Common use of SECURITY REQUIREMENTS AND PROTECTION OF DATA Clause in Contracts

SECURITY REQUIREMENTS AND PROTECTION OF DATA. The Supplier shall, within five (5) Working Days of the Commencement Date, develop and thereafter maintain a Security Management Plan, which shall be submitted to the Customer for Approval, in accordance with this Clause 20 to apply during the Contract Period. The Supplier shall develop, implement, operate, maintain and continuously improve and maintain an ISMS which will be submitted for Approval by the Customer, tested in accordance with the Methodology, periodically updated and audited in accordance with ISO/IEC 27001. Both the ISMS and the Security Management Plan shall, unless otherwise specified by the Customer, aim to protect all aspects of the Services and all processes associated with the delivery of the Services and shall comply with the Security Policy. The Supplier shall comply, and shall procure the compliance of the Supplier Staff, with the Security Policy and the Security Management Plan (if any) and the Supplier shall ensure (and the Customer shall be entitled to audit) that the Security Management Plan produced by the Supplier fully complies with the Security Policy. Customer Data shall be dealt with in the following way: The Supplier shall not delete or remove any proprietary notices contained within or relating to the Customer Data. The Supplier shall not store, copy, disclose, or use the Customer Data except as necessary for the performance by the Supplier of its obligations under this Call-Off Agreement or as otherwise Approved by the Customer. To the extent that the Customer Data is held and/or processed by the Supplier, the Supplier shall supply that Customer Data to the Customer as requested by the Customer and in the format (if any) specified by the Customer from time to time in writing. 
To the extent that Customer Data is held and/or processed by the Supplier, the Supplier shall take responsibility for preserving the integrity of the Customer Data and preventing the corruption or loss of Customer Data. The Supplier shall ensure that any system on which the Supplier holds any Customer Data, including back-up data, is a secure system that complies with the security requirements set out by the Customer under this Call-Off Agreement. The Supplier shall ensure that any system on which the Supplier holds any Customer Data which is protectively marked shall be accredited using such accreditation policy or system as specified by the Customer (such as the HMG Security Policy Framework and Information Assurance Policy, taking into account guidance issued by the Centre for Protection of National Infrastructure on Risk Management and Accreditation of Information Systems, and/or relevant HMG Information Assurance Standard(s), as in force from time to time) and, where the term of this Call-Off Agreement exceeds one year, the Supplier shall review such accreditation status at least once in each year to assess whether material changes have occurred which could alter the original accreditation decision in relation to Customer Data. If any such changes have occurred then the Supplier shall resubmit such system for accreditation. 
If the Customer Data is corrupted, lost or sufficiently degraded as a result of a Supplier’s Default so as to be unusable, the Customer may: require the Supplier (at the Supplier’s expense) to restore or procure the restoration of the Customer Data (as the case may be) to the extent and in accordance with the BCDR Plan and the Supplier shall do so as soon as practicable but in accordance with the time period notified by the Customer; and/or itself restore or procure the restoration of Customer Data, and shall be repaid by the Supplier any reasonable expenses incurred in doing so to the extent and in accordance with the requirements specified in the BCDR Plan. If at any time the Supplier suspects or has reason to believe that the Customer Data has or may become corrupted, lost or sufficiently degraded in any way for any reason, then the Supplier shall notify the Customer immediately and inform the Customer of the remedial action the Supplier proposes to take. The Supplier shall, at all times during and after the Term and during and after the Call-Off Agreement Period, indemnify the Customer and keep the Customer fully indemnified against all Losses incurred by, awarded against or agreed to be paid by the Customer at any time (whether such Losses arise before or after the making of a demand pursuant to the indemnity hereunder) arising from any breach of the Supplier’s obligations under this Clause 20.5.9 except and to the extent that such liabilities have resulted directly from the Customer’s instructions.

Appears in 25 contracts

Samples: Agreement, Call Off Agreement, Call Off Agreement

SECURITY REQUIREMENTS AND PROTECTION OF DATA. The Supplier shall, within five (5) Working Days of the Commencement Date, develop and thereafter maintain a Security Management Plan, which shall be submitted to the Customer for Approval, in accordance with this Clause 20 to apply during the Contract Period. The Supplier shall develop, implement, operate, maintain and continuously improve and maintain an ISMS which will be submitted for Approval by the Customer, tested in accordance with the Methodology, periodically updated and audited in accordance with ISO/IEC 27001. Both the ISMS and the Security Management Plan shall, unless otherwise specified by the Customer, aim to protect all aspects of the Services and all processes associated with the delivery of the Services and shall comply with the Security Policy. The Supplier shall comply, and shall procure the compliance of the Supplier Staff, with the Security Policy and the Security Management Plan (if any) and the Supplier shall ensure (and the Customer shall be entitled to audit) that the Security Management Plan produced by the Supplier fully complies with the Security Policy. Customer Data shall be dealt with in the following way: The Supplier shall not delete or remove any proprietary notices contained within or relating to the Customer Data. The Supplier shall not store, copy, disclose, or use the Customer Data except as necessary for the performance by the Supplier of its obligations under this Call-Off Agreement or as otherwise Approved by the Customer. To the extent that the Customer Data is held and/or processed by the Supplier, the Supplier shall supply that Customer Data to the Customer as requested by the Customer and in the format (if any) specified by the Customer from time to time in writing. 
To the extent that Customer Data is held and/or processed by the Supplier, the Supplier shall take responsibility for preserving the integrity of the Customer Data and preventing the corruption or loss of Customer Data. The Supplier shall ensure that any system on which the Supplier holds any Customer Data, including back-up data, is a secure system that complies with the security requirements set out by the Customer under this Call-Off Agreement. The Supplier shall ensure that any system on which the Supplier holds any Customer Data which is protectively marked shall be accredited using such accreditation policy or system as specified by the Customer (such as the HMG Security Policy Framework framework and Information Assurance Policy, taking into account guidance issued by the Centre for Protection of National Infrastructure on Risk Management and Accreditation of Information Systems, and/or relevant HMG Information Assurance Standard(s), as in force from time to time) and, where the term of this Call-Off Agreement exceeds one year, the Supplier shall review such accreditation status at least once in each year to assess whether material changes have occurred which could alter the original accreditation decision in relation to Customer Data. If any such changes have occurred then the Supplier shall resubmit such system for accreditation. 
If the Customer Data is corrupted, lost or sufficiently degraded as a result of a Supplier’s Default so as to be unusable, the Customer may: require the Supplier (at the Supplier’s expense) to restore or procure the restoration of the Customer Data (as the case may be) to the extent and in accordance with the BCDR Plan and the Supplier shall do so as soon as practicable but in accordance with the time period notified by the Customer; and/or itself restore or procure the restoration of Customer Data, and shall be repaid by the Supplier any reasonable expenses incurred in doing so to the extent and in accordance with the requirements specified in the BCDR Plan. If at any time the Supplier suspects or has reason to believe that the Customer Data has or may become corrupted, lost or sufficiently degraded in any way for any reason, then the Supplier shall notify the Customer immediately and inform the Customer of the remedial action the Supplier proposes to take. The Supplier shall, at all times during and after the Term and during and after the Call-Off Agreement Period, indemnify the Customer and keep the Customer fully indemnified against all Losses incurred by, awarded against or agreed to be paid by the Customer at any time (whether such Losses arise before or after the making of a demand pursuant to the indemnity hereunder) arising from any breach of the Supplier’s obligations under this Clause 20.5.9 except and to the extent that such liabilities have resulted directly from the Customer’s instructions.

Appears in 22 contracts

Samples: Call Off Agreement, Call Off Agreement, Call Off Agreement