Information Security Plan Clause Samples

The Information Security Plan clause requires a party, typically a service provider or contractor, to establish and maintain specific policies and procedures for protecting sensitive data and information systems. In practice, this clause often mandates the implementation of technical safeguards, employee training, and regular security assessments to prevent unauthorized access, data breaches, or other security incidents. Its core function is to ensure that both parties understand and agree on the standards for information security, thereby reducing the risk of data loss or compromise during the course of their business relationship.
Information Security Plan. Contractor is required to maintain an Information Security Plan sufficient to protect the sensitive and/or confidential CSU data to which they have access. Requirements for the Information Security Plan are described in Rider A.
Information Security Plan. Contractor acknowledges that the Department is required to comply with information security standards for the protection of Confidential Information as required by law, regulation and regulatory guidance, as well as the Department’s internal security program for information and systems protection. Contractor shall develop, implement, and maintain a comprehensive Information Security Plan that contains administrative, technical, and physical safeguards designed to ensure the privacy, security, integrity, availability, and confidentiality of the Confidential Information. Contractor must provide evidence to the Department of one or more of the following for the plan: Certification in, or compliance with, generally accepted information risk management security control frameworks, standards or guidelines such as: ISO/IEC 27000-series; NIST 800-53; CIS Critical Security Controls for Effective Cyber Defense; or HIPAA Security Rule - 45 CFR Part 160 and Subparts A and C of Part 164; and Compliance with any state or federal regulations by which the person or entity who owns or licenses such information may be regulated; or At a minimum, include the elements listed in the Information Security Plan Requirements set forth below. Upon the Department’s request, Contractor shall submit one of the following documents to the Department: Independent attestation of certification; Information Security Plan scope statement; Information Security Plan statement of applicability; or SOC 2, Type 2 audit and letter of attestation indicating Contractor’s receipt of management’s assertion of control compliance from Contractor’s subcontractors as described in Section 6 Audit Provision. The Department reserves the right to require the Contractor to provide more than one of the above documents. If Contractor is unable to produce one of the above documents, Contractor may satisfy the requirement by providing the assurances in Section 28.0(h) below.
Annually, or upon a significant change in risk posture, Contractor will review its Information Security Plan and update and revise it as needed. If at any time there are any material reductions to Contractor’s Information Security Plan, Contractor will notify the Department within two weeks of the completion of the review and prior to implementation. In such instances, the Department will require an explanation of the reductions. At the Department’s request, Contractor will make modifications to its Information Security Plan or to the procedure...
Information Security Plan. Contractor shall implement and maintain a written information security program (“WISP”) that contains physical, administrative and technical safeguards necessary to ensure the confidentiality, integrity and availability of District Information, including such physical, administrative and technical safeguards as are necessary to ensure that District Information disclosed between Contractor and District is not used or disclosed by Contractor, or by any of Contractor’s subcontractors, affiliates, agents or third parties, except as provided in the Agreement.
Information Security Plan. Supplier acknowledges that UC is required to comply with information security standards for the protection of Protected Information as required by law, regulation and regulatory guidance, as well as UC’s internal security program for information and systems protection.
Information Security Plan. Contractor shall establish, implement, and at all times during the term of the Agreement, maintain administrative, physical and technical safeguards that reasonably and appropriately protect the privacy, confidentiality, integrity and availability of CalSTRS Information (hereinafter, “Information Security Plan”). When requested by CalSTRS, Contractor shall provide a copy of its Information Security Plan to CalSTRS. Contractor’s Information Security Plan shall: (i) comply with applicable state, federal and international laws; (ii) meet or exceed the Federal Information Processing Standards Publication 199 protection levels, and (iii) include each of the Center for Internet Security’s Critical Security Controls (available at ▇▇▇▇▇://▇▇▇.▇▇▇▇▇▇▇▇▇▇.▇▇▇/▇▇▇▇▇▇▇▇-▇▇▇▇▇▇▇▇.▇▇▇).
Information Security Plan. (1) Contractor acknowledges that ETF is required to comply with information security standards for the protection of Confidential Information as required by law, regulation and regulatory guidance, as well as ETF’s internal security program for information and systems protection. (2) Contractor will establish, maintain and comply with an information security plan (Information Security Plan), which will contain, at a minimum, such elements as those set forth in this Agreement. (3) Contractor’s Information Security Plan will be designed to: a. Ensure the privacy, security, integrity, availability, and confidentiality of Confidential Information; b. Protect against any anticipated threats or hazards to the security or integrity of such information; c. Protect against unauthorized access to or use of such information that could result in harm or inconvenience to the person that is the subject of such information; d. Reduce risks associated with Contractor having access to ETF Information Resources; and e. Comply with all applicable legal and regulatory requirements for data protection. (4) On at least an annual basis, Contractor will review its Information Security Plan, update and revise it as needed, and make available to ETF upon request. At ETF’s request, Contractor will make modifications to its Information Security Plan or to the procedures and practices thereunder to conform to ETF’s security requirements as they exist from time to time. If there are any significant modifications to Contractor’s Information Security Plan, Contractor will notify ETF within a reasonable period of time, not to exceed two weeks. Any significant modification
Information Security Plan. (1) Contractor acknowledges that the Department is required to comply with information security standards for the protection of Confidential Information as required by law, regulation and regulatory guidance, as well as the Department’s internal security program for information and systems protection. (2) Contractor shall develop, implement, and maintain a comprehensive Information Security Plan that contains administrative, technical, and physical safeguards designed to ensure the privacy, security, integrity, availability, and confidentiality of the Confidential Information. (3) Annually, Contractor shall submit a SOC 2, Type 2 audit report and letter of attestation indicating Contractor’s receipt of management’s assertion of control compliance from Contractor’s subcontractors as described in Section 6.0 Audit Provision. (4) Annually, or upon a significant change in risk posture, Contractor will review its Information Security Plan and update and revise it as needed. If at any time there are any material reductions to Contractor’s Information Security Plan, Contractor will notify the Department within two weeks of the completion of the review and prior to implementation. In such instances, the Department will require an explanation of the reductions. At the Department’s request, Contractor will make modifications to its Information Security Plan or to the procedures and practices thereunder to conform to the Department’s security requirements as defined herein. (5) Annually, or upon change in Subservice Organizations, Contractor will demonstrate oversight of Subservice Organizations involved in the delivery of Services under the Contract. To demonstrate oversight, the Contractor shall submit one of the following documents to the Department: a. Policy and procedure regarding monitoring the compliance of Subservice Organizations handling of Department data; b. Document(s) showing oversight of Contractor’s Subservice Organizations' security posture through annual reviews of Contractor’s vendors’ SOC 2, Type 2 audit reports; annual plans of actions and milestones; or annual reviews of information technology controls; or c. Letter of attestation assuming the Contractors’ full liability for its Subservice Organizations.
Information Security Plan. Domestic Communications Companies shall develop, document, implement, and maintain an information security plan to: (i) maintain appropriately secure facilities (e.g., offices) within the United States for the handling and storage of any Classified, Sensitive or Controlled Unclassified Information; (ii) take appropriate measures to prevent unauthorized access to data or facilities that might contain Classified, Sensitive, or Controlled Unclassified Information; (iii) assign U.S. citizens to positions for which screening is contemplated pursuant to Section 3.12; (iv) upon request from the DOJ, FBI, DOD or DHS provide the name, social security number and date of birth of each person who regularly handles or deals with Sensitive Information; (v) require that personnel handling Classified Information shall have been granted appropriate security clearances pursuant to Executive Order 12968; (vi) provide that the points of contact described in Section 3.8 of this Agreement shall have sufficient authority over any of Domestic Communications Companies' employees who may handle Classified, Sensitive, or Controlled Unclassified Information to maintain the confidentiality and security of such information in accordance with applicable U.S. legal authority and the terms of this Agreement; (vii) ensure that the disclosure of or access to Classified, Sensitive, or Controlled Unclassified Information is limited to those who have the appropriate security clearances and authority; (viii) establish a formal incident response capability with reference to OMB Circular A-130 and NIST Special Publications 800-3, 800-18 and 800-47; and (ix) identify the types of positions that require screening pursuant to Section 3.12, the required rigor of such screening by type of position, and the criteria by which Domestic Communications Companies will accept or reject screened persons (“Screened Personnel”).
Information Security Plan. 3(a) Contractor acknowledges that the CSU is required to comply with information security standards for the protection of CSU Protected Data Information required by law, regulation and regulatory guidance, as well as the CSU’s internal security policy for information and systems protection. Within 30 days of the Effective Date of the Agreement, Contractor shall establish, maintain and comply with an information security plan (“Information Security Plan”), which shall contain such elements that are materially similar to elements the CSU may require after consultation with Contractor. On at least an annual basis, Contractor shall review, update and revise its Information Security Plan. Contractor’s Information Security Plan shall be designed to: • Ensure the security, integrity and confidentiality of the CSU Protected Data; • Protect against any anticipated threats or hazards to the security or integrity of such information; • Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to the person that is the subject of such information; • Protect against unauthorized changes to or use of CSU Protected Data; and • Comply with all applicable legal and regulatory requirements for data protection. • Include business continuity and disaster recovery plans. Contractor’s Information Security Plan shall include a written response program addressing the appropriate remedial measures it shall undertake in the event that there is an information security breach. Contractor shall cause all Subcontractors and other persons and entities whose services are part of the Services which Contractor delivers to the CSU or who hold CSU Protected Data, to implement an information security program and plan substantially equivalent to Contractor’s.
The parties expressly agree that Contractor’s security procedures shall require that any CSU Protected Level 1 Data transmitted or stored by Contractor only be transmitted or stored in an encrypted form. In addition, Contractor represents and warrants that in performing the Services, it will comply with all applicable privacy and data protection laws and regulations of the United States including, as applicable, the provisions in the ▇▇▇▇▇-▇▇▇▇▇-▇▇▇▇▇▇ Act, 15 U.S.C. Section 6801 et seq., the Family Education Rights and Privacy Act (“FERPA”), 20 USC Section 1232(g) et seq., and of any other applicable non-U.S. jurisdiction, including the European Union Directives, and that it w...
Information Security Plan. Vendor is required to maintain an Information Security Plan sufficient to protect the sensitive and/or confidential CSU data to which they have access.