Common use of Detection and Response Clause in Contracts

Detection and Response. Supplier shall monitor its system for security breaches, violations and suspicious external activity or unauthorized internal system activity. Supplier shall notify Bank of America (promptly within twenty-four (24) hours or as soon thereafter as practicable) through the defined security escalation channel of Bank of America, the Bank of America Computing Incident Response Team (“BACIRT”), in the event of a breach of security or the detection of suspicious activity. Such notification to Bank of America shall precede notifications to any other Party. Supplier shall cooperate fully with all Bank of America security investigation activities and abide by the BACIRT guidelines for escalation and control of significant security incidents. Bank of America will provide a copy of the guidelines to Supplier, and such guidelines shall be treated as the Confidential Information of Bank of America. Supplier shall maintain for a mutually agreed-upon length of time, and afford Bank of America reasonable access to, all records and logs of that portion of Supplier’s network that stores or processes Confidential Information. Bank of America may review and inspect any record of system activity or Confidential Information handling upon reasonable prior notice. Supplier acknowledges and agrees that records of system activity and of Confidential Information handling may be evidence (subject to appropriate chain of custody procedures) in the event of a security breach or other inappropriate activity. Upon the request of Bank of America, Supplier shall deliver the original copies of such records to Bank of America for use in any legal, investigatory or regulatory proceeding. Supplier shall monitor industry-standard information channels (bugtraq, CERT, OEMs, etc.) for newly identified system vulnerabilities regarding the technologies and services provided to Bank of America and fix or patch any identified security problem in an adequate and timely manner.
Unless otherwise expressly agreed in writing, “timely” shall mean that Supplier shall introduce such fix or patch as soon as commercially reasonable after Supplier becomes aware of the security problem. This obligation extends to all devices that comprise Supplier’s system, e.g., application software, databases, servers, firewalls, routers and switches, hubs, etc., and to all of Supplier’s other Confidential Information handling practices. Bank of America may perform vulnerability testing of Supplier’s system to test the remediation measures implemented after a security incident or event to protect Confidential Information. At the request of Bank of America, Supplier shall meet with the Bank of America information security team to discuss information security issues in much greater detail at mutually agreeable times and locations. Bank of America acknowledges and agrees that the information Supplier so provides is Supplier’s Confidential Information, as defined in this Agreement, and is valuable proprietary information of Supplier. Supplier shall provide detailed information including, but not limited to, the following topics, which also shall be addressed in Supplier’s Program.

Appears in 3 contracts

Sources: General Services Agreement (Yodlee Inc), General Services Agreement (Yodlee Inc), General Services Agreement (Yodlee Inc)