Asset Protection. 8.1 The Processor shall acquire, create, provide, manage and maintain mechanisms to prevent or mitigate destruction, loss, alteration, disclosure or misuse of equipment used within the Services Environment, Data and Controller assets, having regard to Good Industry Practice. This includes annual Penetration testing and the satisfactory completion of remedial actions identified following that testing.
8.2 All Data shall be appropriately backed up and stored in a secure facility which in line with industry practice would be off site.
8.3 The Processor will ensure adequate business continuity services and disaster recovery services are in place and regularly tested. Evidence of this testing may be required as part of the Controller's due diligence.
8.4 The Processor shall ensure that no-one, other than properly authorised Processor Personnel, has physical access to any servers in scope under this Contract or used to deliver the Services, including any servers located at the Processor's facilities without formal documented approval from the Controller.
8.5 In relation to Processor's facilities, the Processor shall, at a minimum, acquire, create, provide, manage and maintain mechanisms to prevent or mitigate destruction, loss, alteration, disclosure or misuse of Controller systems and/or Data, having regard to Good Industry Practice.
8.6 The Processor will fully and regularly assess the physical security risk for all premises and ensure reasonable controls are in place to prevent inappropriate access as would be expected for the National Health Service.
8.7 Implement National Cyber Security Centre (NCSC) guidelines (e.g. cyber essentials) as agreed with the Controller so that assets are protected.
Appears in 2 contracts
Sources: Agreement for the Provision of Cardiac Reporting Services, Data Processing Deed
Asset Protection. 8.1 The Processor Supplier shall acquire, create, provide, manage and maintain mechanisms to prevent or mitigate destruction, loss, alteration, disclosure or misuse of equipment used within the Services Environment, Data and Controller assets, having regard to Good Industry Practice. This includes annual Penetration testing and the satisfactory completion of remedial actions identified following that testing.
8.2 All Data shall be appropriately backed up and stored in a secure facility which in line with industry practice would be off site.
8.3 The Processor Supplier will ensure adequate business continuity services and disaster recovery services are in place and regularly tested. Evidence of this testing may be required as part of the Controller's due diligence.
8.4 The Processor Supplier shall ensure that no-one, other than properly authorised Processor Supplier Personnel, has physical access to any servers in scope under this Contract or used to deliver the Services, including any servers located at the Processor Supplier's facilities without formal documented approval from the Controller.
8.5 In relation to Processor Supplier's facilities, the Processor Supplier shall, at a minimum, acquire, create, provide, manage and maintain mechanisms to prevent or mitigate destruction, loss, alteration, disclosure or misuse of Controller systems and/or Data, having regard to Good Industry Practice.
8.6 The Processor Supplier will fully and regularly assess the physical security risk for all premises and ensure reasonable controls are in place to prevent inappropriate access as would be expected for the National Health Service.
8.7 Implement National Cyber Security Centre (NCSC) guidelines (e.g. cyber essentials) as agreed with the Controller so that assets are protected.
Appears in 1 contract
Sources: Master Saas Terms & Conditions