Security of Confidential Information. 1. The Contractor shall implement and maintain a comprehensive data-security program in accordance with commercial best practices for the protection of Confidential Information, whether the Confidential Information is stored electronically and/or in hard copy. Such data-security program shall include, but is not limited to, the following:
a. Security policies for the Contractor’s employees, agents, affiliates, and subcontractors related to the storage, access, retention, transportation, and disposition of data containing Confidential Information;
b. Reasonable restrictions on access to records containing Confidential Information, including access to any locked storage where such records are kept;
c. Secure access controls to Confidential Information, including but not limited to passwords;
d. Procedures for data recovery, incident response and processes, and business continuity processes and procedures;
e. Encryption of Confidential Information in accordance with industry standard encryption when it is stored or transmitted electronically;
f. Protocols for regular backups that include retention of backup copies for such period of time as may be required by MCPS, or by federal, state, and county laws and regulations;
g. Audit logs of its system on a secured server with restricted access to prevent tampering or altering of audit data; and
h. A process for reviewing policies, procedures, and security measures, as well as training on security policies for employees who have access to Confidential Information, at least annually.
2. The Contractor certifies that it has implemented policies, procedures, and security measures to protect against reasonably foreseeable unauthorized access to, or disclosure of, Confidential Information, and to prevent other reasonably foreseeable events that may result in substantial harm to MCPS. In addition, the Contractor shall not maintain or store Confidential Information outside of the United States. To the extent that the Contractor uses cloud computing services, all Confidential Information provided by MCPS or MCPS Users shall be securely stored with a commercially reasonable third-party vendor using physical servers located solely within the United States and subject to network security measures consistent with industry standards. The Contractor will confirm to MCPS that the third-party vendor agrees to the non-disclosure agreement terms described in Article 18.C.6.
3. Access to the Contractor’s server(s) hosting Confidential Information shall be limited to the Contractor’s operations employees, agents, affiliates, or subcontractors who: (i) have access to Contractor’s access keys and are specifically trained to manage and secure data; and/or (ii) are involved in providing the Contractor’s deliverables, products and/or services.
4. Any computer, server, or database on which Confidential Information, or any analysis conducted pursuant to the Contract, is maintained shall have anti-virus, configuration control, monitoring/alerting, automated backups, and regular vulnerability testing. Such computer, server, or databases shall be password protected and securely stored at all times with proper authentication and authorization procedures and with access limited to the Contractor’s operations personnel and personnel directly involved in implementing the Contract. The Contractor shall not permit Confidential Information to be maintained or stored on any portable memory device, such as thumb drives or portable hard drives, without the express written consent of MCPS. The Contractor shall not permit Confidential Information to be maintained or stored on mobile computing devices (e.g. laptops or tablets), unless such device is being used in connection with the Contractor’s backup and recovery procedures. In the event that such a device is being used in connection with the Contractor’s backup and recovery procedures, the Contractor will ensure that such mobile computing devices are encrypted, centrally managed with respect to configuration updates and anti-virus, password protected, and that all such devices will be scanned at the expiration or termination of the Contract to ensure that no Confidential information remains stored on such mobile computing devices.
5. The Contractor will regularly backup or cause to be backed up all Confidential Information under its control and will securely store and retain backups for such period of time as may be required by federal or state law or regulation, or by MCPS. The Contractor will remove Confidential Information from backups in a manner consistent with technology best practices and industry standards for secure data disposal methods. If the Contractor is required to restore any materials from its backups, it will purge all personally identifiable Confidential Information not currently in use in the production systems from the restored backups.
Appears in 17 contracts
Samples: General Contract, General Contract, General Contract Articles
Security of Confidential Information. 1. The Contractor shall implement and maintain a comprehensive data-security program in accordance with commercial best practices for the protection of Confidential Information, whether the Confidential Information is stored electronically and/or in hard copy. Such data-security program shall include, but is not limited to, the following:
a. Security policies for the Contractor’s employees, agents, affiliates, and subcontractors related to the storage, access, retention, transportation, and disposition of data containing Confidential Information;
b. Reasonable restrictions on access to records containing Confidential Information, including access to any locked storage where such records are kept;
c. Secure access controls to Confidential Information, including but not limited to passwords;
d. Procedures for data recovery, incident response and processes, and business continuity processes and procedures;
e. Encryption of Confidential Information in accordance with industry standard encryption when it is stored or transmitted electronically;
f. Protocols for regular backups that include retention of backup copies for such period of time as may be required by MCPS, or by federal, state, and county laws and regulations;
g. Audit logs of its system on a secured server with restricted access to prevent tampering or altering of audit data; and
h. A process for reviewing policies, procedures, and security measures, as well as training on security policies for employees who have access to Confidential Information, at least annually.
2. The Contractor certifies that it has implemented policies, procedures, and security measures to protect against reasonably foreseeable unauthorized access to, or disclosure of, Confidential Information, and to prevent other reasonably foreseeable events that may result in substantial harm to MCPS. In addition, the Contractor shall not maintain or store Confidential Information outside of the United States. To the extent that the Contractor uses cloud computing services, all Confidential Information provided by MCPS or MCPS Users shall be securely stored with a commercially reasonable third-party vendor using physical servers located solely within the United States and subject to network security measures consistent with industry standards. The Contractor will confirm to MCPS that the third-party vendor agrees to the non-disclosure agreement terms described in Article 18.C.6.
3. Access to the Contractor’s server(s) hosting Confidential Information shall be limited to the Contractor’s operations employees, agents, affiliates, or subcontractors who: (i) have access to Contractor’s access keys and are specifically trained to manage and secure data; and/or (ii) are involved in providing the Contractor’s deliverables, products and/or services.
4. Any computer, server, or database on which Confidential Information, or any analysis conducted pursuant to the Contract, is maintained shall have anti-virus, configuration control, monitoring/alerting, automated backups, and regular vulnerability testing. Such computer, server, or databases shall be password protected and securely stored at all times with proper authentication and authorization procedures and with access limited to the Contractor’s operations personnel and personnel directly involved in implementing the Contract. The Contractor shall not permit Confidential Information to be maintained or stored on any portable memory device, such as thumb drives or portable hard drives, without the express written consent of MCPS. The Contractor shall not permit Confidential Information to be maintained or stored on mobile computing devices (e.g. laptops or tablets), unless such device is being used in connection with the Contractor’s backup and recovery procedures. In the event that such a device is being used in connection with the Contractor’s backup and recovery procedures, the Contractor will ensure that such mobile computing devices are encrypted, centrally managed with respect to configuration updates and anti-virus, password protected, and that all such devices will be scanned at the expiration or termination of the Contract to ensure that no Confidential information remains stored on such mobile computing devices.
5. The Contractor will regularly backup or cause to be backed up all Confidential Information under its control and will securely store and retain backups for such period of time as may be required by federal or state law or regulation, or by MCPS. The Contractor will remove Confidential Information from backups in a manner consistent with technology best practices and industry standards for secure data disposal methods. If the Contractor is required to restore any materials from its backups, it will purge all personally identifiable Confidential Information not currently in use in the production systems from the restored backups.
Appears in 4 contracts
Samples: General Contract Articles, General Contract, MCPS General Contract
Security of Confidential Information. 1. The Contractor shall implement and maintain a comprehensive data-security program in accordance with commercial best practices for the protection of Confidential Information, whether the Confidential Information is stored electronically and/or in hard copy. Such data-security program shall include, but is not limited to, the following:
a. Security policies for the Contractor’s employees, agents, affiliates, and subcontractors related to the storage, access, retention, transportation, and disposition of data containing Confidential Information;
b. Reasonable restrictions on access to records containing Confidential Information, including access to any locked storage where such records are kept;
c. Secure access controls to Confidential Information, including but not limited to passwords;
d. Procedures for data recovery, incident response and processes, and business continuity processes and procedures;
e. Encryption of Confidential Information in accordance with industry standard encryption when it is stored or transmitted electronically;
f. Protocols for regular backups that include retention of backup copies for such period of time as may be required by MCPS, or by federal, state, and county laws and regulations;
g. Audit logs of its system on a secured server with restricted access to prevent tampering or altering of audit data; and
h. A process for reviewing policies, procedures, and security measures, as well as training on security policies for employees who have access to Confidential Information, at least annually.
2. The Contractor certifies that it has implemented policies, procedures, and security measures to protect against reasonably foreseeable unauthorized access to, or disclosure of, Confidential Information, and to prevent other reasonably foreseeable events that may result in substantial harm to MCPS. In addition, the Contractor shall not maintain or store Confidential Information outside of the United States. To the extent that the Contractor uses cloud computing services, all Confidential Information provided by MCPS or MCPS Users shall be securely stored with a commercially reasonable third-party vendor using physical servers located solely within the United States and subject to network security measures consistent with industry standards. The Contractor will confirm to MCPS that the third-party vendor agrees to the non-disclosure agreement terms described in Article 18.C.6.
3. Access to the Contractor’s server(s) hosting Confidential Information shall be limited to the Contractor’s operations employees, agents, affiliates, or subcontractors who: (i) have access to Contractor’s access keys and are specifically trained to manage and secure data; and/or (ii) are involved in providing the Contractor’s deliverables, products and/or services.
4. Any computer, server, or database on which Confidential Information, or any analysis conducted pursuant to the Contract, is maintained shall have anti-virus, configuration control, monitoring/alerting, automated backups, and regular vulnerability testing. Such computer, server, or databases shall be password protected and securely stored at all times with proper authentication and authorization procedures and with access limited to the Contractor’s operations personnel and personnel directly involved in implementing the Contract. The Contractor shall not permit Confidential Information to be maintained or stored on any portable memory device, such as thumb drives or portable hard drives, without the express written consent of MCPS. The Contractor shall not permit Confidential Information to be maintained or stored on mobile computing devices (e.g. laptops or tablets), unless such device is being used in connection with the Contractor’s backup and recovery procedures. In the event that such a device is being used in connection with the Contractor’s backup and recovery procedures, the Contractor will ensure that such mobile computing devices are encrypted, centrally managed with respect to configuration updates and antivirus, password protected, and that all such devices will be scanned at the expiration or termination of the Contract to ensure that no Confidential information remains stored on such mobile computing devices.
5. The Contractor will regularly backup or cause to be backed up all Confidential Information under its control and will securely store and retain backups for such period of time as may be required by federal or state law or regulation, or by MCPS. The Contractor will remove Confidential Information from backups in a manner consistent with technology best practices and industry standards for secure data disposal methods. If the Contractor is required to restore any materials from its backups, it will purge all personally identifiable Confidential Information not currently in use in the production systems from the restored backups.
Appears in 1 contract
Samples: General Contract