Common use of Information Security Plan Clause in Contracts

Information Security Plan.

(1) Contractor acknowledges that the Department is required to comply with information security standards for the protection of Confidential Information as required by law, regulation and regulatory guidance, as well as the Department’s internal security program for information and systems protection.

(2) Contractor shall develop, implement, and maintain a comprehensive Information Security Plan that contains administrative, technical, and physical safeguards designed to ensure the privacy, security, integrity, availability, and confidentiality of the Confidential Information.

(3) Annually, Contractor shall submit a SOC 2, Type 2 audit report and letter of attestation indicating Contractor’s receipt of management’s assertion of control compliance from Contractor’s subcontractors as described in Section 6.0 Audit Provision.

(4) Annually, or upon a significant change in risk posture, Contractor will review its Information Security Plan and update and revise it as needed. If at any time there are any material reductions to Contractor’s Information Security Plan, Contractor will notify the Department within two weeks of the completion of the review and prior to implementation. In such instances, the Department will require an explanation of the reductions. At the Department’s request, Contractor will make modifications to its Information Security Plan or to the procedures and practices thereunder to conform to the Department’s security requirements as defined herein.

(5) Annually, or upon change in Subservice Organizations, Contractor will demonstrate oversight of Subservice Organizations involved in the delivery of Services under the Contract. To demonstrate oversight, the Contractor shall submit one of the following documents to the Department:

a. Policy and procedure regarding monitoring the compliance of Subservice Organizations handling of Department data;

b. Document(s) showing oversight of Contractor’s Subservice Organizations' security posture through annual reviews of Contractor’s vendors’ SOC 2, Type 2 audit reports; annual plans of actions and milestones; or annual reviews of information technology controls; or

c. Letter of attestation assuming the Contractors’ full liability for its Subservice Organizations.

Appears in 2 contracts

Sources: Department Terms and Conditions, Department Terms and Conditions

Information Security Plan. (1) Contractor acknowledges that the Department is required to comply with information security standards for the protection of Confidential Information as required by law, regulation and regulatory guidance, as well as the Department’s internal security program for information and systems protection. (2) Contractor shall develop, implement, and maintain a comprehensive Information Security Plan that contains administrative, technical, and physical safeguards designed to ensure the privacy, security, integrity, availability, and confidentiality of the Confidential Information. (3) Annually, if the Contractor shall submit is required to provide an independent service auditor’s report, such as a SOC 2, Type 2 audit report and letter report, Contractor will furnish the Department’s designated staff person as directed with a copy of attestation indicating Contractor’s receipt of management’s assertion of control compliance from Contractor’s subcontractors as described in Section 6.0 Audit Provisionrequired report. (4) Annually, or upon a significant change in risk posture, Contractor will review its Information Security Plan and update and revise it as needed. If at any time there are any material reductions to Contractor’s Information Security Plan, Contractor will notify the Department within two weeks of the completion of the review and prior to implementation. In such instances, the Department will require an explanation of the reductions. At the Department’s request, Contractor will make modifications to its Information Security Plan or to the procedures and practices thereunder to conform to the Department’s security requirements as defined herein. (5) Annually, or upon change in Subservice Organizations, Contractor will demonstrate oversight of Subservice Organizations involved in the delivery of Services under the Contract. To demonstrate oversight, the Contractor shall submit one of the following documents to the Department: a. 
Policy and procedure regarding monitoring the compliance of Subservice Organizations handling of Department data; b. Document(s) Documentation showing oversight of Contractor’s Subservice Organizations' security posture through annual reviews of Contractor’s vendors’ SOC 2, Type 2 audit independent service auditor’s reports; annual plans of actions and milestonescorrective action plans; or annual reviews of information technology controls; or c. Letter of attestation assuming the Contractors’ full liability for its Subservice Organizations.

Appears in 1 contract

Sources: Department Terms and Conditions

Information Security Plan. (1) . Contractor acknowledges that the Department is required to comply with information security standards for the protection of Confidential Information as required by law, regulation and regulatory guidance, as well as the Department’s internal security program for information and systems protection. (2) . Contractor shall develop, implement, and maintain a comprehensive Information Security Plan that contains administrative, technical, and physical safeguards designed to ensure the privacy, security, integrity, availability, and confidentiality of the Confidential Information. (3) . Annually, if the Contractor shall submit is required to provide an independent service auditor’s report, such as a SOC 2, Type 2 audit report and letter report, Contractor will furnish the Department’s designated staff person as directed with a copy of attestation indicating Contractor’s receipt of management’s assertion of control compliance from Contractor’s subcontractors as described in Section 6.0 Audit Provisionrequired report. (4) . Annually, or upon a significant change in risk posture, Contractor will review its Information Security Plan and update and revise it as needed. If at any time there are any material reductions to Contractor’s Information Security Plan, Contractor will notify the Department within two weeks of the completion of the review and prior to implementation. In such instances, the Department will require an explanation of the reductions. At the Department’s request, Contractor will make modifications to its Information Security Plan or to the procedures and practices thereunder to conform to the Department’s security requirements as defined herein. (5) . Annually, or upon change in Subservice Organizations, Contractor will demonstrate oversight of Subservice Organizations involved in the delivery of Services under the Contract. 
To demonstrate oversight, the Contractor shall submit one of the following documents to the Department: a. Policy and procedure regarding monitoring the compliance of Subservice Organizations handling of Department data; b. Document(s) Documentation showing oversight of Contractor’s Subservice Organizations' security posture through annual reviews of Contractor’s vendors’ SOC 2, Type 2 audit independent service auditor’s reports; annual plans of actions and milestonescorrective action plans; or annual reviews of information technology controls; or c. Letter of attestation assuming the Contractors’ full liability for its Subservice Organizations.

Appears in 1 contract

Sources: Stable Value Fund Investment Advisory Agreement

Information Security Plan. (1) Contractor acknowledges that the Department is required to comply with information security standards for the protection of Confidential Information as required by law, regulation and regulatory guidance, as well as the Department’s internal security program for information and systems protection. (2) . Contractor shall develop, implement, and maintain a comprehensive Information Security Plan that contains administrative, technical, and physical safeguards designed to ensure the privacy, security, integrity, availability, and confidentiality of the Confidential Information. (3) . Annually, if the Contractor shall submit is required to provide an independent service auditor’s report, such as a SOC 2, Type 2 audit report and letter report, Contractor will furnish the Department’s designated staff person as directed with a copy of attestation indicating Contractor’s receipt of management’s assertion of control compliance from Contractor’s subcontractors as described in Section 6.0 Audit Provision. (4) required report. Annually, or upon a significant change in risk posture, Contractor will review its Information Security Plan and update and revise it as needed. If at any time there are any material reductions to Contractor’s Information Security Plan, Contractor will notify the Department within two weeks of the completion of the review and prior to implementation. In such instances, the Department will require an explanation of the reductions. At the Department’s request, Contractor will make modifications to its Information Security Plan or to the procedures and practices thereunder to conform to the Department’s security requirements as defined herein. (5) . Annually, or upon change in Subservice Organizations, Contractor will demonstrate oversight of Subservice Organizations involved in the delivery of Services under the Contract. 
To demonstrate oversight, the Contractor shall submit one of the following documents to the Department: a. : Policy and procedure regarding monitoring the compliance of Subservice Organizations handling of Department data; b. Document(s) ; Documentation showing oversight of Contractor’s Subservice Organizations' security posture through annual reviews of Contractor’s vendors’ SOC 2, Type 2 audit independent service auditor’s reports; annual plans of actions and milestonescorrective action plans; or annual reviews of information technology controls; or c. or Letter of attestation assuming the Contractors’ full liability for its Subservice Organizations.

Appears in 1 contract

Sources: Department Terms and Conditions