Privileged Access. Compliance with this section of the VISR is required for the entire duration of the engagement if Vendor (i) manages IT systems (hardware or software) for VEIC or (ii) is responsible for any aspect of Identity and Access Management (IAM) related to VEIC systems, including Privileged Access controls. For purposes of clarity, this Section 7 will apply only if Vendor is providing services pursuant to Sections 4, 5 or 6 above. “Privileged Access” is defined as access that provides a capability to alter the properties, behavior, or control of an information resource, change system control parameters, alter other users’ access to data, or bypass or change system and security controls. In these situations, Vendor shall:
a) Maintain and disseminate to Vendor employees a written access control policy based on reputable industry standards and the least privileged access principle.
b) Include formal instructions for the following in Vendor’s IAM procedures:
1. Approval for, creation of and providing entitlements for privileged accounts; and
2. Removal of Privileged Access upon termination of the engagement with Vendor, when Vendor personnel change functions and no longer require access, when Vendor personnel are no longer assigned to the VEIC account or, for any reason, Privileged Access is no longer required.
c) Maintain a recertification cycle (validation of permissions granted) for privileged accounts that includes:
1. Maintaining a list of Vendor personnel with Privileged Access to VEIC Systems or other IT resources that support VEIC Systems or operations;
2. Reviewing Vendor personnel’s access rights at regular intervals (at least quarterly) and after any changes, such as promotion, demotion, or termination of employment;
3. Taking immediate action to correct any discrepancies discovered during this review; and
4. Upon request by Company, providing reporting related to this review.
d) Monitor and adequately log creation of and changes to privileged accounts for systems used by, accessed by, or in-place to support Company and, upon discovery of anomalies, notify Company;
e) Monitor and adequately log all actions performed by Vendor personnel with Privileged Access to systems used by, accessed by or in-place to support Company, report any anomalies to Company and, upon request, provide a history of all system management actions performed by Vendor personnel that could impact the confidentiality, integrity or availability of services or systems;
f) Implement procedures for emergency access (e.g., a “break glass” account) and ensure that passwords are properly secured and changed after each use;
g) Ensure that all Vendor personnel (including technical and functional support personnel, operators, network administrators, system programmers, and database administrators) have an individually-assigned unique identifier (user ID) that can be traced to the accountable individual;
h) Implement controls to ensure secure log-on procedures, quality passwords, a secure authentication method, and session time-outs for inactive sessions at the network, operating system and database level;
i) Ensure that non-personal accounts (e.g., Admin or Root, service accounts, batch accounts, and back-up accounts) cannot be used by an individual for system access; and
j) Where technically feasible, integrate solutions provided by Vendor with the VEIC privileged access management (▇▇▇) solution.
Appears in 1 contract
Sources: Subcontract Agreement
Privileged Access. Compliance with this section of the VISR is required for the entire duration of the engagement if Vendor (i) manages IT systems (hardware or software) for VEIC or (ii) is responsible for any aspect of Identity and Access Management (IAM) related to VEIC systems, including Privileged Access controls. For purposes of clarity, this Section 7 will apply only if Vendor is providing services pursuant to Sections 4, 5 or 6 above. “Privileged Access” is defined as access that provides a capability to alter the properties, behavior, or control of an information resource, change system control parameters, alter other users’ access to data, or bypass or change system and security controls. In these situations, Vendor shall:
a) Maintain and disseminate to Vendor employees a written access control policy based on reputable industry standards and the least privileged access principle.
b) Include formal instructions for the following in Vendor’s IAM procedures:
1. Approval for, creation of and providing entitlements for privileged accounts; and
2. Removal of Privileged Access upon termination of the engagement with Vendor, when Vendor personnel change functions and no longer require access, when Vendor personnel are no longer assigned to the VEIC account or, for any reason, Privileged Access is no longer required.
c) Maintain a recertification cycle (validation of permissions granted) for privileged accounts that includes:
1. Maintaining a list of Vendor personnel with Privileged Access to VEIC Systems or other IT resources that support VEIC Systems or operations;
2. Reviewing Vendor personnel’s access rights at regular intervals (at least quarterly) and after any changes, such as promotion, demotion, or termination of employment;
3. Taking immediate action to correct any discrepancies discovered during this review; and
4. Upon request by Company, providing reporting related to this review.
d) Monitor and adequately log creation of and changes to privileged accounts for systems used by, accessed by, or in-place to support Company and, upon discovery of anomalies, notify Company;
e) Monitor and adequately log all actions performed by Vendor personnel with Privileged Access to systems used by, accessed by or in-place to support Company, report any anomalies to Company and, upon request, provide a history of all system management actions performed by Vendor personnel that could impact the confidentiality, integrity or availability of services or systems;
f) Implement procedures for emergency access (e.g., a “break glass” account) and ensure that passwords are properly secured and changed after each use;
g) Ensure that all Vendor personnel (including technical and functional support personnel, operators, network administrators, system programmers, and database administrators) have an individually-assigned unique identifier (user ID) that can be traced to the accountable individual;
h) Implement controls to ensure secure log-on procedures, quality passwords, a secure authentication method, and session time-outs for inactive sessions at the network, operating system and database level;
i) Ensure that non-personal accounts (e.g., Admin or Root, service accounts, batch accounts, and back-up accounts) cannot be used by an individual for system access; and
j) Where technically feasible, integrate solutions provided by Vendor with the VEIC privileged access management (▇▇▇) solution.
Appears in 1 contract
Sources: Contract