Common use of General Security Requirements Clause in Contracts

General Security Requirements. (a) SPECIAL AGENT will maintain a written, information security program designed to protect the confidentiality, integrity and availability of Confidential Information in paper or other records and within its information system, including computers, devices, applications, and any wireless systems, and designed to perform the following core information security functions: (i) identify and assess both internal and external information security risks (“Risk Assessment”); (ii) utilize a defensive infrastructure; (iii) implement policies and procedures that protect Confidential Information from unauthorized Use; (iv) detect, respond to, and mitigate, Information Security Breaches and Security Incidents, restoring normal operations and services; and (v) fulfill regulatory reporting obligations. (b) The Risk Assessment performed by SPECIAL AGENT will be: (i) sufficient to inform the design of the information security program; (ii) updated as reasonably necessary to address changes to SPECIAL AGENT’s information systems, records, Confidential Information, and business operations; and (iii) documented and carried out in accordance with written policies and procedures. (c) SPECIAL AGENT will designate a qualified individual responsible for overseeing and implementing its information security program and enforcing its information security policy initiatives. (d) SPECIAL AGENT will assess the effectiveness of its information security program through continuous monitoring, periodic penetration testing and vulnerability assessments, or similar actions, all as dictated by its Risk Assessment. 
(e) SPECIAL AGENT, or SPECIAL AGENT’s designated third party, will: (i) utilize qualified information security personnel to manage its information security risks and perform or oversee the performance of SPECIAL AGENT’s core information security functions; and (ii) provide or verify that such personnel have obtained periodic information security training to maintain up-to-date knowledge of changing information security threats and countermeasures. (f) SPECIAL AGENT will provide regular information security awareness training for all personnel. (g) SPECIAL AGENT will have written policies, implemented and approved by senior management for the protection of its information systems and Confidential Information, addressing the following: (i) data governance and classification; (ii) asset inventory and device management; (iii) access controls and identity management; (iv) business continuity and disaster recovery planning; (v) system security and monitoring; (vi) network security and monitoring; (vii) physical security and environmental controls; (viii) customer data privacy; and (ix) vendor and third-party service provider (“TPSP”) management, to include the following topics: (A) identification and risk assessment of TPSPs; (B) minimum information security practices required of TPSPs; (C) due diligence processes for assessing the information security practices of TPSPs; and (D) periodic assessment of TPSPs, based on the risk and the continued adequacy of the TPSPs’ information security practices. 
(h) The following information systems’ controls will be utilized by SPECIAL AGENT, to the extent prescribed by its written information security program: (i) limited user access privileges to information systems providing access to Confidential Information and periodical review of such access privileges, as dictated by SPECIAL AGENT’s Risk Assessment; (ii) multi-factor authentication for any individual accessing SPECIAL AGENT’s internal networks from an external network, and for all privileged access to SPECIAL AGENT’s cloud-based systems; (iii) implementation of risk-based policies, procedures and controls designed to monitor the activity of authorized users and detect unauthorized Use or tampering with Confidential Information; and (iv) implementation of encryption to protect Confidential Information, both in transit over external networks, and at rest. (i) To the extent dictated by SPECIAL AGENT’s Risk Assessment, and for a duration specified by its records retention standards, SPECIAL AGENT will maintain audit trails: (i) for material financial transactions; and (ii) sufficient to recreate Security Incidents. (j) SPECIAL AGENT will have written procedures, guidelines and standards for the secure development of applications created in-house, and procedures for evaluating and testing the security of externally-developed applications used on SPECIAL AGENT’s information systems. (k) SPECIAL AGENT will have a written Security Incident response plan designed to promptly respond to, and recover from, any Information Security Breach or successful Security Incident materially affecting the confidentiality, integrity or availability of the Confidential Information or the continuing functionality of any aspect of Company’s business or operations. 
The plan will address the following areas: (i) internal processes for responding to an Information Security Breach or successful Security Incident; (ii) goals of the plan; (iii) definition and clear roles, responsibilities and levels of decision-making authority; (iv) external and internal communications and information sharing; (v) identification or requirements for the remediation of any identified weaknesses in information systems and associated controls; (vi) documentation and reporting regarding Information Security Breaches or successful Security Incidents and related incident response activities; and (vii) evaluation and revision as necessary of the plan following an Information Security Breach or successful Security Incident. (l) No transfer of Confidential Information may be made by SPECIAL AGENT outside of the United States without the prior, express written authorization of Company. (m) Company may require SPECIAL AGENT to have an annual review and/or an annual technical audit of its security policies and practices by Company, or, at SPECIAL AGENT’s option and expense, an independent auditor, to ensure compliance with this Addendum. The third-party audit report, including recommendations for remedying deficiencies where appropriate, will be provided to Company within seven (7) business days of receipt of the report by SPECIAL AGENT. SPECIAL AGENT will have thirty (30) calendar days to implement remedies to any identified deficiencies and notify Company that such deficiencies have been addressed. SPECIAL AGENT’s failure to remedy the identified deficiencies will be considered in breach of this Section 5.

Appears in 2 contracts

Sources: Special Agent Agreement, Medicare Advantage/Part D Plan Sales Agreement

General Security Requirements. (a) GA will maintain a written, information security program designed to protect the confidentiality, integrity and availability of Confidential Information in paper or other records and within its information system, including computers, devices, applications, and any wireless systems, and designed to perform the following core information security functions: (i) identify and assess both internal and external information security risks (“Risk Assessment”); (ii) utilize a defensive infrastructure; (iii) implement policies and procedures that protect Confidential Information from unauthorized Use; (iv) detect, respond to, and mitigate, Information Security Breaches and Security Incidents, restoring normal operations and services; and (v) fulfill regulatory reporting obligations. (b) The Risk Assessment performed by GA will be: (i) sufficient to inform the design of the information security program; (ii) updated as reasonably necessary to address changes to GA’s information systems, records, Confidential Information, and business operations; and (iii) documented and carried out in accordance with written policies and procedures. (c) GA will designate a qualified individual responsible for overseeing and implementing its information security program and enforcing its information security policy initiatives. (d) GA will assess the effectiveness of its information security program through continuous monitoring, periodic penetration testing and vulnerability assessments, or similar actions, all as dictated by its Risk Assessment.
(e) GA, or GA’s designated third party, will: (i) utilize qualified information security personnel to manage its information security risks and perform or oversee the performance of GA’s core information security functions; and (ii) provide or verify that such personnel have obtained periodic information security training to maintain up-to-date knowledge of changing information security threats and countermeasures. (f) GA will provide regular information security awareness training for all personnel. (g) GA will have written policies, implemented and approved by senior management for the protection of its information systems and Confidential Information, addressing the following: (i) data governance and classification; (ii) asset inventory and device management; (iii) access controls and identity management; (iv) business continuity and disaster recovery planning; (v) system security and monitoring; (vi) network security and monitoring; (vii) physical security and environmental controls; (viii) customer data privacy; and (ix) vendor and third-party service provider (“TPSP”) management, to include the following topics: (A) identification and risk assessment of TPSPs; (B) minimum information security practices required of TPSPs; (C) due diligence processes for assessing the information security practices of TPSPs; and (D) periodic assessment of TPSPs, based on the risk and the continued adequacy of the TPSPs’ information security practices.
(h) The following information systems’ controls will be utilized by GA, to the extent prescribed by its written information security program: (i) limited user access privileges to information systems providing access to Confidential Information and periodical review of such access privileges, as dictated by GA’s Risk Assessment; (ii) multi-factor authentication for any individual accessing GA’s internal networks from an external network, and for all privileged access to GA’s cloud-based systems; (iii) implementation of risk-based policies, procedures and controls designed to monitor the activity of authorized users and detect unauthorized Use or tampering with Confidential Information; and (iv) implementation of encryption to protect Confidential Information, both in transit over external networks, and at rest. (i) To the extent dictated by GA’s Risk Assessment, and for a duration specified by its records retention standards, GA will maintain audit trails: (i) for material financial transactions; and (ii) sufficient to recreate Security Incidents. (j) GA will have written procedures, guidelines and standards for the secure development of applications created in-house, and procedures for evaluating and testing the security of externally-developed applications used on GA’s information systems. (k) GA will have a written Security Incident response plan designed to promptly respond to, and recover from, any Information Security Breach or successful Security Incident materially affecting the confidentiality, integrity or availability of the Confidential Information or the continuing functionality of any aspect of Company’s business or operations.
The plan will address the following areas: (i) internal processes for responding to an Information Security Breach or successful Security Incident; (ii) goals of the plan; (iii) definition and clear roles, responsibilities and levels of decision-making authority; (iv) external and internal communications and information sharing; (v) identification or requirements for the remediation of any identified weaknesses in information systems and associated controls; (vi) documentation and reporting regarding Information Security Breaches or successful Security Incidents and related incident response activities; and (vii) evaluation and revision as necessary of the plan following an Information Security Breach or successful Security Incident. (l) No transfer of Confidential Information may be made by GA outside of the United States without the prior, express written authorization of Company. (m) Company may require GA to have an annual review and/or an annual technical audit of its security policies and practices by Company, or, at GA’s option and expense, an independent auditor, to ensure compliance with this Addendum. The third-party audit report, including recommendations for remedying deficiencies where appropriate, will be provided to Company within seven (7) business days of receipt of the report by GA. GA will have thirty (30) calendar days to implement remedies to any identified deficiencies and notify Company that such deficiencies have been addressed. GA’s failure to remedy the identified deficiencies will be considered in breach of this Section 5.

Appears in 2 contracts

Sources: General Agent Agreement, Contract

General Security Requirements. (a) General Agent will maintain a written, information security program designed to protect the confidentiality, integrity and availability of Confidential Information in paper or other records and within its information system, including computers, devices, applications, and any wireless systems, and designed to perform the following core information security functions: (i) identify and assess both internal and external information security risks (“Risk Assessment”); (ii) utilize a defensive infrastructure; (iii) implement policies and procedures that protect Confidential Information from unauthorized Use; (iv) detect, respond to, and mitigate, Information Security Breaches and Security Incidents, restoring normal operations and services; and (v) fulfill regulatory reporting obligations. (b) The Risk Assessment performed by General Agent will be: (i) sufficient to inform the design of the information security program; (ii) updated as reasonably necessary to address changes to General Agent’s information systems, records, Confidential Information, and business operations; and (iii) documented and carried out in accordance with written policies and procedures. (c) General Agent will designate a qualified individual responsible for overseeing and implementing its information security program and enforcing its information security policy initiatives. (d) General Agent will assess the effectiveness of its information security program through continuous monitoring, periodic penetration testing and vulnerability assessments, or similar actions, all as dictated by its Risk Assessment.
(e) General Agent, or General Agent’s designated third party, will: (i) utilize qualified information security personnel to manage its information security risks and perform or oversee the performance of General Agent’s core information security functions; and (ii) provide or verify that such personnel have obtained periodic information security training to maintain up-to-date knowledge of changing information security threats and countermeasures. (f) General Agent will provide regular information security awareness training for all personnel. (g) General Agent will have written policies, implemented and approved by senior management for the protection of its information systems and Confidential Information, addressing the following: (i) data governance and classification; (ii) asset inventory and device management; (iii) access controls and identity management; (iv) business continuity and disaster recovery planning; (v) system security and monitoring; (vi) network security and monitoring; (vii) physical security and environmental controls; (viii) customer data privacy; and (ix) vendor and third-party service provider (“TPSP”) management, to include the following topics: (A) identification and risk assessment of TPSPs; (B) minimum information security practices required of TPSPs; (C) due diligence processes for assessing the information security practices of TPSPs; and (D) periodic assessment of TPSPs, based on the risk and the continued adequacy of the TPSPs’ information security practices.
(h) The following information systems’ controls will be utilized by General Agent, to the extent prescribed by its written information security program: (i) limited user access privileges to information systems providing access to Confidential Information and periodical review of such access privileges, as dictated by General Agent’s Risk Assessment; (ii) multi-factor authentication for any individual accessing General Agent’s internal networks from an external network, and for all privileged access to General Agent’s cloud-based systems; (iii) implementation of risk-based policies, procedures and controls designed to monitor the activity of authorized users and detect unauthorized Use or tampering with Confidential Information; and (iv) implementation of encryption to protect Confidential Information, both in transit over external networks, and at rest. (i) To the extent dictated by General Agent’s Risk Assessment, and for a duration specified by its records retention standards, General Agent will maintain audit trails: (i) for material financial transactions; and (ii) sufficient to recreate Security Incidents. (j) General Agent will have written procedures, guidelines and standards for the secure development of applications created in-house, and procedures for evaluating and testing the security of externally-developed applications used on General Agent’s information systems. (k) General Agent will have a written Security Incident response plan designed to promptly respond to, and recover from, any Information Security Breach or successful Security Incident materially affecting the confidentiality, integrity or availability of the Confidential Information or the continuing functionality of any aspect of Company’s business or operations.
The plan will address the following areas: (i) internal processes for responding to an Information Security Breach or successful Security Incident; (ii) goals of the plan; (iii) definition and clear roles, responsibilities and levels of decision-making authority; (iv) external and internal communications and information sharing; (v) identification or requirements for the remediation of any identified weaknesses in information systems and associated controls; (vi) documentation and reporting regarding Information Security Breaches or successful Security Incidents and related incident response activities; and (vii) evaluation and revision as necessary of the plan following an Information Security Breach or successful Security Incident. (l) No transfer of Confidential Information may be made by General Agent outside of the United States without the prior, express written authorization of Company. (m) Company may require General Agent to have an annual review and/or an annual technical audit of its security policies and practices by Company, or, at General Agent’s option and expense, an independent auditor, to ensure compliance with this Addendum. The third-party audit report, including recommendations for remedying deficiencies where appropriate, will be provided to Company within seven (7) business days of receipt of the report by General Agent. General Agent will have thirty (30) calendar days to implement remedies to any identified deficiencies and notify Company that such deficiencies have been addressed. SPECIAL AGENT’s failure to remedy the identified deficiencies will be considered in breach of this Section 5.

Appears in 1 contract

Sources: Medicare Part D Prescription Drug Plan Sales Agreement