Common use of Separation of Duties / Access Controls Clause in Contracts

Separation of Duties / Access Controls. The Contractor must ensure that all NYS Confidential Information that it holds under this Contract is stored in a controlled access environment to ensure data security and integrity. Contractor will provide the State a list of the physical locations where Contractor has stored any NYS Confidential Information at any given time and will update that list if the physical location changes. All Contractor facilities must have adequate security systems in place to protect against the unauthorized access to such facilities and data stored therein. Access into and within such facilities must be restricted by Contractor through an access control system that requirespositive identification of authorized individuals as well as maintains a log of all accesses (e.g., date and time of the event, type of event, user identity, component of the information system, outcome of the event). The Contractor shall have a formal procedure in place for granting computer system access to NYS Confidential Information and to track access. Contractor access to NYS Confidential Information for any types of projects outside of those approved by ITS are prohibited. ITS requires the Contractor to follow security best practices by adhering to separation of job duties, and limiting Contractor staff knowledge of NYS Confidential Information to that which is absolutely needed to perform job duties. Upon request, Contractor will provide documentation to ITS clearly defining the security roles and access levels for each of its staff working with NYS Confidential Information with a level of specificity objectively reasonable to and approved by ITS.

Separation of Duties / Access Controls. The Contractor must ensure that all NYS Confidential Information that it holds under this the Contract is stored in a controlled access environment to ensure data security and integrityintegrity that adheres to all applicable Local, State, and Federal laws, rules, regulations, ordinances, policies, standards, and guidelines. Contractor will provide the State a list of the physical locations where Contractor has stored any NYS Confidential Information at any given time and will update that list if the physical location changes. All Contractor facilities must have adequate security systems in place to protect against the unauthorized access to such facilities and data stored therein. Access into and within such facilities must be restricted by Contractor through an access control system that requirespositive requires positive identification of authorized individuals as well as maintains a log of all accesses (e.g., date and time of the event, type of event, user identity, component of the information system, outcome of the event). The Contractor shall have a formal procedure in place for granting computer system access to NYS Confidential Information and to track access. Contractor access to NYS Confidential Information for any types of projects outside of those approved by ITS are prohibited. ITS requires the Contractor to follow security best practices by adhering to the principle of least privilege and adhering to separation of job duties, and limiting Contractor staff Staff knowledge of NYS Confidential Information to that which is absolutely needed to perform job duties. Upon request, Contractor will provide documentation to ITS the State clearly defining the security roles and access levels for each of its staff working with NYS Confidential Information with a level of specificity objectively reasonable to and approved by ITSthe State. Only those individuals who have successfully completed all security clearance and background check requirements, including training, shall have access to NYS Confidential Information.