PROCEDURES FOR SECURITY. In order to safeguard the Confidential Data shared under this Agreement, and any derivative data or files, ENTITY agrees:
1. To maintain proper security controls to protect the Confidential Data collected, processed, managed, and/or stored during completion of the proposed purpose of the Agreement;
2. To maintain written policies and procedures, including breach notification and incident response, which protect the Confidential Information throughout the information lifecycle, from creation, transformation, use, and storage through secure destruction, regardless of the media used to store the data (i.e., tape, disk, paper, etc.);
3. To maintain appropriate authentication and role-based access controls to DHHS systems that collect, transmit, or store the Confidential Data or to ENTITY’s systems that collect, transmit, or store the Confidential Data. ENTITY shall not subcontract the collection, transmission, or maintenance of the data without prior approval from the DHHS Information Security Office consistent with this Agreement;
4. To ensure proper security monitoring capabilities are in place to detect potential security events that can affect State of NH systems and/or Department Confidential Information for ENTITY-provided systems;
5. In the event of any security breach by ENTITY, that all efforts shall be made to contain and investigate the causes of the breach, promptly take measures to prevent future breaches, and minimize any damage or loss resulting from the breach. ENTITY is responsible for all costs of response and recovery from the breach, including but not limited to credit monitoring services, mailing costs, and costs associated with website and telephone call center services necessary due to the breach;
6. To comply with all applicable statutes and regulations regarding the privacy and security of Confidential Information, and to maintain the privacy and security of PI and PHI at a level and scope that is not less than the level and scope of requirements applicable to federal agencies, including, but not limited to, provisions of the Privacy Act of 1974 (5 U.S.C. § ▇▇▇▇), ▇▇▇▇ Privacy Act Regulations (45 C.F.R. §5b), HIPAA Privacy and Security Rules (45 C.F.R. Parts 160 and 164), and all other laws that govern protections for individually identifiable health information as applicable under State law;
7. To establish and maintain appropriate administrative, technical, and physical safeguards to protect the confidentiality of the Confidential Data and to prevent unauthorized use of or access to it. The safeguards must provide a level and scope of security that is not less than the level and scope of security requirements established by federal law;
8. To act in compliance with section two (2) of NIST Publication 800-61, Computer Security Incident Handling Guide, National Institute of Standards and Technology, U.S. Department of Commerce. ENTITY agrees that if any individual is inadvertently identified, ENTITY and End User(s) shall notify DHHS, refrain from contacting the individual or further disclosing the identity of the individual for any purpose, and prevent any other person, contractor, subcontractor, or third party to this Agreement from having direct contact with the individual.
Sources: Data Sharing Agreement, Data Sharing Agreement