Information Security and Assurance Requirements Clause Samples

Information Security and Assurance Requirements.

2.15.1 The DWP requires all IDPs to provide structured and formal assurance of the scope and effectiveness of their IDP and related Trust services, and of the security control measures implemented to protect those services including all personal data held.

2.15.2 In recognition that IDP services are still a maturing industry, the DWP is providing an assurance framework against which IDP security capabilities and assurance assessment regimes may be characterised and asserted to DWP by IDPs, and valued by degrees in the IDP services payment model.

2.15.3 The DWP IDP Security and Assurance Framework (illustrated in the diagram) is built upon a broad foundation of international standard security and assurance. The model adds increasingly specific assurance profiles across a narrower scope at each tier, covering in turn industry, HMG and DWP profiles, guidelines and requirements.

2.15.4 The DWP solution represents the first implementation of the Government Digital Service (GDS) - Identity Assurance Architecture. Cabinet Office GDS is leading development of the supporting management, standards and accreditation processes required for the operation of pan-government Identity Assurance services. Under current proposals, IDPs wishing to provide identity services to OGDs will need to obtain certification under a recognised certification regime.

2.15.5 For the foundation security and assurance tier, all IDPs must hold and maintain a current independent certification to ISO 27001 for their corporate information security management system (ISMS). The IDPs must include all aspects of their IDP and related trust services within the scope of all applicable controls in their ISMS. The IDP’s ISMS must be independently audited once in any 12 month period, and achieve the conditions required for award of a new ISO 27001 certificate. IDPs must provide a copy of all current ISO27001 certificates that cover the scope of their IDP and related trust services.

2.15.6 All IDPs are required to provide in their response a summary of their intended ISO 27001 Security Plan. This should provide DWP with some assurance that the scope of their key implemented ISO 27001 security controls will protect their IDP and related trust services, including all personal customer data. The summary Security Plan must illustrate the IDP’s approach to key measures from all the major ISO 27001 control groups, including:

  • Personnel Security
  • Secure Information Handling and Transfers
  • Physical Premises Se...

Related to Information Security and Assurance Requirements

  • INFORMATION SECURITY SCHEDULE All capitalized terms not defined in this Information Security Schedule (this “Security Schedule”) shall have the meanings ascribed to them in the Transfer Agency and Service Agreement by and between DST and each of the funds listed on Exhibit A thereto (each such fund, or series thereof, severally, and not jointly, the “Fund”) dated March 1, 2022 (the “Agreement”). DST and Fund hereby agree that DST shall maintain and comply with an information security policy (“Security Policy”) that satisfies the requirements set forth below; provided, that, because information security is a highly dynamic space (where laws, regulations and threats are constantly changing), DST reserves the right to make changes to its information security controls at any time and at the sole discretion of DST in a manner that it believes does not materially reduce the protection it applies to Fund Data. From time to time, DST may subcontract services performed under the Agreement (to the extent provided for under the Agreement) or provide access to Fund Data or its network to a subcontractor or other third party; provided, that, such subcontractor or third party implements and maintains security measures DST believes are at least as stringent as those described in this Security Schedule. For the purposes of this Schedule “prevailing industry practices and standards” refers to standards among financial institutions, including mutual funds, and third parties providing financial services to financial institutions.

  • Information Security IET information security management practices, policies and regulatory compliance requirements are aimed at assuring the confidentiality, integrity and availability of Customer information. The UC ▇▇▇▇▇ Cyber-safety Policy, UC ▇▇▇▇▇ Security Standards Policy (PPM Section 310-22), is adopted by the campus and IET to define the responsibilities and key practices for assuring the security of UC ▇▇▇▇▇ computing systems and electronic data.

  • Security and Access The Executive agrees and covenants (a) to comply with all Company security policies and procedures as in force from time to time including without limitation those regarding computer equipment, telephone systems, voicemail systems, facilities access, monitoring, key cards, access codes, Company intranet, internet, social media and instant messaging systems, computer systems, e-mail systems, computer networks, document storage systems, software, data security, encryption, firewalls, passwords and any and all other Company facilities, IT resources and communication technologies (“Facilities Information Technology and Access Resources”); (b) not to access or use any Facilities and Information Technology Resources except as authorized by the Company; and (iii) not to access or use any Facilities and Information Technology Resources in any manner after the termination of the Executive’s employment by the Company, whether termination is voluntary or involuntary. The Executive agrees to notify the Company promptly in the event he learns of any violation of the foregoing by others, or of any other misappropriation or unauthorized access, use, reproduction or reverse engineering of, or tampering with any Facilities and Information Technology Access Resources or other Company property or materials by others.

  • Personal Information security breach a) Each Party shall notify the other party in writing as soon as possible after it becomes aware of or suspects any loss, unauthorised access or unlawful use of any personal information and shall, at its own cost, take all necessary remedial steps to mitigate the extent of the loss or compromise of personal information and to restore the integrity of the affected personal information as quickly as is possible. The Parties shall also be required to provide each other with details of the persons affected by the compromise and the nature and extent of the compromise, including details of the identity of the unauthorised person who may have accessed or acquired the personal information. b) The Parties shall provide on-going updates on the progress in resolving the compromise at reasonable intervals until such time as the compromise is resolved. c) Where required, the Parties must notify the South African Police Service; and/or the State Security Agency and the Information Regulator and the affected persons of the security breach. Any such notification shall always include sufficient information to allow the persons to take protective measures against the potential consequences of the compromise. d) The Parties undertake to co‑operate in any investigations relating to security which is carried out by or on behalf of the other including providing any information or material in its possession or control and implementing new security measures.

  • PERSONAL INFORMATION PRIVACY AND SECURITY CONTRACT Any reference to statutory, regulatory, or contractual language herein shall be to such language as in effect or as amended. A. DEFINITIONS