Information Security Requirements. a) Vendor shall comply with all applicable state and federal laws and regulations regarding confidentiality, privacy, and security pertaining to TSLAC confidential information. b) Access to sensitive or confidential TSLAC information. Vendor represents and warrants that it will take all necessary and appropriate action within its abilities to safeguard sensitive or confidential TSLAC information and to protect it from unauthorized disclosure. If communications with Vendor necessitate the release of confidential TSLAC information, the Confidential Treatment of Information Acknowledgement form (CTIA) must be signed by each individual who will require access to or may be exposed to that information. Vendor shall access TSLAC’s systems and sensitive or confidential TSLAC information only for the purposes for which it is authorized. Vendor shall ensure that any sensitive or confidential TSLAC information in the custody of Vendor is properly sanitized or destroyed when the information is no longer required to be retained by TSLAC or Vendor in accordance with this agreement. Electronic media used for storing any confidential TSLAC information must be sanitized by clearing, purging or destroying in accordance with NIST Special Publication 800-88 Guidelines for Media Sanitization. Vendor must maintain a record documenting the removal and completion of all sanitization procedures with the following information: 1) Date and time of sanitization/destruction, 2) Description of the item(s) and serial number(s) if applicable, 3) Inventory number(s), and 4) Procedures and tools used for sanitization/destruction. No later than sixty (60) days from Purchase Order expiration or termination or as otherwise specified in this agreement, Vendor must complete the sanitization and destruction of the data and provide to TSLAC all sanitization documentation. 
Vendor shall not access, process, store or transmit IRS Federal Taxpayer Information unless expressly authorized by this agreement. Vendor shall comply with IRS Publication 1075 requirements if it accesses, processes, stores, or transmits IRS Federal Taxpayer Information.
Appears in 4 contracts
Sources: Purchase Order, Purchase Order, Purchase Order
Information Security Requirements. a) Vendor shall comply with all applicable state and federal laws and regulations regarding confidentiality, privacy, and security pertaining to TSLAC confidential information.
b) Access to sensitive or confidential TSLAC information. Vendor represents and warrants that it will take all necessary and appropriate action within its abilities to safeguard sensitive or confidential TSLAC information and to protect it from unauthorized disclosure. If communications with Vendor necessitate the release of confidential TSLAC information, the Confidential Treatment of Information Acknowledgement form (CTIA) must be signed by each individual who will require access to or may be exposed to that information. Vendor shall access TSLAC’s systems and sensitive or confidential TSLAC information only for the purposes for which it is authorized. Vendor shall ensure that any sensitive or confidential TSLAC information in the custody of Vendor is properly sanitized or destroyed when the information is no longer required to be retained by TSLAC or Vendor in accordance with this agreement. Electronic media used for storing any confidential TSLAC information must be sanitized by clearing, purging or destroying in accordance with NIST Special Publication 800-88 Guidelines for Media Sanitization. Vendor must maintain a record documenting the removal and completion of all sanitization procedures with the following information:
1) Date and time of sanitization/destruction,
2) Description of the item(s) and serial number(s) if applicable,
3) Inventory number(s), and
4) Procedures and tools used for sanitization/destruction. No later than sixty (60) days from Purchase Order contract expiration or termination or as otherwise specified in this agreement, Vendor must complete the sanitization and destruction of the data and provide to TSLAC all sanitization documentation. Vendor shall not access, process, store or transmit IRS Federal Taxpayer Information unless expressly authorized by this agreement. Vendor shall comply with IRS Publication 1075 requirements if it accesses, processes, stores, or transmits IRS Federal Taxpayer Information.
Appears in 1 contract
Sources: Memorandum of Understanding
Information Security Requirements. a) Vendor shall comply with all applicable state and federal laws and regulations regarding confidentiality, privacy, and security pertaining to TSLAC confidential information.
b) Access to sensitive or confidential TSLAC information. Vendor represents and warrants that it will take all necessary and appropriate action within its abilities to safeguard sensitive or confidential TSLAC information and to protect it from unauthorized disclosure. If communications with Vendor necessitate the release of confidential TSLAC information, the Confidential Treatment of Information Acknowledgement form (CTIA) must be signed by each individual who will require access to or may be exposed to that information. Vendor shall access TSLAC’s systems and sensitive or confidential TSLAC information only for the purposes for which it is authorized. Vendor shall ensure that any sensitive or confidential TSLAC information in the custody of Vendor is properly sanitized or destroyed when the information is no longer required to be retained by TSLAC or Vendor in accordance with this agreement. Electronic media used for storing any confidential TSLAC information must be sanitized by clearing, purging or destroying in accordance with NIST Special Publication 800-88 Guidelines for Media Sanitization. Vendor must maintain a record documenting the removal and completion of all sanitization procedures with the following information:
1) Date and time of sanitization/destruction,
2) Description of the item(s) and serial number(s) if applicable,
3) Inventory number(s), and
4) Procedures and tools used for sanitization/destruction. No later than sixty (60) days from Purchase Order contract expiration or termination or as otherwise specified in this agreement, Vendor must complete the sanitization and destruction of the data and provide to TSLAC all sanitization documentation. Vendor shall not access, process, store or transmit IRS Federal Taxpayer Information unless expressly authorized by this agreement. Vendor shall comply with IRS Publication 1075 requirements if it accesses, processes, stores, or transmits IRS Federal Taxpayer Information.
Appears in 1 contract
Sources: Tslac Standard Terms and Conditions
Information Security Requirements. a) Library/Legal Entity shall comply with all applicable state and federal laws and regulations regarding confidentiality, privacy, and security pertaining to TSLAC confidential information.
b) Access to sensitive or confidential TSLAC information. Library/Legal Entity represents and warrants that it will take all necessary and appropriate action within its abilities to safeguard sensitive or confidential TSLAC information and to protect it from unauthorized disclosure. If communications with Library/Legal Entity necessitate the release of confidential TSLAC information, the Confidential Treatment of Information Acknowledgement form (CTIA) must be signed by each individual who will require access to or may be exposed to that information. Library/Legal Entity shall access TSLAC’s systems and sensitive or confidential TSLAC information only for the purposes for which it is authorized. Library/Legal Entity shall ensure that any sensitive or confidential TSLAC information in the custody of Library/Legal Entity is properly sanitized or destroyed when the information is no longer required to be retained by TSLAC or Library/Legal Entity in accordance with this Agreement. Electronic media used for storing any confidential TSLAC information must be sanitized by clearing, purging or destroying in accordance with NIST Special Publication 800-88 Guidelines for Media Sanitization. Library/Legal Entity must maintain a record documenting the removal and completion of all sanitization procedures with the following information:
1) Date and time of sanitization/destruction,
2) Description of the item(s) and serial number(s) if applicable,
3) Inventory number(s), and
4) Procedures and tools used for sanitization/destruction. No later than sixty (60) days from Purchase Order Agreement expiration or termination or as otherwise specified in this Agreement, Library/Legal Entity must complete the sanitization and destruction of the data and provide to TSLAC all sanitization documentation. Library/Legal Entity shall not access, process, store or transmit IRS Federal Taxpayer Information unless expressly authorized by this Agreement. Library/Legal Entity shall comply with IRS Publication 1075 requirements if it accesses, processes, stores, or transmits IRS Federal Taxpayer Information.
Appears in 1 contract
Sources: Memorandum of Understanding
Information Security Requirements. Contractor shall: (a) use appropriate legal, organizational, physical, administrative and technical measures, and security procedures, including, without limitation, ensuring TEA Confidential Information will be encrypted at rest and in motion, to safeguard and ensure the security of TEA Confidential Information and to protect TEA Confidential Information from unauthorized access, hacking, disclosure, duplication, theft, use, modification and/or loss; (b) comply with all applicable state and federal laws and regulations governing the handling of TEA Confidential Information; (c) process all TEA Confidential Information solely within the contiguous United States and limit access to the TEA Confidential Information to employees, subcontractors and staff of Contractor who have passed reasonable security clearance checks; and (d) implement physical security and access controls at any of its facilities (including any data centers) that house TEA Confidential Information. Contractor shall comply with rules pertaining to information technology security standards found at 1 TAC, Chapter 202, as may be amended from time to time. TEA shall have the right to review Contractor’s security measures to ensure that any sensitive data that is in Contractor’s possession is secure. For any Contractor or subcontractor that transmits, processes, or stores TEA Confidential Information, TEA may require Contractor or subcontractor to periodically provide evidence of its information security policies, procedures and controls. Contractor shall cooperate fully by providing such evidence and by making resources, personnel, and systems access available to TEA and TEA’s authorized representative(s), if requested by TEA. TEA shall have the right to scan Contractor websites and mobile applications for vulnerabilities and to audit the security measures in effect on Contractor’s connected systems without prior warning. TEA shall also have the right to immediately terminate network and system connections that do not meet the requirements herein. For any information security risks of the Contractor identified by TEA throughout the Term of this Contract, TEA may require an action plan to mitigate or remediate the security risk and Contractor agrees to provide such action plan promptly upon request. In accordance with Texas Government Code, Sec. 2054.516, Contractor shall conduct and provide results of penetration tests, at Contractor’s sole expense, of Contractor developed websites and/or mobile applications for specific TEA use that process, transmit, or store TEA Confidential Information prior to launch and annually thereafter.
TEA shall have the right to conduct a penetration scan and/or vulnerability testing through a third party periodically during the Term of the Contract without prior warning. Contractor shall resolve all identified issues to TEA’s satisfaction in a timely manner not to exceed 30 days from the date such issues are identified, provided that for any issues which cannot be resolved within 30 days, Contractor and TEA shall agree upon a plan for resolving such issues as promptly as practical, not to exceed three months. Websites that process, transmit, or store TEA Confidential Information shall be accessible through a secure connection (HTTPS-only, with HTTP Strict Transport Security (HSTS)), utilizing Transport Layer Security (TLS) version 1.2 or higher. If Contractor is providing TEA software goods or services and/or data processing goods or services, Contractor agrees to provide secure configuration guidelines that fully describe all security relevant configuration options and their implications for the overall security of the software. The guideline shall include a full description of dependencies on the supporting platform, including operating system, web server, and application server, and how they should be configured for security.
Appears in 1 contract
Sources: Standard Contract