END USER DEVICES. The Provider must manage, and must ensure that all Sub-Contractors manage, all end-user devices used by the Provider on which HSE Data is Processed in accordance with the following requirements: the operating system and any applications that Process or have access to HSE Data must be in current support by the vendor, or the relevant community in the case of open source operating systems or applications; users must authenticate before gaining access; all HSE Data must be encrypted using an encryption tool agreed to by HSE; the end-user device must lock and require any user to re-authenticate after a period of time that is proportionate to the risk environment, during which the end-user device is inactive; the end-user device must be managed in a way that allows for the application of technical policies and controls over applications that have access to HSE Data; the Supplier or Sub-Contractor, as applicable, can, without physical access to the end-user device, remove or make inaccessible all HSE Data on the device and prevent any user or group of users from accessing the device; and all end-user devices are within the scope of any current Cyber Essentials Plus certificate held by the Provider, or any ISO/IEC 27001 (at least ISO/IEC 27001:2013) certification issued by a UKAS-approved certification body, where the scope of that certification includes the Services. The Provider must comply, and ensure that all Sub-Contractors comply, with the recommendations in NCSC Device Guidance, as updated, amended or replaced from time to time, as if those recommendations were incorporated as specific obligations under this Agreement. Where there is any conflict between the requirements of this Schedule and the requirements of the NCSC Device Guidance, the requirements of this Schedule will take precedence.
Appears in 1 contract
Sources: Concession Agreement
END USER DEVICES. The Provider must manage, and must ensure that all Sub-Contractors manage, all end-user devices used by the Provider on which HSE Data is Processed in accordance with the following requirements: the operating system and any applications that Process or have access to HSE Data must be in current support by the vendor, or the relevant community in the case of open source operating systems or applications; users must authenticate before gaining access; all HSE Data must be encrypted using an encryption tool agreed to by the HSE; the end-user device must lock and require any user to re-authenticate after a period of time that is proportionate to the risk environment, during which the end-user device is inactive; the end-user device must be managed in a way that allows for the application of technical policies and controls over applications that have access to HSE Data; the Provider or Sub-Contractor, as applicable, can, without physical access to the end-user device, remove or make inaccessible all HSE Data on the device and prevent any user or group of users from accessing the device; and all end-user devices are within the scope of any current Cyber Essentials Plus certificate held by the Provider, or any ISO/IEC 27001 (at least ISO/IEC 27001:2013) certification issued by a UKAS-approved certification body, where the scope of that certification includes the Services. The Provider must comply, and ensure that all Sub-Contractors comply, with the recommendations in NCSC Device Guidance, as updated, amended or replaced from time to time, as if those recommendations were incorporated as specific obligations under this Agreement. Where there is any conflict between the requirements of this Schedule and the requirements of the NCSC Device Guidance, the requirements of this Schedule will take precedence.
Appears in 1 contract
Sources: Concession Agreement
END USER DEVICES. The Supplier shall manage, and shall ensure that all Sub-contractors manage, all end-user devices used by the Supplier on which Authority Data is Processed in accordance with the following requirements: the operating system and any applications that Process or have access to Authority Data must be in current support by the vendor, or the relevant community in the case of Open Source operating systems or applications; users must authenticate before gaining access; all Authority Data must be encrypted using an encryption tool agreed to by the Authority; the end-user device must lock and require any user to re-authenticate after a period of time that is proportionate to the risk environment, during which the end-user device is inactive; the end-user device must be managed in a way that allows for the application of technical policies and controls over applications that have access to Authority Data; the Supplier or Sub-contractor, as applicable, can, without physical access to the end-user device, remove or make inaccessible all Authority Data on the device and prevent any user or group of users from accessing the device; and all end-user devices are within the scope of any current Cyber Essentials Plus certificate held by the Supplier, or any ISO/IEC 27001 or later (at least ISO/IEC 27001:2013) certification issued by a UKAS-approved certification body, where the scope of that certification includes the Services. The Supplier shall comply, and ensure that all Sub-contractors comply, with the recommendations in NCSC Device Guidance and Authority Technical Security Guidance, as updated, amended or replaced from time to time, as if those recommendations were incorporated as specific obligations under this Agreement. Where there is any conflict between the requirements of this Schedule 6 and the requirements of the NCSC Device Guidance, the requirements of this Schedule 6 takes precedence.
Appears in 1 contract
Sources: Contract for Goods