and security, including those prohibiting or restricting remote access to County Data and County Resources. County may require all Contractor personnel and subcontractors performing Services under this Contract to execute a confidentiality and non-disclosure agreement concerning County Data and County Resources in the form provided by County. Contractor’s failure to comply with the provisions of this Paragraph is a breach of this Contract and entitles County to deny or restrict the rights of such non-complying Contractor personnel to access and use the County Resources and County Data, as County in its sole discretion deems appropriate. Data Security Requirements Without limiting Contractor’s obligation of confidentiality as further described in this Contract, Contractor must establish, maintain, and enforce a data privacy program and an information security program, including safety, physical, and technical security policies and procedures, that comply with the requirements set forth in this Contract and, to the extent such programs are consistent with and not less protective than the requirements set forth in this Contract, are at least equal to applicable best industry practices and standards. These programs must provide physical and technical safeguards against accidental, unlawful, or unauthorized access to or use, destruction, loss, alteration, disclosure, transfer, commingling, or processing of County Data. Contractor must take all necessary measures to secure and defend all locations, equipment, systems, and other materials and facilities employed in connection with the Services against “hackers” and others who may seek, without authorization, to disrupt, damage, modify, access or otherwise use Contractor Resources (which is defined as all Services, software, assets, hardware, equipment, and other resources and materials provided by Contractor to County, otherwise utilized by Contractor, or approved by Contractor for utilization by County, in connection with this Contract) or the information found therein; and prevent County Data from being commingled with or contaminated by the data of other customers or their users. Contractor also must continuously monitor Contractor Resources for potential areas where security could be breached. Contractor must review the data privacy and information security programs regularly, but no less than annually, and update and maintain them to comply with applicable laws, regulations, technology changes, and best practices. Without limiting County’s audit rights in this Contract, County has the right to review Contractor’s data privacy program and information security program prior to commencement of Services services and from time to time during the term of this Contract. Contractor must allow County reasonable access to Contractor’s security logs, latency statistics, and other related security data that affect this Contract and County Data, at no cost to County. In addition, during the term of this Contract from time to time without notice, County, at its own expense, is entitled to perform, or to have performed, an on-site audit of Contractor’s data privacy and information security program. Contractor must implement any required safeguards as identified by County or by any audit of Contractor’s data privacy and information security program. County reserves the right, at its sole discretion, to immediately terminate this Contract or a part thereof for cause pursuant to Paragraph K19, Termination, if County reasonably determines Contractor fails or has failed to meet its obligations under this Paragraph. Enhanced Security Measures County may, in its discretion, designate certain areas, facilities, or County Resources as requiring an enhanced level of security and access control above that expressly required in this Contract. County will notify Contractor in writing reasonably in advance of any such designation becoming effective. The notice will set forth in reasonable detail the enhanced security or access-control procedures, measures, or requirements that Contractor must implement and enforce as well as the date on which such procedures and measures will take effect. If commercially reasonable, Contractor, including Contractor’s personnel and subcontractors, must fully comply with and abide by all such enhanced security and access measures and procedures as of such date. If not commercially reasonable to fully comply as of such date, Contractor, including Contractor’s personnel and subcontractors, must fully comply with and abide by all such enhanced security and access measures and procedures within a commercially reasonable time. County will be responsible for any additional cost required by the changes. General Security Standards Contractor is solely responsible for the Contractor Resources used by or for Contractor to access County Resources, County Data or otherwise in connection with the Services services and must prevent unauthorized access to County Resources or County Data through the Contractor Resources. At all times during the term, Contractor must maintain a level of security with regard to the Contractor Resources, that in all events is at least as secure as the levels of security that are common and prevalent in the industry and in accordance with industry best practices. Contractor must maintain all appropriate administrative, physical, technical, and procedural safeguards and controls to secure County Data from data breach, protect County Data and the Services services from loss, corruption, unauthorized disclosure, and from hacks, and the introduction of viruses, Disabling Devices, malware, and other forms of malicious and inadvertent acts that can disrupt County’s access and use of County Data and the Servicesservices. Such measures must include at a minimum: (a) access controls on information systems, including controls to authenticate and permit access to County Data only to authorized individuals and controls to prevent Contractor employees from providing County Data to unauthorized individuals who may seek to obtain this information; (b) industry-standard firewall protection; (c) encryption of electronic County Data while in transit from Contractor networks to external networks; (d) measures to store in a secure fashion all County Data which must include but not be limited to, encryption at rest and multiple levels of authentication; (e) dual control procedures, segregation of duties, and pre-employment criminal background checks from employees with responsibilities for or access to County Data; (f) measures to ensure that County Data is not altered or corrupted without the prior written consent of County; (g) measures to protect against destruction, loss or damage of County Data due to potential environmental hazards, such as fire and water damage; (h) staff training to implement the information security measures; and (i) monitoring of the security of any portions of Contractor Resources that are used in the provision of the Services services against intrusion on a twenty-four hour a day basis.

Security and Policies. All performance under this Contract shall be in accordance with County’s security requirements, policies, and procedures as set forth in this Paragraph. Contractor shall at all times use industry best practices and methods with regard to the prevention, detection, and elimination, by all appropriate means, of fraud, abuse, and other inappropriate or unauthorized access to County Resources (which is defined as all applicable County systems, software, assets, hardware, equipment, and other resources owned by or leased or licensed to County or that are provided to County by third party service providers) and County Data accessed in the performance of Services in this Contract. Contractor also must comply with Attachment D, Business Associate Contract. Information Access Contractor must at all times use appropriate safeguard and security measures to ensure the confidentiality and security of all County Data and County Resources. All County Data and County Resources used and/or accessed by Contractor: (a) must be used and accessed by Contractor solely and exclusively in connection with, and in furtherance of, the performance of Contractor’s obligations under this Contract; (b) must not be used or accessed except as expressly permitted in this Contract and must not be commercially exploited in any manner whatsoever by Contractor or Contractor’s personnel and subcontractors; and (c) must not be shared with Contractor’s parent company or other affiliate without County’s express prior written consent. County may require Contractor to issue any necessary information-access mechanisms, including access IDs and passwords, to Contractor personnel and subcontractors, only with such level of access as is required for the individual to perform the individual’s assigned tasks and functions under this Contract. The issued mechanisms may not be shared and may only be used by the individual to whom the information-access mechanism is issued. In addition, the issued mechanisms must be promptly cancelled when the individual is terminated, transferred or on a leave of absence. Each calendar year of the Contract and any time upon request by County, Contractor must provide County with an accurate, up-to-date list of those Contractor personnel and subcontractors with access to County Data and/or County Resources and the respective security level or clearance assigned to each such individual. Contractor, including Contractor personnel and subcontractors, must fully comply with all of County’s policies and procedures regarding data access and security, including those prohibiting or restricting remote access to County Data and County Resources. County may require all Contractor personnel and subcontractors performing Services under this Contract to execute a confidentiality and non-disclosure agreement concerning County Data and County Resources in the form provided by County. Contractor’s failure to comply with the provisions of this Paragraph is a breach of this Contract and entitles County to deny or restrict the rights of such non-complying Contractor personnel to access and use the County Resources and County Data, as County in its sole discretion deems appropriate. Data Security Requirements Without limiting Contractor’s obligation of confidentiality as further described in this Contract, Contractor must establish, maintain, and enforce a data privacy program and an information security program, including safety, physical, and technical security policies and procedures, that comply with the requirements set forth in this Contract and, to the extent such programs are consistent with and not less protective than the requirements set forth in this Contract, are at least equal to applicable best industry practices and standards. These programs must provide physical and technical safeguards against accidental, unlawful, or unauthorized access to or use, destruction, loss, alteration, disclosure, transfer, commingling, or processing of County Data. Contractor must take all necessary measures to secure and defend all locations, equipment, systems, and other materials and facilities employed in connection with the Services against “hackers” and others who may seek, without authorization, to disrupt, damage, modify, access or otherwise use Contractor Resources (which is defined as all Services, software, assets, hardware, equipment, and other resources and materials provided by Contractor to County, otherwise utilized by Contractor, or approved by Contractor for utilization by County, in connection with this Contract) or the information found therein; and prevent County Data from being commingled with or contaminated by the data of other customers or their users. Contractor also must continuously monitor Contractor Resources for potential areas where security could be breached. Contractor must review the data privacy and information security programs regularly, but no less than annually, and update and maintain them to comply with applicable laws, regulations, technology changes, and best practices. Without limiting County’s audit rights in this Contract, County has the right to review Contractor’s data privacy program and information security program prior to commencement of Services services and from time to time during the term of this Contract. Contractor must allow County reasonable access to Contractor’s security logs, latency statistics, and other related security data that affect this Contract and County Data, at no cost to County. In addition, during the term of this Contract from time to time without notice, County, at its own expense, is entitled to perform, or to have performed, an on-site audit of Contractor’s data privacy and information security program. Contractor must implement any required safeguards as identified by County or by any audit of Contractor’s data privacy and information security program. County reserves the right, at its sole discretion, to immediately terminate this Contract or a part thereof for cause pursuant to Paragraph KXxxxxxxxx 00, TerminationXxxxxxxxxxx, if County reasonably determines Contractor fails or has failed to meet its obligations under this Paragraph. Enhanced Security Measures County may, in its discretion, designate certain areas, facilities, or County Resources as requiring an enhanced level of security and access control above that expressly required in this Contract. County will notify Contractor in writing reasonably in advance of any such designation becoming effective. The notice will set forth in reasonable detail the enhanced security or access-control procedures, measures, or requirements that Contractor must implement and enforce as well as the date on which such procedures and measures will take effect. If commercially reasonable, Contractor, including Contractor’s personnel and subcontractors, must fully comply with and abide by all such enhanced security and access measures and procedures as of such date. If not commercially reasonable to fully comply as of such date, Contractor, including Contractor’s personnel and subcontractors, must fully comply with and abide by all such enhanced security and access measures and procedures within a commercially reasonable time. County will be responsible for any additional cost required by the changes. General Security Standards Contractor is solely responsible for the Contractor Resources used by or for Contractor to access County Resources, County Data or otherwise in connection with the Services services and must prevent unauthorized access to County Resources or County Data through the Contractor Resources. At all times during the term, Contractor must maintain a level of security with regard to the Contractor Resources, that in all events is at least as secure as the levels of security that are common and prevalent in the industry and in accordance with industry best practices. Contractor must maintain all appropriate administrative, physical, technical, and procedural safeguards and controls to secure County Data from data breach, protect County Data and the Services services from loss, corruption, unauthorized disclosure, and from hacks, and the introduction of viruses, Disabling Devices, malware, and other forms of malicious and inadvertent acts that can disrupt County’s access and use of County Data and the Servicesservices. Such measures must include at a minimum: (a) access controls on information systems, including controls to authenticate and permit access to County Data only to authorized individuals and controls to prevent Contractor employees from providing County Data to unauthorized individuals who may seek to obtain this information; (b) industry-standard firewall protection; (c) encryption of electronic County Data while in transit from Contractor networks to external networks; (d) measures to store in a secure fashion all County Data which must include but not be limited to, encryption at rest and multiple levels of authentication; (e) dual control procedures, segregation of duties, and pre-employment criminal background checks from employees with responsibilities for or access to County Data; (f) measures to ensure that County Data is not altered or corrupted without the prior written consent of County; (g) measures to protect against destruction, loss or damage of County Data due to potential environmental hazards, such as fire and water damage; (h) staff training to implement the information security measures; and (i) monitoring of the security of any portions of Contractor Resources that are used in the provision of the Services services against intrusion on a twenty-four hour a day basis.

Security and Policies. All performance under this Contract shall be in accordance with County’s security requirements, policies, and procedures as set forth in this Paragraph. Contractor shall at all times use industry best practices and methods with regard to the prevention, detection, and elimination, by all appropriate means, of fraud, abuse, and other inappropriate or unauthorized access to County Resources (which is defined as all applicable County systems, software, assets, hardware, equipment, and other resources owned by or leased or licensed to County or that are provided to County by third party service providers) and County Data accessed in the performance of Services in this Contract. Contractor also must comply with Attachment D, Business Associate Contract. Information Access Contractor must at all times use appropriate safeguard and security measures to ensure the confidentiality and security of all County Data and County Resources. All County Data and County Resources used and/or accessed by Contractor: (a) must be used and accessed by Contractor solely and exclusively in connection with, and in furtherance of, the performance of Contractor’s obligations under this Contract; (b) must not be used or DocuSign Envelope ID: 32AC7F38-40B4-4FD7-9103-57D01A9AA5C7 accessed except as expressly permitted in this Contract and must not be commercially exploited in any manner whatsoever by Contractor or Contractor’s personnel and subcontractors; and (c) must not be shared with Contractor’s parent company or other affiliate without County’s express prior written consent. County may require Contractor to issue any necessary information-access mechanisms, including access IDs and passwords, to Contractor personnel and subcontractors, only with such level of access as is required for the individual to perform the individual’s assigned tasks and functions under this Contract. The issued mechanisms may not be shared and may only be used by the individual to whom the information-access mechanism is issued. In addition, the issued mechanisms must be promptly cancelled when the individual is terminated, transferred or on a leave of absence. Each calendar year of the Contract and any time upon request by County, Contractor must provide County with an accurate, up-to-date list of those Contractor personnel and subcontractors with access to County Data and/or County Resources and the respective security level or clearance assigned to each such individual. Contractor, including Contractor personnel and subcontractors, must fully comply with all of County’s policies and procedures regarding data access and security, including those prohibiting or restricting remote access to County Data and County Resources. County may require all Contractor personnel and subcontractors performing Services under this Contract to execute a confidentiality and non-disclosure agreement concerning County Data and County Resources in the form provided by County. Contractor’s failure to comply with the provisions of this Paragraph is a breach of this Contract and entitles County to deny or restrict the rights of such non-complying Contractor personnel to access and use the County Resources and County Data, as County in its sole discretion deems appropriate. Data Security Requirements Without limiting Contractor’s obligation of confidentiality as further described in this Contract, Contractor must establish, maintain, and enforce a data privacy program and an information security program, including safety, physical, and technical security policies and procedures, that comply with the requirements set forth in this Contract and, to the extent such programs are consistent with and not less protective than the requirements set forth in this Contract, are at least equal to applicable best industry practices and standards. These programs must provide physical and technical safeguards against accidental, unlawful, or unauthorized access to or use, destruction, loss, alteration, disclosure, transfer, commingling, or processing of County Data. Contractor must take all necessary measures to secure and defend all locations, equipment, systems, and other materials and facilities employed in connection with the Services against “hackers” and others who may seek, without authorization, to disrupt, damage, modify, access or otherwise use Contractor Resources (which is defined as all Services, software, assets, hardware, equipment, and other resources and materials provided by Contractor to County, otherwise utilized by Contractor, or approved by Contractor for utilization by County, in connection with this Contract) or the information found therein; and prevent County Data from being commingled with or contaminated by the data of other customers or their users. Contractor also must continuously monitor Contractor Resources for potential areas where security could be breached. Contractor must review the data privacy and information security programs regularly, but no less than annually, and update and maintain them to comply with applicable laws, regulations, technology changes, and best practices. DocuSign Envelope ID: 32AC7F38-40B4-4FD7-9103-57D01A9AA5C7 Without limiting County’s audit rights in this Contract, County has the right to review Contractor’s data privacy program and information security program prior to commencement of Services services and from time to time during the term of this Contract. Contractor must allow County reasonable access to Contractor’s security logs, latency statistics, and other related security data that affect this Contract and County Data, at no cost to County. In addition, during the term of this Contract from time to time without notice, County, at its own expense, is entitled to perform, or to have performed, an on-site audit of Contractor’s data privacy and information security program. Contractor must implement any required safeguards as identified by County or by any audit of Contractor’s data privacy and information security program. County reserves the right, at its sole discretion, to immediately terminate this Contract or a part thereof for cause pursuant to Paragraph K19, Termination, if County reasonably determines Contractor fails or has failed to meet its obligations under this Paragraph. Enhanced Security Measures County may, in its discretion, designate certain areas, facilities, or County Resources as requiring an enhanced level of security and access control above that expressly required in this Contract. County will notify Contractor in writing reasonably in advance of any such designation becoming effective. The notice will set forth in reasonable detail the enhanced security or access-control procedures, measures, or requirements that Contractor must implement and enforce as well as the date on which such procedures and measures will take effect. If commercially reasonable, Contractor, including Contractor’s personnel and subcontractors, must fully comply with and abide by all such enhanced security and access measures and procedures as of such date. If not commercially reasonable to fully comply as of such date, Contractor, including Contractor’s personnel and subcontractors, must fully comply with and abide by all such enhanced security and access measures and procedures within a commercially reasonable time. County will be responsible for any additional cost required by the changes. General Security Standards Contractor is solely responsible for the Contractor Resources used by or for Contractor to access County Resources, County Data or otherwise in connection with the Services services and must prevent unauthorized access to County Resources or County Data through the Contractor Resources. At all times during the term, Contractor must maintain a level of security with regard to the Contractor Resources, that in all events is at least as secure as the levels of security that are common and prevalent in the industry and in accordance with industry best practices. Contractor must maintain all appropriate administrative, physical, technical, and procedural safeguards and controls to secure County Data from data breach, protect County Data and the Services services from loss, corruption, unauthorized disclosure, and from hacks, and the introduction of viruses, Disabling Devices, malware, and other forms of malicious and inadvertent acts that can disrupt County’s access and use of County Data and the Servicesservices. Such measures must include at a minimum: (a) access controls on information systems, including controls to authenticate and permit access to County Data only to authorized individuals and controls to prevent Contractor employees from providing County Data to unauthorized individuals who may seek to obtain this information; (b) industry-standard firewall protection; (c) encryption of electronic County Data while in transit from Contractor networks to external networks; (d) measures to store in a secure fashion all County Data which must include but not be limited to, encryption at rest and multiple levels of authentication; (e) dual control procedures, segregation of duties, and pre-employment criminal background checks from employees with responsibilities for or access to County Data; (f) measures to ensure that County Data is not altered or corrupted without the prior written consent of County; (g) measures to DocuSign Envelope ID: 32AC7F38-40B4-4FD7-9103-57D01A9AA5C7 protect against destruction, loss or damage of County Data due to potential environmental hazards, such as fire and water damage; (h) staff training to implement the information security measures; and (i) monitoring of the security of any portions of Contractor Resources that are used in the provision of the Services services against intrusion on a twenty-four hour a day basis.