Common use of XXXXXXXX’S INFORMATION SECURITY PLAN AND RESPONSIBILITIES Clause in Contracts

XXXXXXXX’S INFORMATION SECURITY PLAN AND RESPONSIBILITIES. A. Supplier acknowledges that UC must comply with information security standards as required by law, regulation, and regulatory guidance, as well as by UC’s internal security program that protects Institutional Information and IT Resources. B. Supplier must establish, maintain, comply with, and responsibly execute its information security plan. C. Supplier’s initial information security plan is attached as Exhibit 2 and incorporated by reference. D. Updates to Exhibit 2 will occur as follows: 1. On an annual basis, Supplier will review its information security plan, update it as needed, and submit it upon written request by UC. 2. In the event of a Major Change, Supplier will review its information security plan, update it as needed, and submit it to UC as detailed herein. E. If Supplier makes any material modifications to its information security plan that will affect the security of Institutional Information and IT Resources, Supplier must notify UC within seventy-two (72) calendar hours and identify the changes. F. Supplier’s Information Security Plan must: 1. Ensure the security (including but not limited to: confidentiality, integrity, and availability) of Institutional Information and IT Resources through the use and maintenance of appropriate administrative, technical, and physical controls; 2. Protect against any reasonably anticipated threats or hazards to Institutional Information and IT Resources; 3. Address the risks associated with Supplier having access to Institutional Information and IT Resources; 4. Comply with applicable regulations and/or external obligations listed in Exhibit 1; 5. Comply with all applicable legal and regulatory requirements for data protection, security, and privacy; 6. Clearly document the cybersecurity responsibilities of each party; 7. Follow UC records retention requirements outlined in the Statement of Work (SOW) or in UC’s Terms and Conditions; 8. Prevent the sharing of passwords or authentication secrets that provide access to Institutional Information and/or IT Resources; 9. Prevent the use of passphrases (passwords) or other authentication secrets that are common across customers or multiple unrelated UC sites or units; 10. Prevent unauthorized access to Institutional Information and IT Resources; 11. Prevent unauthorized changes to IT Resources; 12. Prevent the reduction, removal, or turning off of any security control without express written approval from UC; 13. Prevent the creation of new Supplier accounts to access Institutional Information and IT Resources without express written approval from UC; 14. Prevent the storing, harvesting, or passing through of UC credentials (username, password, authentication secret, or other factor); and 15. Prevent the use or copying of Institutional Information for any purpose not authorized under the Agreement or any associated Statement of Work (SOW).

XXXXXXXX’S INFORMATION SECURITY PLAN AND RESPONSIBILITIES. A. Supplier acknowledges that UC must comply with information security standards as required by law, regulation, and regulatory guidance, as well as by UC’s internal security program that protects Institutional Information and IT Resources. B. Supplier must establish, maintain, comply with, and responsibly execute its information security plan. C. Supplier’s initial information security plan is attached as Exhibit 2 and incorporated by reference. D. Updates to Exhibit 2 will occur as follows: 1. On an annual basis, Supplier will review its information security plan, update it as needed, and submit it upon written request by UC. 2. In the event of a Major Change, Supplier will review its information security plan, update it as needed, and submit it to UC as detailed herein. E. If Supplier makes any material modifications to its information security plan that will affect the security of Institutional Information and IT Resources, Supplier must notify UC within seventy-two (72) calendar hours and identify the changes. F. Supplier’s Information Security Plan must: 1. Ensure the security (including but not limited to: confidentiality, integrity, and availability) of Institutional Information and IT Resources through the use and maintenance of appropriate administrative, technical, and physical controls; 2. Protect against any reasonably anticipated threats or hazards to Institutional Information and IT Resources; 3. Address the risks associated with Supplier having access to Institutional Information and IT Resources; 4. Comply with Address applicable regulations and/or external obligations listed in Exhibit 1; 5. Comply with all applicable legal and regulatory requirements for data protection, security, and privacy; 6. Clearly document the cybersecurity responsibilities of each party; 7. Follow UC records retention requirements outlined in the Statement of Work (SOW) or in UC’s Terms and Conditions; 8. Prevent the sharing of passwords or authentication secrets that provide access to Institutional Information and/or IT Resources; 9. Prevent the use of passphrases (passwords) or other authentication secrets that are common across customers or multiple unrelated UC sites or units; 10. Prevent unauthorized access to Institutional Information and IT Resources; 11. Prevent unauthorized changes to IT Resources; 12. Prevent the reduction, removal, or turning off of any security control without express written approval from UC; 13. Prevent the creation of new Supplier accounts to access Institutional Information and IT Resources without express written approval from UC; 14. Prevent the storing, harvesting, or passing through of UC credentials (username, password, authentication secret, or other factor); and 15. Prevent the use or copying of Institutional Information for any purpose not authorized under the Agreement or any associated Statement of Work (SOW).

XXXXXXXX’S INFORMATION SECURITY PLAN AND RESPONSIBILITIES. A. Supplier acknowledges that UC must comply with information security standards as required by law, regulation, and regulatory guidance, as well as by UC’s internal security program that protects Institutional Information and IT Resources. B. Supplier must establish, maintain, comply with, and responsibly execute its information security plan. C. Supplier’s initial information security plan is attached as Exhibit 2 and incorporated by reference. D. Updates to Exhibit 2 will occur as follows: 1. On an annual basis, Supplier will review its information security plan, update it as needed, and submit it a summary of such plan upon written request by UC. 2. In the event of a Major Change, Supplier will review its information security plan, update it as needed, and submit it a summary of such updated plan to UC as detailed herein. E. If Supplier makes any material modifications to its information security plan that will adversely affect the security of Institutional Information and IT Resources, Supplier must notify UC within seventy-two (72) calendar hours three business days and identify the changes. F. Supplier’s Information Security Plan mustmust address the following: 1. Ensure Ensuring the security (including but not limited to: confidentiality, integrity, and availability) of Institutional Information and IT Resources through the use and maintenance of appropriate administrative, technical, and physical controls; 2. Protect Protecting against any reasonably anticipated threats or hazards to Institutional Information and IT Resources; 3. Address Addressing the risks associated with Supplier having access to Institutional Information and IT Resources; 4. Comply with Addressing applicable regulations and/or external obligations listed in Exhibit 1; 5. Comply Complying with all applicable legal and regulatory requirements for data protection, security, and privacy; 6. Clearly document documenting the cybersecurity responsibilities of each party; 7. Follow UC records Documenting reasonable retention requirements outlined in the Statement of Work (SOW) or in UC’s Terms and Conditionsrequirements; 8. Prevent Preventing the sharing of passwords or authentication secrets that provide access to Institutional Information and/or IT Resources; 9. Prevent Preventing the use of passphrases (passwords) or other authentication secrets that are common across customers or multiple unrelated UC sites or units; 10. Prevent Preventing unauthorized access to Institutional Information and IT Resources; 11. Prevent Preventing unauthorized changes to IT Resources; 12. Prevent the reduction, removal, or turning off of any security control without express written approval from UC; 13. Prevent Preventing the creation of new Supplier accounts to access Institutional Information and IT Resources without express written approval from UC; 14. Prevent Preventing the storing, harvesting, or passing through of UC credentials (username, password, authentication secret, or other factor); and 15. Prevent Preventing the use or copying of Institutional Information for any purpose not authorized under the Agreement or any associated Statement of Work (SOW).

XXXXXXXX’S INFORMATION SECURITY PLAN AND RESPONSIBILITIES. A. Supplier acknowledges that UC must comply with information security standards as required by law, regulation, and regulatory guidance, as well as by UC’s internal security program that protects Institutional Information and IT Resources. B. Supplier must establish, maintain, comply with, and responsibly execute its information security plan. C. Supplier’s initial information security plan is attached as Exhibit 2 and incorporated by reference. D. Updates to Exhibit 2 will occur as follows: 1. On an annual basis, Supplier will review its information security plan, update it as needed, and submit it upon written request by UC. 2. In the event of a Major Change, Supplier will review its information security plan, update it as needed, and submit it to UC as detailed herein. E. If Supplier makes any material modifications to its information security plan that will affect materially degrades the security of Institutional Information and IT Resources, Supplier must notify UC within seventy-two (72) calendar hours and identify the changes. F. Supplier’s Information Security Plan must: 1. Ensure the security (including but not limited to: confidentiality, integrity, and availability) of Institutional Information and IT Resources through the use and maintenance of appropriate administrative, technical, and physical controls; 2. Protect against any reasonably anticipated threats or hazards to Institutional Information and IT Resources; 3. Address the risks associated with Supplier having access to Institutional Information and IT Resources; 4. Comply with Address applicable regulations and/or external obligations listed in Exhibit 1; 5. Comply with all applicable legal and regulatory requirements for data protection, security, and privacyprivacy as applicable to a data processor; 6. Clearly document the cybersecurity responsibilities of each party; 7. Follow UC records retention requirements outlined in the Statement of Work (SOW) or in UC’s Terms and Conditions; 8. Prevent the sharing of passwords or authentication secrets that provide access to Institutional Information and/or IT Resources; 9. Prevent the use of passphrases (passwords) or other authentication secrets that are common across customers or multiple unrelated UC sites or units; 10. Prevent unauthorized access to Institutional Information and IT Resources; 11. Prevent unauthorized changes to IT Resources; 12. Prevent the reduction, removal, or turning off of any security control without express written approval from UC; 13. Prevent the creation of new Supplier accounts to access Institutional Information and IT Resources without express written approval from UC; 14. Prevent the storing, harvesting, or passing through of UC credentials (username, password, authentication secret, or other factor); and 15. Prevent the use or copying of Institutional Information for any purpose not authorized under the Agreement or any associated Statement of Work (SOW).

XXXXXXXX’S INFORMATION SECURITY PLAN AND RESPONSIBILITIES. A. Supplier acknowledges that UC must comply with information security standards as required by law, regulation, and regulatory guidance, as well as by UC’s internal security program that protects Institutional Information and IT Resources. B. Supplier must establish, maintain, comply with, and responsibly execute its information security plan. C. Supplier’s initial information security plan is attached as Exhibit 2 and incorporated by reference. D. Updates to Exhibit 2 will occur as follows: 1. On an annual basis, Supplier will review its information security plan, update it as needed, and submit it upon written request by UC. 2. In the event of a Major Change, Supplier will review its information security plan, update it as needed, and submit it to UC as detailed herein. E. If Supplier makes any material modifications to its information security plan that will affect the security of Institutional Information and IT Resources, Supplier must notify UC within seventy-two (72) calendar hours and identify the changes. F. Supplier’s Information Security Plan must: 1. Ensure the security (including but not limited to: confidentiality, integrity, and availability) of Institutional Information and IT Resources through the use and maintenance of appropriate administrative, technical, and physical controls; 2. Protect against any reasonably anticipated threats or hazards to Institutional Information and IT Resources; 3. Address the risks associated with Supplier having access to Institutional Information and IT Resources; 4. Comply with applicable regulations and/or external obligations listed in Exhibit 1; 5. Comply with all applicable legal and regulatory requirements for data protection, security, and privacy; 6. Clearly document the cybersecurity responsibilities of each party; 7. Follow UC records retention requirements outlined in the Statement of Work (SOW) or in UC’s Terms and Conditions; 8. Prevent the sharing of passwords or authentication secrets that provide access to Institutional Information and/or IT Resources; 9. Prevent the use of passphrases (passwords) or other authentication secrets that are common across customers or multiple unrelated UC sites or units; 10. Prevent unauthorized access to Institutional Information and IT Resources; 11. Prevent unauthorized changes to IT Resources;; {{Int_es_:signer1:initials}} {{Int_es_:signer2:initials}} {{Int_es_:signer3:initials}} 12. Prevent the reduction, removal, or turning off of any security control without express written approval from UC; 13. Prevent the creation of new Supplier accounts to access Institutional Information and IT Resources without express written approval from UC; 14. Prevent the storing, harvesting, or passing through of UC credentials (username, password, authentication secret, or other factor); and 15. Prevent the use or copying of Institutional Information for any purpose not authorized under the Agreement or any associated Statement of Work (SOW).