Common use of SECURITY GUIDELINES Clause in Contracts

SECURITY GUIDELINES. 37.2.1 Both Parties will maintain accurate records, subject to audit, that monitor user authentication and machine integrity and confidentiality (e.g., password assignment and aging, chronological logs configured, system accounting data, etc.). 37.2.2 Both Parties shall maintain accurate and complete records detailing the individual data connections and systems to which they have granted the other Party access or interface privileges. These records will include, but are not limited to, user ID assignment, user request records, system configuration, time limits of user access or system interfaces. These records should be kept until the termination of this Agreement or the termination of the requested access by the identified individual. Either Party may initiate a compliance review of the connection records to verify that only the agreed to connections are in place and that the connection records are accurate. 37.2.3 Each Party shall notify the other Party immediately upon termination of employment of an individual user with approved access to the other Party’s network. 37.2.4 Both Parties shall use an industry standard virus detection software program at all times. The Parties shall immediately advise each other by telephone upon actual knowledge that a virus or other malicious code has been transmitted to the other Party. 37.2.5 All physical access to equipment and Services required to transmit data will be in secured locations. Verification of authorization will be required for access to all such secured locations. A secured location is where walls and doors are constructed and arranged to serve as barriers and to provide uniform protection for all equipment used in the data connections which are made as a result of the user’s access to either the CLEC or SBC-ASI/13State network. At a minimum, this shall include: access doors equipped with card reader control or an equivalent authentication procedure and/or device, and egress doors which generate a real-time alarm when opened and which are equipped with tamper resistant and panic hardware as required to meet building and safety standards. 37.2.6 Both Parties shall maintain accurate and complete records on the card access system or lock and key administration to the rooms housing the equipment utilized to make the connection(s) to the other Party’s network. These records will include management of card or key issue, activation or distribution and deactivation. 37.2.7 Each Party will monitor its own network relating to any user's access to the Party’s networks, processing systems, and applications. This information may be collected, retained, and analyzed to identify potential security risks without notice. This information may include, but is not limited to, trace files, statistics, network addresses, and the actual data or screens accessed or transferred. 37.2.8 Each Party shall notify the other Party’s security organization immediately upon initial discovery of actual or suspected unauthorized access to, misuse of, or other “at risk” conditions regarding the identified data facilities or information. Each Party shall provide a specified point of contact. If either Party suspects unauthorized or inappropriate access, the Parties shall work together to isolate and resolve the problem. 37.2.9 In the event that one Party identifies inconsistencies or lapses in the other Party’s adherence to the security provisions described herein, or a discrepancy is found, documented, and delivered to the non-complying Party, a corrective action plan to address the identified vulnerabilities must be provided by the non-complying Party within ten (10) calendar days of the date of the identified inconsistency. The corrective action plan must identify what will be done, the Party accountable/responsible, and the proposed compliance date. 37.2.10 Each Party is responsible to notify its employees, contractors and vendors who will have access to the other Party’s network, on the proper security responsibilities identified within this Agreement. Adherence to these policies is a requirement for continued access to the other Party’s systems, networks or information. Exceptions to the policies must be requested in writing and approved by the other Party’s information security organization.

SECURITY GUIDELINES. 37.2.1 Both Parties will maintain accurate records, subject to audit, that monitor user authentication and machine integrity and confidentiality (e.g., password assignment and aging, chronological logs configured, system accounting data, etc.). 37.2.2 Both Parties shall maintain accurate and complete records detailing the individual data connections and systems to which they have granted the other Party access or interface privileges. These records will include, but are not limited to, user ID assignment, user request records, system configuration, time limits of user access or system interfaces. These records should be kept until the termination of this Agreement or the termination of the requested access by the identified individual. Either Party may initiate a compliance review of the connection records to verify that only the agreed to connections are in place and that the connection records are accurate. 37.2.3 Each Party shall notify the other Party immediately upon termination of employment of an individual user with approved access to the other Party’s network. 37.2.4 Both Parties shall use an industry standard virus detection software program at all times. The Parties shall immediately advise each other by telephone upon actual knowledge that a virus or other malicious code has been transmitted to the other Party. 37.2.5 All physical access to equipment and Services required to transmit data will be in secured locations. Verification of authorization will be required for access to all such secured locations. A secured location is where walls and doors are constructed and arranged to serve as barriers and to provide uniform protection for all equipment used in the data connections which are made as a result of the user’s access to either the CLEC or SBCAT&T-ASI/13State ASI/13 State network. At a minimum, this shall include: access doors equipped with card reader control or an equivalent authentication procedure and/or device, and egress doors which generate a real-time alarm when opened and which are equipped with tamper resistant and panic hardware as required to meet building and safety standards. 37.2.6 Both Parties shall maintain accurate and complete records on the card access system or lock and key administration to the rooms housing the equipment utilized to make the connection(s) to the other Party’s network. These records will include management of card or key issue, activation or distribution and deactivation. 37.2.7 Each Party will monitor its own network relating to any user's access to the Party’s networks, processing systems, and applications. This information may be collected, retained, and analyzed to identify potential security risks without notice. This information may include, but is not limited to, trace files, statistics, network addresses, and the actual data or screens accessed or transferred. 37.2.8 Each Party shall notify the other Party’s security organization immediately upon initial discovery of actual or suspected unauthorized access to, misuse of, or other “at risk” conditions regarding the identified data facilities or information. Each Party shall provide a specified point of contact. If either Party suspects unauthorized or inappropriate access, the Parties shall work together to isolate and resolve the problem. 37.2.9 In the event that one Party identifies inconsistencies or lapses in the other Party’s adherence to the security provisions described herein, or a discrepancy is found, documented, and delivered to the non-complying Party, a corrective action plan to address the identified vulnerabilities must be provided by the non-complying Party within ten (10) calendar days of the date of the identified inconsistency. The corrective action plan must identify what will be done, the Party accountable/responsible, and the proposed compliance date. 37.2.10 Each Party is responsible to notify its employees, contractors and vendors who will have access to the other Party’s network, on the proper security responsibilities identified within this Agreement. Adherence to these policies is a requirement for continued access to the other Party’s systems, networks or information. Exceptions to the policies must be requested in writing and approved by the other Party’s information security organization.

SECURITY GUIDELINES. 37.2.1 (1) Both Parties will maintain accurate records, subject to audit, and auditable records that monitor user authentication and machine integrity and confidentiality (e.g., password assignment and aging, chronological logs configured, system accounting data, etc.). 37.2.2 (2) Both Parties shall maintain accurate and complete records detailing the individual data connections and systems to which they have granted the other Party access or interface privileges. These records will include, but are not limited to, user ID assignment, user request records, system configuration, time limits of user access or system interfaces. These records should be kept until the termination of this Agreement or the termination of the requested access by the identified individual. Either Party may initiate a compliance review of the connection records to verify that only the agreed to connections are in place and that the connection records are accurate. 37.2.3 (3) Each Party shall notify the other Party immediately upon termination of employment of an individual user with approved access to the other Party’s network. 37.2.4 (4) Both Parties shall use an industry standard virus detection software program at all times. The Parties shall immediately advise each other by telephone upon actual knowledge that a virus or other malicious code has been transmitted to the other Party. 37.2.5 (5) All physical access to equipment and Services services required to transmit data will be in secured locations. Verification of authorization will be required for access to all such secured locations. A secured location is where walls and doors are constructed and arranged to serve as barriers and to provide uniform protection for all equipment used in the data connections which are made as a result of the user’s access to either the CLEC or SBC-ASI/13State ASI- North network. At a minimum, this shall include: access doors equipped with card reader control or an equivalent authentication procedure and/or device, and egress doors which generate a real-time alarm when opened and which are equipped with tamper resistant and panic hardware as required to meet building and safety standards. 37.2.6 (6) Both Parties shall maintain accurate and complete records on the card access system or lock and key administration to the rooms housing the equipment utilized to make the connection(s) to the other Party’s network. These records will include management of card or key issue, activation or distribution and deactivation. 37.2.7 (7) Each Party will monitor its own network relating to any user's access to the Party’s networks, processing systems, and applications. This information may be collected, retained, and analyzed to identify potential security risks without notice. This information may include, but is not limited to, trace files, statistics, network addresses, and the actual data or screens accessed or transferred. 37.2.8 (8) Each Party shall notify the other Party’s security organization immediately upon initial discovery of actual or suspected unauthorized access to, misuse of, or other “at risk” conditions regarding the identified data facilities or information. Each Party shall provide a specified point of contact. If either Party suspects unauthorized or inappropriate access, the Parties shall work together to isolate and resolve the problem. 37.2.9 (9) In the event that one Party identifies inconsistencies or lapses in the other Party’s adherence to the security provisions described herein, or a discrepancy is found, documented, and delivered to the non-complying Party, a corrective action plan to address the identified vulnerabilities must be provided by the non-complying Party within ten (10) calendar days of the date of the identified inconsistency. The corrective action plan must identify what will be done, the Party accountable/responsible, and the proposed compliance date. 37.2.10 (10) Each Party is responsible to notify its employees, contractors and vendors who will have access to the other Party’s network, on the proper security responsibilities identified within this Agreement. Adherence to these policies is a requirement for continued access to the other Party’s systems, networks or information. Exceptions to the policies must be requested in writing and approved by the other Party’s information security organization.

SECURITY GUIDELINES. 37.2.1 Both Parties will maintain accurate records, subject to audit, and auditable records that monitor user authentication and machine integrity and confidentiality (e.g., password assignment and aging, chronological logs configured, system accounting data, etc.). 37.2.2 . Both Parties shall maintain accurate and complete records detailing the individual data connections and systems to which they have granted the other Party access or interface privileges. These records will include, but are not limited to, user ID assignment, user request records, system configuration, time limits of user access or system interfaces. These records should be kept until the termination of this Agreement or the termination of the requested access by the identified individual. Either Party may initiate a compliance review of the connection records to verify that only the agreed to connections are in place and that the connection records are accurate. 37.2.3 . Each Party shall notify the other Party immediately upon termination of employment of an individual user with approved access to the other Party’s network. 37.2.4 . Both Parties shall use an industry standard virus detection software program at all times. The Parties shall immediately advise each other by telephone upon actual knowledge that a virus or other malicious code has been transmitted to the other Party. 37.2.5 . All physical access to equipment and Services services required to transmit data will be in secured locations. Verification of authorization will be required for access to all such secured locations. A secured location is where walls and doors are constructed and arranged to serve as barriers and to provide uniform protection for all equipment used in the data connections which are made as a result of the user’s access to either the CLEC or SBC-ASI/13State ASI/8-STATE network. At a minimum, this shall include: access doors equipped with card reader control or an equivalent authentication procedure and/or device, and egress doors which generate a real-time alarm when opened and which are equipped with tamper resistant and panic hardware as required to meet building and safety standards. 37.2.6 . Both Parties shall maintain accurate and complete records on the card access system or lock and key administration to the rooms housing the equipment utilized to make the connection(s) to the other Party’s network. These records will include management of card or key issue, activation or distribution and deactivation. 37.2.7 . Each Party will monitor its own network relating to any user's access to the Party’s networks, processing systems, and applications. This information may be collected, retained, and analyzed to identify potential security risks without notice. This information may include, but is not limited to, trace files, statistics, network addresses, and the actual data or screens accessed or transferred. 37.2.8 . Each Party shall notify the other Party’s security organization immediately upon initial discovery of actual or suspected unauthorized access to, misuse of, or other “at risk” conditions regarding the identified data facilities or information. Each Party shall provide a specified point of contact. If either Party suspects unauthorized or inappropriate access, the Parties shall work together to isolate and resolve the problem. 37.2.9 . In the event that one Party identifies inconsistencies or lapses in the other Party’s adherence to the security provisions described herein, or a discrepancy is found, documented, and delivered to the non-complying Party, a corrective action plan to address the identified vulnerabilities must be provided by the non-complying Party within ten (10) calendar days of the date of the identified inconsistency. The corrective action plan must identify what will be done, the Party accountable/responsible, and the proposed compliance date. 37.2.10 . Each Party is responsible to notify its employees, contractors and vendors who will have access to the other Party’s network, on the proper security responsibilities identified within this Agreement. Adherence to these policies is a requirement for continued access to the other Party’s systems, networks or information. Exceptions to the policies must be requested in writing and approved by the other Party’s information security organization.

SECURITY GUIDELINES. 37.2.1 40.2.1 Both Parties will maintain accurate records, subject to audit, that monitor user authentication and machine integrity and confidentiality (e.g., password assignment and aging, chronological logs configured, system accounting data, etc.). 37.2.2 40.2.2 Both Parties shall maintain accurate and complete records detailing the individual data connections and systems to which they have granted the other Party access or interface privileges. These records will include, but are not limited to, user ID assignment, user request records, system configuration, time limits of user access or system interfaces. These records should be kept until the termination of this Agreement or the termination of the requested access by the identified individual. Either Party may initiate a compliance review of the connection records to verify that only the agreed to connections are in place and that the connection records are accurate. 37.2.3 40.2.3 Each Party shall notify the other Party immediately upon termination of employment of an individual user with approved access to the other Party’s network. 37.2.4 40.2.4 Both Parties shall use an industry standard virus detection software program at all times. The Parties shall immediately advise each other by telephone upon actual knowledge that a virus or other malicious code has been transmitted to the other Party. 37.2.5 40.2.5 All physical access to equipment and Services services required to transmit data will be in secured locations. Verification of authorization will be required for access to all such secured locations. A secured location is where walls and doors are constructed and arranged to serve as barriers and to provide uniform protection for all equipment used in the data connections which are made as a result of the user’s access to either the CLEC or SBC-ASI/13State network. At a minimum, this shall include: access doors equipped with card reader control or an equivalent authentication procedure and/or device, and egress doors which generate a real-time alarm when opened and which are equipped with tamper resistant and panic hardware as required to meet building and safety standards. 37.2.6 40.2.6 Both Parties shall maintain accurate and complete records on the card access system or lock and key administration to the rooms housing the equipment utilized to make the connection(s) to the other Party’s network. These records will include management of card or key issue, activation or distribution and deactivation. 37.2.7 40.2.7 Each Party will monitor its own network relating to any user's access to the Party’s networks, processing systems, and applications. This information may be collected, retained, and analyzed to identify potential security risks without notice. This information may include, but is not limited to, trace files, statistics, network addresses, and the actual data or screens accessed or transferred. 37.2.8 40.2.8 Each Party shall notify the other Party’s security organization immediately upon initial discovery of actual or suspected unauthorized access to, misuse of, or other “at risk” conditions regarding the identified data facilities or information. Each Party shall provide a specified point of contact. If either Party suspects unauthorized or inappropriate access, the Parties shall work together to isolate and resolve the problem. 37.2.9 40.2.9 In the event that one Party identifies inconsistencies or lapses in the other Party’s adherence to the security provisions described herein, or a discrepancy is found, documented, and delivered to the non-complying Party, a corrective action plan to address the identified vulnerabilities must be provided by the non-complying Party within ten (10) calendar days of the date of the identified inconsistency. The corrective action plan must identify what will be done, the Party accountable/responsible, and the proposed compliance date. 37.2.10 40.2.10 Each Party is responsible to notify its employees, contractors and vendors who will have access to the other Party’s network, on the proper security responsibilities identified within this Agreement. Adherence to these policies is a requirement for continued access to the other Party’s systems, networks or information. Exceptions to the policies must be requested in writing and approved by the other Party’s information security organization.