Data Center Security. (a) CSG will undertake and maintain physical, administrative, and technical safeguards and other security measures necessary to ensure the security and confidentiality of (x) Charter Customer Information, and (y) CSG-supplied assets, systems and software. As part of the Services, CSG will maintain and enforce at each data center, and all other locations where services relating directly or indirectly to the Services are performed, safety and physical and computer system security procedures that are at least (i) equal to current industry standards for such types of service locations; and (ii) as rigorous as those procedures in effect at the service location as of the effective date of the Agreement. In the event that CSG becomes aware of a potential compromise to the security of a data center, CSG will, [****** * ************ ********** ****], notify Customer of such potential compromise after verifying the reasonable possibility of such potential compromise based upon plausible evidence. The parties will work together in good faith to isolate any potentially compromised host to determine the current security posture and whether further corrective action is necessary. However, CSG shall maintain control, discretion, and responsibility for infrastructure changes necessary to resolve any potential compromise.
(b) CSG must test the security of its systems used in connection with this Agreement on a [******** *****], as necessary to confirm system integrity and security as consistent with current industry standards and best practices. CSG is responsible for and shall conduct penetration testing of any Product, Service or system that contains [*** ****] to identify and remediate vulnerabilities in CSG’s environment. CSG further agrees to conduct such penetration testing and remediation of identified vulnerabilities based upon industry accepted penetration testing approaches (e.g., NIST SP800-115 or Payment Card Industry Standard). CSG shall:
(i) Employ a program of code analysis to identify security vulnerabilities in software code during the development process, and not issue a release that contains critical, high, or medium vulnerabilities using the Common Vulnerability Scoring System.
(ii) Perform vulnerability scans at least every [****** ****] days.
(iii) Perform penetration tests. Such penetration testing shall be: (i) conducted using appropriately qualified assessors; (ii) based on current industry accepted penetration testing approaches (for example, NIST SP800-115); and (iii) performed at least [********] and also after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a major release).
(iv) Correct exploitable vulnerabilities discovered during penetration testing within reasonable time frames, with follow-up testing to verify the effectiveness of the corrections. As a baseline for reasonableness, Provider must apply critical security patches immediately, high security patches within [*** ***** ** *******, medium security patches within ****** **** ****, and low security patches ****** ****** **** ****]. For any vulnerabilities for which the corrections were not effective, Provider shall undertake additional measures to correct the vulnerabilities and restart this verification and testing cycle (this step to be repeated until effective corrections are implemented).
(v) As requested by Customer, communicate to Customer the occurrence of penetration tests and that all vulnerabilities have been remediated.
(vi) As requested by Customer, provide to Customer an executive summary certified by a member of CSG’s security team after each penetration testing cycle that all such identified vulnerabilities have been adequately remediated.
(c) CSG will update any third party assets, systems, and software included in or used in conjunction with CSG’s operating systems/platform, network, or hardware/software (“Third Party Element(s)”) that are utilized to provide any Products, Services, other services, or any deliverable under this Agreement to the current or to the prior major release of such Third Party Element, unless otherwise agreed in writing between the Parties. CSG shall not use a version of any such Third Party Elements for which support is no longer available from any entity or for which code fixes addressing vulnerabilities are no longer developed.
(d) For any software development processes related to this Agreement, CSG must address common coding vulnerabilities as follows:
(i) Use secure coding guidelines and latest industry accepted practices for vulnerability management such as the Open Web Application Security Project (“OWASP”) Guide, the SANS CWE Top 25 Most Dangerous Software Errors, and CERT Secure Coding.
(ii) Train developers at least annually in up-to-date secure coding techniques, including, but not limited to, how to avoid common coding vulnerabilities.
(iii) CSG must have industry-accepted controls on the source code to detect and prevent any unauthorized modifications, deletions, or insertions of code. This should include industry-accepted security controls covering all development workstations (including, but not limited to, malware, anti-phishing, and logical access controls) and processes that include validation code reviews.
(iv) CSG will not undertake any code development with any resource that is a Restricted Party.
(e) CSG must ensure that Customer’s use of the Products and Services will not impede Customer’s ability to mitigate vulnerabilities in the systems used for accessing the Products and Services.
Appears in 1 contract
Sources: CSG Master Subscriber Management System Agreement (CSG Systems International Inc)
Data Center Security. (a) CSG will undertake and maintain physical, administrative, and technical safeguards and other security measures necessary to ensure the security and confidentiality of (x) Charter Customer Information, and (y) CSG-supplied assets, systems and software. As part of the Services, CSG will maintain and enforce at each data center, and all other locations where services relating directly or indirectly to the Services are performed, safety and physical and computer system security procedures that are at least (i) equal to current industry standards for such types of service locations; and (ii) as rigorous as those procedures in effect at the service location as of the effective date of the Agreement. CSG will take all commercially reasonable steps necessary to retain, maintain and protect against the loss or alteration of all Charter Customer Information provided to CSG. In the event that CSG becomes aware of a potential compromise to the security of a data center, CSG will, [****** * within a ************ ********** ****], notify Customer of such potential compromise after verifying the reasonable possibility of such potential compromise based upon plausible evidence. The parties will work together in good faith to isolate any potentially compromised host to determine the current security posture and whether further corrective action is necessary. However, CSG shall maintain control, discretion, and responsibility for infrastructure changes necessary to resolve any potential compromise.
(b) CSG must test the security of its systems used in connection with this Agreement on a [******** *****], as necessary to confirm system integrity and security as consistent with current industry best standards and best practices. CSG is responsible for and shall conduct penetration testing of any Product, Service or system that contains [*** ****] PCI data to identify and remediate vulnerabilities in CSG’s environment. CSG further agrees to conduct such penetration testing and remediation of identified vulnerabilities based upon industry accepted penetration testing approaches (e.g., NIST SP800-115 or Payment Card Industry Standard). CSG shall:
(i) Employ a program of code analysis to identify security vulnerabilities in software code during the development process, and not issue a release that contains critical, high, or medium vulnerabilities using the Common Vulnerability Scoring System.
Perform penetration testing (iiA) Perform vulnerability scans at least every [*** (*) ******; and (B) after any *********** ****] days.
(iii) Perform penetration tests. Such penetration testing shall be: (i) conducted using appropriately qualified assessors; (ii) based on current industry accepted penetration testing approaches (for example, NIST SP800-115); and (iii) performed at least [********] and also after any significant infrastructure ** or application upgrade *********** ******* or modification (such as an operating system upgrade************ that CSG determines, a sub-network added in its sole discretion, to the environment, or a major release)be ******** under CSG’s security policy applicable to *********** *******.
(ivii) Correct exploitable vulnerabilities discovered during penetration testing within reasonable time frames, with follow up testing to verify the effectiveness of the corrections. As a baseline ; for reasonableness, Provider must apply critical security patches immediately, high security patches within [*** ***** ** *******, medium security patches within ****** **** ****, and low security patches ****** ****** **** ****]. For any vulnerabilities for which the corrections were not effective, Provider CSG shall undertake additional measures to correct the vulnerabilities and restart this verification process and testing cycle (this step to be repeated until effective corrections are implemented).
(viii) As requested by Customer, communicate to Customer the occurrence of penetration test and that all vulnerabilities have been remediated.
(viiv) As requested by Customer, provide to Customer an executive summary certified by a member of CSG’s security team after each penetration testing cycle that all identified such vulnerabilities have been adequately remediated.
(c) CSG will update any third party assets, systems, and software included in or used in conjunction with CSG’s operating systems/platform, network, or hardware/software (“Third Party Element(s)”) that are utilized to provide any Products, Services, other services, or any deliverable under this Agreement to the current or to the prior major release of such Third Party Element, unless otherwise agreed in writing between the Parties. CSG shall not use a version of any such Third Party Elements for which support is no longer available from any entity or for which code fixes addressing vulnerabilities are no longer developed.
(d) For any software development processes related to this Agreement, CSG must address common coding vulnerabilities as follows:
(i) Use secure coding guidelines and latest industry accepted practices for vulnerability management such as the Open Web Application Security Project (“OWASP”) Guide, the SANS CWE Top 25 Most Dangerous Software Errors, and CERT Secure Coding.
(ii) Train developers at least annually in up-to-date secure coding techniques, including, but not limited to, how to avoid common coding vulnerabilities.
(iii) CSG must have industry-accepted controls on the source code to detect and prevent any unauthorized modifications, deletions, or insertions of code. This should include industry-accepted security controls covering all development workstations (including, but not limited to, malware, anti-phishing, and logical access controls) and processes that include validation code reviews.
(iv) CSG will not undertake any code development with any resource that is a Restricted Party.
(e) CSG must ensure that Customer’s use of the Products and Services will not impede Customer’s ability to mitigate vulnerabilities in the systems used for accessing the Products and Services.