Security Best Practices. Contractor shall implement the following security best practices with respect to City Data and to any service provided:
Security Best Practices. External Party shall implement security best practices to ensure data integrity so that the repudiation of significant facts is negated by functionality involving a secure digital signature or another form of adequate proof that a certain person (and no other) performed a particular task.
a. Once an Employee has been authenticated as described above, External Party shall employ a verification scheme that identifies the Employee and provides an acceptable measure of security for access to Information Assets.
b. External Party must have procedures in place that create appropriate audit trails for all transactions and retain those audit trails for not less than ninety (90) days online and one (1) year offline.
c. External Party must take steps to protect Employee access by timing out the Employee session after a period of inactivity not to exceed fifteen (15) minutes.
Security Best Practices. Assessing whether client is adhering to a limited set of common security best practice measures. Adherence to these measures may help limit risk of systems, data, and access being compromised. The Information Security Assessment is designed to assist Client in identifying certain security risks to Client’s business information. The Information Security Assessment includes Marco’s review of a limited set of security risks in areas aligned with the National Institute of Standards and Technology, Cybersecurity Framework 1.1 April 2018 as described below. Marco will gather information for the Information Security Assessment by conducting interviews with Client personnel. Marco will provide a summary of its findings in a report that identifies its primary concerns, the potential business impact of those concerns, and its remediation recommendation(s). Client understands and agrees that the Information Security Assessment is not intended to be a comprehensive information security review and is not a replacement for any legal compliance review, forensic review, general third party technology audit or regulatory audit. To develop recommendations, the following risk areas will be considered:
1. Identify - Are you identifying and controlling who has access to your business information?
2. Protect - Are you protecting the confidentiality, integrity and availability of your business information?
3. Detect - Are you able to detect risks to your business information?
4. Respond - Are you able to respond to a disaster or an information security incident?
5. Recover - Are you prepared to recover from a disaster or an information security incident?
Security Best Practices. 7.1. The site shall be a stand-alone site and not require Alachua County Network access.
7.2. All Security Updates and Patches should be done in a timely manner.
7.3. The website should not list any County emails but should use forms to communicate to Alachua County staff (hiding internal emails).
7.4. Ensure that website redirects are handled in a secure manner.
7.5. Professional will work with the Alachua County Tourism staff for implementation and maintenance of the website so Alachua County Tourism staff will have knowledge for general troubleshooting purposes.
7.6. All website maintenance shall be done in accordance with industry best practices to include monthly patching and updates to reduce the risk of security vulnerabilities.
7.7. Professional will set up a production and testing website environment.
7.8. Updates to the website will be coordinated with Alachua County Tourism.
7.9. Work with Alachua County to review and coordinate all Disaster Recovery Site Plans, Service Level Agreements and Timing of Backups for Site Restoration Purposes.
Security Best Practices. Supplier shall provide a secure environment for Confidential Information and any hardware and software, including servers, network, and data components, to be provided or supported by Supplier as part of its performance under this Agreement. Supplier represents that the security measures it takes in performance of its obligations under this Agreement do, and will at all times, remain at the higher of (1) applicable security and privacy laws and regulations, (2) applicable privacy and security rules imposed by industry groups, such as the PCI Standards Council, (3) secure software development practices consistent with the BSIMM Software Security Framework, and (4) all security requirements, obligations, specifications and event reporting procedures as mutually agreed upon by the Parties; collectively referred to as “Security Best Practices”. Failure by Supplier to comply with Security Best Practices in fulfilling its security obligations shall constitute a material breach of this Agreement and no limitation on Supplier’s liability to Southwest as set forth in the Agreement shall apply to any losses resulting from or relating to such a breach, including, without limitation, any limitation on consequential and/or incidental damages.
Security Best Practices. Assessing whether client is adhering to a limited set of common security best practice measures. Adherence to these measures may help limit risk of systems, data, and access being compromised. The Basic Risk Security Assessment is designed to assist Client in identifying certain security risks to Client’s business information. The Basic Risk Security Assessment includes Marco’s review of a limited set of security risks in areas aligned with the National Institute of Standards and Technology, Cybersecurity Framework 1.1 April 2018 as described below. Marco will gather information for the Basic Risk Security Assessments by conducting interviews with Client personnel. Marco will provide a summary of its findings in a report that identifies its primary concerns, the potential business impact of those concerns, and its remediation recommendation(s). Client understands and agrees that the Basic Risk Security Assessment is not intended to be a comprehensive information security review and is not a replacement for any legal compliance review, forensic review, general third party technology audit or regulatory audit. To develop recommendations, the following risk areas will be considered:
1. Identify - Are you identifying and controlling who has access to your business information?
2. Protect - Are you protecting the confidentiality, integrity and availability of your business information?
3. Detect - Are you able to detect risks to your business information?
4. Respond - Are you able to respond to a disaster or an information security incident?
5. Recover - Are you prepared to recover from a disaster or an information security incident?
Marco’s Cyber Security Assessment is designed to assist Client in identifying certain risks to Client’s network, business information, and other information technology. The Cyber Security Assessment includes all components of the Basic Risk Security Assessment defined above. Additionally, Marco will provide the following network and information security review or testing as a part of its Cyber Security Assessment.
Security Best Practices. DOM IT will adhere to rules enforced by UAB IT and HSIS for security best practices.
Risk Assessment: DOM IT will annually review risk assessment of REDCap infrastructure.
Scheduled Maintenance: DOM IT will have scheduled maintenance windows to install updates and to take preventive measures.
Backup and Data Recovery: Backup will be done nightly, weekly, and monthly. Monthly backups are kept at an off-site location. Depending on backup retention period, DOM IT will recover files that are accidentally deleted.
Inventory: At the request of the customer, DOM IT will provide an annual inventory report of hosted projects.
IRB Approval: REDCap projects that involve human subject research (per the U.S. Department of Health and Human Services [DDHS] Code of Federal Regulations definition) must have IRB approval before moving to production or commencing actual data collection. If the project is a multi-site study, the project owner attests that appropriate IRB and regulatory approvals have been obtained prior to data collection date. The project owners must submit all IRB approval/amendment documents before project initiation.
IRB Training: All users (both UAB and External) must also successfully complete IRB Training. UAB users can refer to the following link for more information xxxx://xxx.xxx.xxx/research/administration/offices/IRB/Training/Pages/InitialIRBTraining
Login Accounts: Access to REDCap system is controlled and authorized for approved users only. UAB users must use their BlazerID credentials to access projects. Non-UAB (external) users who are collaborating on the project must apply for XIAS accounts (xxxx://xxx.xxx.xxx.xxx/xias). PI is responsible for maintaining access rights to project.
Data Privacy: Project owners and coordinators agree to respect data privacy and will follow the principle of least privilege to assign minimum necessary access rights. Users who have full export rights must also have their computer systems encrypted.
Copyrighted Forms: The investigators must obtain permission before reusing copyrighted forms (i.e. EORTC QLQ-C30, FACIT-SP-12) in REDCap. REDCap Shared Library forms are excluded.
Yearly Audit: PI or project coordinators must perform annual audit of their projects. Annual audit of project is a mandatory task. Refer to Appendix C for more information.
Publications: Any publication resulting from the use of REDCap as a data collection tool should be properly cited.
Security Best Practices. Without limiting the application of any other provision of this Section 2, Developer agrees to implement and maintain industry best practices with respect to the security of, and access to, each System, including the imposition and enforcement of requirements against sharing of Authentication Credentials between and among users, and accepts all risks and liability resulting from any failure to adopt and maintain such industry best practices.
Security Best Practices.
• Do not attempt to override technical or management controls to access data for which you have not been expressly authorized.
• Do not use your trusted position and access rights to exploit system controls or access data for any reason other than in the performance of the proposed research.
• Do not allow others to use your account, including the data that you have accessed from the HHEAR Repository. Each user must obtain and use their own account in order to access HHEAR data.
• Ensure that anyone directed to use the system has access to, and is aware of, HHEAR Data Repository Information Security Best Practices and Security Standards as well as all existing policies and procedures relevant to the use of the HHEAR Data Repository, including but not limited to 45 CFR Part 46.
• Follow the HHEAR Data Repository password policy which includes:
  o Choose passwords of at least seven characters including at least three of the following types of characters: capital letters, lower case letters, numeric characters and other special characters.
  o Change your passwords every six months.
  o Protect your HHEAR Data Repository password from access by other individuals—for example, store it electronically in a secure location.
• Notify the HHEAR Data Repository staff at: xxxxxxxxxxxx@xxxx.xxx of security incidents, or any incidents of suspected fraud, waste or misuse of the HHEAR Data Repository or when access to HHEAR Data Repository is no longer required.
• Protect the data, providing access solely to authorized researchers permitted access to such data by your institution.
• Neither store nor transmit links between personally identifiable information and HHEAR Participant IDs (PIDs).
• When you download HHEAR Data Repository data, download the data to a secured computer, with strong password protection, and encrypted storage.
• For the computers hosting HHEAR Data Repository data, ensure that they have the latest security patches and are running virus protection software.
• Make sure the data are protected from anonymous access from users both inside and outside of the organization.
• If you leave your office, close out of data files or lock your computer. Consider the installation of a timed screen saver with password protection.
• When finished using the data, destroy the data or otherwise dispose of it properly.
Security Best Practices. Supplier shall provide a secure environment for American’s Confidential Information, and any hardware and software to be provided or used by Supplier as part of its performance under this Agreement, in order to protect the same from unauthorized Processing, destruction, use, modification, or disclosure. Supplier represents and warrants that the security measures it takes in performance of its obligations under this Agreement are, and will at all times remain, at the highest of the following (collectively referred to herein as “Security Best Practices”): (i) Privacy & IT Security Best Practices (as defined by ISO 27001); (ii) the security requirements, standards, obligations, specifications and event reporting procedures in this Agreement, including as set forth in this Attachment and any Statement of Work; (iii) to the extent applicable, Payment Card Industry standards or VISA, MasterCard, and any other credit card network bylaws and operating regulations, and federal and state laws and regulations relating to credit card processing (collectively, “PCI Standards”); and (iv) any security requirements, standards, obligations, specifications and/or event reporting procedures required by any Data Law. Additionally, Supplier shall contractually require any subcontractors or agents with access to American’s Confidential Information to adhere to Security Best Practices. Without limiting or affecting American’s rights under this Agreement, if Supplier or Supplier subcontractors or agents discover or are notified of a breach or potential breach of the foregoing relating to American’s Confidential Information, Supplier shall expeditiously (A) notify American of such breach or potential breach, (B) investigate and use commercially reasonable efforts to remediate the effects of such breach or potential breach, and (C) provide assurances satisfactory to American that such breach or potential breach will not recur. 
Any notifications to Customers of security breaches involving American’s Confidential Information will be handled exclusively by American and Supplier may not under any circumstances contact Customers relating to such security breach.