Security Operations. Supplier shall maintain operational security policies, procedures, and controls in accordance with industry standard practices. At a minimum, such policies and procedures shall cover and such controls shall include: (i) ensuring Buyer Information is logically and/or physically segregated; (ii) firewalls; (iii) network intrusion detection; (iv) regularly updated anti-virus software; (v) application of security patches in accordance with industry standards; (vi) commercially reasonable vulnerability scans; (vii) continuously assessing and tracking vulnerabilities on network assets; (viii) monitoring for unauthorized access, within Supplier’s network and/or applications, to ensure that unauthorized persons, computers, computer programs or networks do not have access to or use of Buyer Information; (ix) an annual penetration test of Supplier’s key systems and applications carried out by an independent third-party; (x) collecting, alerting, and reviewing audit logs of events that could help detect, understand, or recover from an adverse event; (xi) protect and detect against threats from email and web vectors, and (xii) monitoring public and private industry sources for new threat and vulnerability information. Upon request, Supplier shall provide a copy of the penetration test results to Buyer.
Appears in 1 contract
Sources: Supplier Agreement
Security Operations. Supplier shall maintain operational security policies, procedures, and controls in accordance with industry standard practices. At a minimum, such policies and procedures shall cover and such controls shall include: (i) ensuring Buyer Information is logically and/or physically segregated; (ii) firewalls; (iii) network intrusion detection; (iv) regularly updated anti-virus software; (v) application of security patches in accordance with industry standards; (vi) commercially reasonable vulnerability scans; (vii) continuously assessing and tracking vulnerabilities on network assets; (viii) monitoring for unauthorized access, within Supplier’s network and/or applications, to ensure that unauthorized persons, computers, computer programs or networks do not have access to or use of Buyer Information; (ix) an annual penetration test of Supplier’s key systems and applications carried out by an independent third-party; (x) collecting, alerting, and reviewing audit logs of events that could help detect, understand, or recover from an adverse event; (xi) protect and detect against threats from email and web vectors, and (xii) monitoring public and private industry sources for new threat and vulnerability information. Upon request, Supplier shall provide a copy of the penetration test results to Buyer.
Appears in 1 contract
Sources: Supplier Agreement