Common use of System Development Clause in Contracts

System Development.

(1) To the extent that Company provides the Services, the Company and its Subcontractors shall agree to apply the following requirements:

i. Establish policies and procedures that ensure the application system has been designed, built and implemented in a secure manner according to industry recognized best practices or frameworks (e.g., Build Security in Maturity Model (BSIMM) benchmarks, Open Group ACS Trusted Technology Provider framework, NIST, OWASP, etc.).

ii. Establish policies and procedures that ensure data security has been designed, built, and implemented into the application system according to industry recognized best practices or frameworks (e.g., CDSA, MULTISAFE, CSA Trusted Cloud Architectural Standard, FedRAMP, CAESARS, etc.).

iii. Establish policies and procedures that ensure the application system has been properly tested, including the development of a security test plan that defines an approach for testing or otherwise establishing that each of the security requirements has been met.

iv. Perform vulnerability assessment and penetration test on the application system to identify any security issues prior to the application system being placed into production. The Company or its Subcontractors verify that appropriate and reasonable action will be taken to mitigate any security issues identified prior to the system being placed into production.

v. Upon Central Xxxxxx’x request, the Company and each Subcontractor shall promptly provide the results of any vulnerability assessment and penetration test.

vi. Establish policies and procedures that ensure the application system has a proper change management and patch management process that includes applying, testing, and validating the appropriate changes / patches before being placed in the production system.

vii. Upon Central Xxxxxx’x request, the Company and each Subcontractor shall promptly provide a self-certification letter to Central Xxxxxx verifying that the application system meets the security requirements stated in the Data Security Rider, that all security activities have been performed, and all identified security issues have been documented and resolved.

(2) Company warrants that the application system contains no virus, Trojan, worm, undocumented shutdown mechanism or other code or feature which is intended, or is known by Company as likely, to disable, damage, destroy, deny access to or degrade the performance of the application system, or Confidential Information, Data or other information technology resource. Company warrants that the application system contains no backdoors or other feature that is intended to allow Company or someone else to gain unauthorized or surreptitious access to the application system or Confidential Information, Data or other information technology resources. Company agrees to indemnify and hold Central Xxxxxx harmless from any claims, damages, causes of action, costs and expenses arising out of or related to any breach of the warranty set forth in this paragraph.

Appears in 3 contracts

Samples: Confidentiality and Non Disclosure Agreement, Confidentiality and Non Disclosure Agreement, Confidentiality and Non Disclosure Agreement


System Development.

(1) To the extent that Company provides the Services, the Company and its Subcontractors shall agree to apply the following requirements:

i. Establish policies and procedures that ensure the application system has been designed, built and implemented in a secure manner according to industry recognized best practices or frameworks (e.g., Build Security in Maturity Model (BSIMM) benchmarks, Open Group ACS Trusted Technology Provider framework, NIST, OWASP, etc.).

ii. Establish policies and procedures that ensure data security has been designed, built, and implemented into the application system according to industry recognized best practices or frameworks (e.g., CDSA, CDSA, MULTISAFE, CSA Trusted Cloud Architectural Standard, FedRAMP, CAESARS, etc.).

iii. Establish policies and procedures that ensure the application system has been properly tested, including the development of a security test plan that defines an approach for testing or otherwise establishing that each of the security requirements has been met.

iv. Perform vulnerability assessment and penetration test on the application system to identify any security issues prior to the application system being placed into production. The Company or its Subcontractors verify that appropriate and reasonable action will be taken to mitigate any security issues identified prior to the system being placed into production.

v. Upon Central Xxxxxx’x request, the Company and each Subcontractor shall promptly provide the results of any vulnerability assessment and penetration test.

vi. Establish policies and procedures that ensure the application system has a proper change management and patch management process that includes applying, testing, and validating the appropriate changes / patches before being placed in the production system.

vii. Upon Central Xxxxxx’x request, the Company and each Subcontractor shall promptly provide a self-certification letter to Central Xxxxxx verifying that the application system meets the security requirements stated in the Data Security Rider, that all security activities have been performed, and all identified security issues have been documented and resolved.

(2) Company warrants that the application system contains no virus, Trojan, worm, undocumented shutdown mechanism or other code or feature which is intended, or is known by Company as likely, to disable, damage, destroy, deny access to or degrade the performance of the application system, or Confidential Information, Data or other information technology resource. Company warrants that the application system contains no backdoors or other feature that is intended to allow Company or someone else to gain unauthorized or surreptitious access to the application system or Confidential Information, Data or other information technology resources. Company agrees to indemnify and hold Central Xxxxxx harmless from any claims, damages, causes of action, costs and expenses arising out of or related to any breach of the warranty set forth in this paragraph.

Appears in 1 contract

Samples: Confidentiality and Non Disclosure Agreement


System Development.

(1) To the extent that Contractor provides the Services, the Contractor and its Subcontractors shall agree to comply with the following requirements:

i. Establish policies and procedures that ensure the application system has been designed, built and implemented in a secure manner according to industry recognized best practices or frameworks (e.g., Build Security in Maturity Model (BSIMM) benchmarks, Open Group ACS Trusted Technology Provider framework, NIST, OWASP, etc.).

ii. Establish policies and procedures that ensure data security has been designed, built, and implemented into the application system according to industry recognized best practices or frameworks (e.g., CDSA, MULTISAFE, CSA Trusted Cloud Architectural Standard, FedRAMP, CAESARS, etc.).

iii. Establish policies and procedures that ensure the application system has been properly tested, including the development of a security test plan that defines an approach for testing or otherwise establishing that each of the security requirements has been met.

iv. Perform vulnerability assessment and penetration test on the application system to identify any security issues prior to the application system being placed into production. The Contractor or its Subcontractors verify that appropriate and reasonable action will be taken to mitigate any security issues identified prior to the system being placed into production.

v. Upon Owner’s request, the Contractor and each Subcontractor shall promptly provide the results of any vulnerability assessment and penetration test.

vi. Establish policies and procedures that ensure the application system has a proper change management and patch management process that includes applying, testing, and validating the appropriate changes / patches before being placed in the production system.

vii. Upon Owner’s request, the Contractor and each Subcontractor shall promptly provide a self-certification letter to Owner verifying that the application system meets the security requirements stated in this Rider, that all security activities have been performed, and all identified security issues have been documented and resolved.

(2) Contractor warrants that the application system contains no virus, Trojan, worm, undocumented shutdown mechanism or other code or feature which is intended, or is known by Contractor as likely, to disable, damage, destroy, deny access to or degrade the performance of the application system, or Confidential Information, Data or other information technology resource. Contractor warrants that the application system contains no backdoors or other feature that is intended to allow Contractor or someone else to gain unauthorized or surreptitious access to the application system or Confidential Information, Data or other information technology resources of Owner. Contractor agrees to indemnify and hold Owner harmless from any claims, damages, causes of action, costs and expenses arising out of or related to any breach of the warranty set forth in this paragraph.

Appears in 1 contract

Samples: Equipment Owner Agreement
