Cloud Security Clause Samples

Cloud Security. 9.1. ▇▇▇▇ & ▇▇▇▇▇▇’▇ Travel Management Platform and server infrastructure is hosted in Microsoft Azure’s UK South data centre.
Cloud Security.
● The following sections may not be applicable if a third party owns the cloud environment: Preferred Environment, Resource Organization, Network Configuration, Secrets Management, Infrastructure as Code.
● Preferred Environment
  ○ Is the environment one of the “big 3” (AWS, GCP, Azure)? These are generally preferred as they are considered the services that are most mature security-wise.
  ○ Note: Using multiple services for infrastructure may be necessary (some vendors may require a specific service to be used), but it increases complexity and attack surface.
● Resource Organization
  ○ Can resources be deployed to different environments (development, production, sandbox, etc.)? This is valuable to allow developers a chance to test new features in non-production environments, allowing production to maintain uptime.
● Identity Management
  ○ Who will own the accounts/environments in the cloud? Who requires access keys/hard credentials? Who requires temporary access?
  ○ How will users be audited? For example, how will you remove users that are no longer employees?
● Access Management
  ○ How will your team access the environment (single-sign-on, role-based access, programmatic access, user-based access)?
  ○ How will your team audit access controls (e.g., removing permissions from users who no longer need access to certain controls/features)?
● Logging Requirements
  ○ Note: Many cloud services will be able to facilitate comprehensive logging. Focus on who has access to those logs, where the logs should be stored, and what value can be derived from the captured logs.
  ○ Do your logs need to be centralized for auditing purposes?
  ○ Are there specific infrastructure metrics that must be captured?
  ○ How long should logs be retained (consider any legal requirements to maintain logs for a certain amount of time)?
● Data Ingress and Manipulation
  ○ What are the requirements for data at rest and in transit?
  ○ Does your data require transformation/standardization?
  ○ Are there multiple points of data ingress into the cloud environment?
● Network Configuration
  ○ Are there specific requirements for infrastructure accessibility (Virtual Private Network (VPN) connection required for remote access, isolating databases/storage solutions from the internet, etc.)?
  ○ Are there any requirements for asset distribution?
    ■ Will the environment be hosting data/content that will be public?
● Secrets Management
  ○ How will secrets be protected in your infrastructure (e.g., encryption keys, parameter...
Cloud Security. 15.1 Supplier shall establish a data protection agreement with third-party service provider such as a cloud service provider where Buyer data will be processed and/or stored. 15.2 Supplier shall monitor, review, and perform a security assessment on their cloud service provider(s) that will process and/or store any Buyer data. Upon request, Supplier shall provide Buyer with a copy of the assessment results. 15.3 Supplier shall maintain a complete inventory of cloud-based applications and/or systems in which Buyer data will be processed and/or stored. 15.4 Supplier shall ensure cloud service providers and/or any cloud-based solutions that are being utilized to deliver the services to the Buyer undergo a security assessment conducted by an independent third-party assessor to assess the security controls at least annually. 15.5 Supplier shall ensure access management controls are implemented in cloud-based environments and/or applications that will be utilized to process and/or store any of the Buyer’s data. Access management controls shall include but are not limited to implementing multifactor authentication (“MFA”), performing periodic access reviews and ensuring minimum necessary access is granted to systems and applications in which Buyer data will be processed and/or stored. 15.5.a. If security responsibilities for cloud environments are shared between Supplier and ▇▇▇▇▇, roles and responsibilities must be documented and communicated. Supplier must notify Buyer promptly of any personnel changes impacting such security responsibilities and operation for the cloud environment. 15.6 Supplier shall ensure Buyer data that will be stored in cloud-based applications and/or systems will be stored and transmitted utilizing industry standard level encryption algorithms such as AES-256. Supplier shall establish an encryption key management policy and procedure for data stored in the cloud environment.
15.7 Supplier shall ensure security event log and monitoring alerts are implemented in cloud-based applications and/or systems in which Buyer data will be processed and/or stored. System and event logs are retained for a minimum period of one (1) year for cloud environments. 15.8 Supplier shall ensure Buyer’s data is segregated in cloud-based systems and/or applications where technically feasible. 15.9 Supplier shall ensure cloud service provider stores Buyer’s data within the U.S. jurisdiction and geographically distributed locations for primary and redundant data cente...
Cloud Security. 18.1 The 3rd Party must be certified to the latest version of ISO27017 or have an established and consistent framework to ensure that all use of Cloud technology and non-public data stored in the Cloud is approved and subject to appropriate controls equivalent to the latest version of the Cloud Security Alliance, Cloud Controls Matrix (CCM). 18.2 Network and infrastructure service level agreements (in-house or outsourced) shall clearly document shared responsibilities, security controls, capacity and service levels, and business or customer requirements. 18.3 3rd Party must implement security measures across all aspects of the service being supplied, such that it safeguards the confidentiality, availability, quality, and integrity by minimizing the opportunity of unauthorised individuals (e.g., other cloud customers) from gaining access to BT Information and the services utilised by BT. 18.4 To the extent 3rd Party provides hosted applications or services to BT, whether single-tenant or multi-tenant, including software-as-a-service, platform-as-a-service, infrastructure-as-a-service, and similar offerings, to collect, transmit, store, or otherwise process Confidential Data, 3rd Party shall provide BT the ability: • to isolate such Confidential Data logically from the data of 3rd Party’s other customers. • to restrict, log, and monitor access to such Confidential Data at any time including access by 3rd Party Personnel • to create, enable, disable, and delete the uppermost encryption key (known as Customer Managed Key) used to encrypt and decrypt subsequent keys including the lowermost data encryption key.
• to restrict, log, and monitor access to the Customer Managed Key at any time; and at no time shall any subsequent encryption key, an encryption key in a key hierarchy lower than the Customer Managed Key, be stored in the same system as Confidential Data unless encrypted by the Customer Managed Key, also known as being wrapped by the Customer Managed Key.
Cloud Security. The Current Health System is a cloud-hosted system, which means we manage the environment, updates, and security of our system. Users are not required to install or manage software on services or manage/administrate operating systems to use the system. Current Health uses Amazon Web Services (AWS) as the cloud provider and their services enable us to manage the fleet of servers and have backups and redundancy to ensure patient data remains confidential and maintains its integrity and availability. Current Health utilises a number of high-availability and multi-region strategies within AWS to facilitate recovery in the event of a service disruption. The agreed service level agreements (SLAs) are defined in our terms of service. As a cloud-hosted environment, Current Health have implemented the following controls to mitigate risk: • Custom service firewalls are in place on each server • Security Updates: Critical security vulnerability updates are automatically applied across our server fleet. Our security team continuously reviews vulnerability disclosures to identify new risks early. • Platform event audit logging is maintained to monitor all actions across every Current Health system. • Internal access control to the cloud is heavily governed through both technical controls and procedures. A combination of username and password are used to control access to the Current Health Patients App or Devices App. It is the responsibility of the operating institution to apply the appropriate password policies e.g. password complexity, renewal intervals.
Follow these general recommendations on password strength in case your institution does not have a more specific policy: • Use a minimum password length of 8 characters • Include lowercase and uppercase alphabetic characters, numbers and symbols • Generate passwords randomly where feasible Follow this general recommendation for a password renewal interval in case your institution does not have a more specific policy: • Passwords should be renewed after 90 days. Users will be automatically logged out of the Patients App if they are inactive for 15 minutes. Compliance Current Health is committed to complying with all applicable legal, regulatory, and contractual obligations. This includes but is not limited to: • Health Insurance Portability and Accountability Act 1996 (HIPAA) • UK Data Protection Act 2018 • ISO 27001:2013 – Information Security Management System • SOC 2 Type 2 • Cyber Essentials Plus • NHS – Digital Secur...
Cloud Security. 9.1 The Locale Party will maintain the following security arrangements for the Cloud Services (Security Arrangements): 9.1.1 all data centres in which the Locale Party hosts any part of the Cloud Services will be ISO27001, SOC2 and SOC3 accredited; 9.1.2 replicate the application database for the Cloud Services in real time across not less than two geographically distributed data centres; 9.1.3 take nightly snapshots of the Customer Data which are retained at weekly, monthly and annual intervals for not less than seven years and carry out such quarterly integrity checks that the Locale Party considers reasonably necessary to verify the integrity of the data that it holds from the nightly snapshots taken; 9.1.4 only allow access to the Cloud Services via HTTPS traffic using SHA-256 with RSA encryption; and 9.1.5 carry out such penetration testing and infrastructure scanning as the Locale Party considers reasonably necessary to test its security arrangements annually, or such other updated arrangements that the Locale Party makes available to the Customer from time to time. 9.2 The Customer acknowledges and agrees that it is responsible for assessing the applicability and suitability of the Security Arrangements and for checking any updated arrangements that the Locale Party makes available to it. 9.3 The Locale Party shall, without undue delay, inform the Customer of any Virus or Vulnerability affecting the Cloud Services and shall promptly: 9.3.1 use reasonable endeavours to remedy the Virus or Vulnerability as soon as practicable; and 9.3.2 respond to Customer's reasonable requests for information in relation to the Virus or Vulnerability.
Cloud Security. Preferred Environment and Resource Organization. The Port’s cloud security begins with Azure as the preferred cloud environment. Within this environment, several security and functional resources can be deployed to different environments that are organized by logical groupings, such as test and production environments. This environment will provide the easiest integration into existing Port infrastructure. Identity and Access Management. Administrators control the cloud accounts which are regularly audited to confirm accuracy and that decommissioned accounts have been removed by the identity management system. Checks are performed to ensure the correct level of access within the administrator’s group. Administrators use single sign-on and role-based access to control the cloud environment. Logging Requirements and Data Ingress. Comprehensive logging is aggregated to the internal Security Information and Event Management (SIEM) tool, and both administrators and the Information Security team have access to these logs. Standard data ingress into the logging environment such as syslog or event logs are preferred, but not required, and several different data sets can be parsed to work within our logging models. While more verbose logging is retained for 90 days, the meta data is held and accessible for auditing purposes for 9 months. Software and Asset Inventory. Port staff is only permitted to use Port hardware as dictated by the Acceptable Use Administrative Procedure #124-102 (See APPENDIX K). Approved software is controlled via the Microsoft Intune software deployment tool, and end users do not have administrative access to their local machines. Account Management and Access Control. Account credentials are managed in Active Directory. Regular audits are performed to confirm access is appropriate and Single Sign-On is utilized wherever possible in conjunction with Multi-Factor Authentication. 
Future systems are preferred to have Single Sign-On capabilities. Vulnerability Management. The environment is scanned for vulnerabilities on an ongoing basis and machines are patched on a strict schedule. Security Training. Security awareness training occurs quarterly for the entire organization. Research has been performed to determine the optimal absorption of information in relation to the length of training and the security awareness follows that model. Service Provider Management. Third party services are vetted through the Information Security team prior to purc...

Related to Cloud Security

  • E7 Security The Authority shall be responsible for maintaining the security of the Authority premises in accordance with its standard security requirements. The Contractor shall comply with all security requirements of the Authority while on the Authority premises, and shall ensure that all Staff comply with such requirements.

  • Password Security Any password we provide to you may be used only during the Term to access Seller Central (or other tools we provide) to use the Services, electronically accept Your Transactions, and review your completed Transactions. You are solely responsible for maintaining the security of your password. You may not disclose your password to any third party (other than third parties authorized by you to use your account or Seller Central in accordance with this Agreement) and are solely responsible for any use of or action taken under your password. If your password is compromised, you must immediately change your password.

  • Bid Security 2.1 Bid security, as a guarantee of good faith, in the form of a certified check, cashier's check, or bidder's bond, may be required to be submitted with this bid document, as indicated on the bid. 2.1.1 Bid security, if required, shall be in the amount specified on the bid. The bid security must be scanned and attached to the “Response Attachments” section of your response or it can be faxed to the Purchasing Office at ▇▇▇-▇▇▇-▇▇▇▇. The original bid security should then be sent or delivered to the office of the Purchasing Division, ▇▇▇ ▇. ▇▇▇ ▇▇., ▇▇▇. ▇▇▇, ▇▇▇▇▇▇▇, ▇▇ ▇▇▇▇▇ to be received within three (3) days of bid closing. 2.1.2 If bid security is not received in the Office of the Purchasing Division as stated above, the vendor may be determined to be non-responsive. 2.2 If alternates are submitted, only one bid security will be required, provided the bid security is based on the amount of the highest gross bid. 2.3 Such bid security will be returned to the unsuccessful Bidders when the award of bid is made. 2.4 Bid security will be returned to the successful Bidder(s) as follows: 2.4.1 For single order bids with specified quantities: upon the delivery of all equipment or merchandise, and upon final acceptance by the Owners. 2.4.2 For all other contracts: upon approval by the Owners of the executed contract and bonds. 2.5 Owners shall have the right to retain the bid security of Bidders to whom an award is being considered until either: 2.5.1 A contract has been executed and bonds have been furnished. 2.5.2 The specified time has elapsed so that the bids may be withdrawn. 2.5.3 All bids have been rejected. 
2.6 Bid security will be forfeited to the Owners as full liquidated damages, but not as a penalty, for any of the following reasons, as pertains to this specification document: 2.6.1 If the Bidder fails or refuses to enter into a contract on forms provided by the Owners, and/or if the Bidder fails to provide sufficient bonds or insurance within the time period as established in this specification document.

  • JOB SECURITY 23.01 Subject to the willingness and capacity of individual employees to accept relocation and retraining, the Employer will make every reasonable effort to ensure that any reduction in the work force will be accomplished through attrition.

  • Aviation Security 1. In accordance with their rights and obligations under international law, the Parties reaffirm that their obligation to each other to protect the security of civil aviation against acts of unlawful interference forms an integral part of this Agreement. Without limiting the generality of their rights and obligations under international law, the Parties shall in particular act in conformity with the provisions of the Convention on Offenses and Certain Other Acts Committed on Board Aircraft, done at Tokyo September 14, 1963, the Convention for the Suppression of Unlawful Seizure of Aircraft, done at The Hague December 16, 1970, the Convention for the Suppression of Unlawful Acts against the Safety of Civil Aviation, done at Montreal September 23, 1971, and the Protocol for the Suppression of Unlawful Acts of Violence at Airports Serving International Civil Aviation, done at Montreal February 24, 1988. 2. The Parties shall provide upon request all necessary assistance to each other to prevent acts of unlawful seizure of civil aircraft and other unlawful acts against the safety of such aircraft, of their passengers and crew, and of airports and air navigation facilities, and to address any other threat to the security of civil air navigation. 3. The Parties shall, in their mutual relations, act in conformity with the aviation security standards and appropriate recommended practices established by the International Civil Aviation Organization and designated as Annexes to the Convention; they shall require that operators of aircraft of their registry, operators of aircraft who have their principal place of business or permanent residence in their territory, and the operators of airports in their territory act in conformity with such aviation security provisions. 4. 
Each Party agrees to observe the security provisions required by the other Party for entry into, for departure from, and while within the territory of that other Party and to take adequate measures to protect aircraft and to inspect passengers, crew, and their baggage and carry-on items, as well as cargo and aircraft stores, prior to and during boarding or loading. Each Party shall also give positive consideration to any request from the other Party for special security measures to meet a particular threat. 5. When an incident or threat of an incident of unlawful seizure of aircraft or other unlawful acts against the safety of passengers, crew, aircraft, airports or air navigation facilities occurs, the Parties shall assist each other by facilitating communications and other appropriate measures intended to terminate rapidly and safely such incident or threat. 6. When a Party has reasonable grounds to believe that the other Party has departed from the aviation security provisions of this Article, the aeronautical authorities of that Party may request immediate consultations with the aeronautical authorities of the other Party. Failure to reach a satisfactory agreement within 15 days from the date of such request shall constitute grounds to withhold, revoke, limit, or impose conditions on the operating authorization and technical permissions of an airline or airlines of that Party. When required by an emergency, a Party may take interim action prior to the expiry of 15 days.