Common use of Security Plan Clause in Contracts

Security Plan.
3.1 The Contractor shall develop, implement and maintain a Security Plan to apply during the Contract Period (and after the end of the term as applicable) which will be approved by the Authority, tested, periodically updated and audited in accordance with this Schedule 5.
3.2 A draft Security Plan provided by the Contractor as part of its bid is set out herein.
3.3 Prior to the Commencement Date the Contractor will deliver to the Authority for approval the final Security Plan which will be based on the draft Security Plan set out herein.
3.4 If the Security Plan is approved by the Authority it will be adopted immediately. If the Security Plan is not approved by the Authority the Contractor shall amend it within 10 Working Days of a notice of non-approval from the Authority and re-submit to the Authority for approval. The Parties will use all reasonable endeavours to ensure that the approval process takes as little time as possible and in any event no longer than 15 Working Days (or such other period as the Parties may agree in writing) from the date of its first submission to the Authority. If the Authority does not approve the Security Plan following its resubmission, the matter will be resolved in accordance with clause 19 (Dispute Resolution). No approval to be given by the Authority pursuant to this paragraph 3.4 may be unreasonably withheld or delayed. However any failure to approve the Security Plan on the grounds that it does not comply with the requirements set out in paragraphs 3.1 to 3.4 shall be deemed to be reasonable.
3.5 The Security Plan will set out the security measures to be implemented and maintained by the Contractor in relation to all aspects of the Services and all processes associated with the delivery of the Services and shall at all times comply with and specify security measures and procedures which are sufficient to ensure that the Services comply with:
3.5.1 the provisions of this Schedule 5;
3.5.2 the provisions of Schedule 1 relating to security;
3.5.3 the Information Assurance Standards;
3.5.4 the data protection compliance guidance produced by the Authority;
3.5.5 the minimum set of security measures and standards required where the system will be handling Protectively Marked or sensitive information, as determined by the Security Policy Framework;
3.5.6 any other extant national information security requirements and guidance, as provided by the Authority’s IT security officers; and
3.5.7 appropriate ICT standards for technical countermeasures which are included in the Contractor System.
3.6 The references to Quality Standards, guidance and policies set out in this Schedule shall be deemed to be references to such items as developed and updated and to any successor to or replacement for such Quality Standards, guidance and policies, from time to time.
3.7 If there is any inconsistency in the provisions of the above standards, guidance and policies, the Contractor should notify the Authorised Representative of such inconsistency immediately upon becoming aware of the same, and the Authorised Representative shall, as soon as practicable, advise the Contractor which provision the Contractor shall be required to comply with.
3.8 The Security Plan will be structured in accordance with ISO/IEC27002 and ISO/IEC27001 or other equivalent policy or procedure, cross-referencing if necessary to other schedules of the Contract which cover specific areas included within that standard.
3.9 The Security Plan shall not reference any other documents which are not either in the possession of the Authority or otherwise specified in this Schedule 5.

Appears in 2 contracts

Sources: Contract for the Provision of Services, Contract for the Provision of Recruitment for Market Research, Fieldwork, Consultation and Engagement Services – Qualitative

Security Plan.
3.1 The Contractor shall develop, implement and maintain a Security Plan to apply during the Contract Period (and after the end of the term as applicable) which will be approved by the Authority, tested, periodically updated and audited in accordance with this Schedule 5.
3.2 A draft Security Plan provided by the Contractor as part of its bid is set out herein.
3.3 Prior to the Commencement Date the Contractor will deliver to the Authority for approval the final Security Plan which will be based on the draft Security Plan set out herein.
3.4 If the Security Plan is approved by the Authority it will be adopted immediately. If the Security Plan is not approved by the Authority the Contractor shall amend it within 10 Working Days of a notice of non-approval from the Authority and re-submit to the Authority for approval. The Parties will use all reasonable endeavours to ensure that the approval process takes as little time as possible and in any event no longer than 15 Working Days (or such other period as the Parties may agree in writing) from the date of its first submission to the Authority. If the Authority does not approve the Security Plan following its resubmission, the matter will be resolved in accordance with clause 19 (Dispute Resolution). No approval to be given by the Authority pursuant to this paragraph 3.4 may be unreasonably withheld or delayed. However any failure to approve the Security Plan on the grounds that it does not comply with the requirements set out in paragraphs 3.1 to 3.4 shall be deemed to be reasonable.
3.5 The Security Plan will set out the security measures to be implemented and maintained by the Contractor in relation to all aspects of the Services and all processes associated with the delivery of the Services and shall at all times comply with and specify security measures and procedures which are sufficient to ensure that the Services comply with: and
3.5.1 the provisions of this Schedule 5;
3.5.2 the provisions of Schedule 1 relating to security;
3.5.3 the Information Assurance Standards;
3.5.4 the data protection compliance guidance produced by the Authority;
3.5.5 the minimum set of security measures and standards required where the system will be handling Protectively Marked or sensitive information, as determined by the Security Policy Framework;
3.5.6 any other extant national information security requirements and guidance, as provided by the Authority’s IT security officers; and
3.5.7 appropriate ICT standards for technical countermeasures which are included in the Contractor System.
3.6 The references to Quality Standards, guidance and policies set out in this Schedule shall be deemed to be references to such items as developed and updated and to any successor to or replacement for such Quality Standards, guidance and policies, from time to time.
3.7 If there is any inconsistency in the provisions of the above standards, guidance and policies, the Contractor should notify the Authorised Representative of such inconsistency immediately upon becoming aware of the same, and the Authorised Representative shall, as soon as practicable, advise the Contractor which provision the Contractor shall be required to comply with.
3.8 The Security Plan will be structured in accordance with ISO/IEC27002 and ISO/IEC27001 or other equivalent policy or procedure, cross-referencing if necessary to other schedules of the Contract which cover specific areas included within that standard.
3.9 The Security Plan shall not reference any other documents which are not either in the possession of the Authority or otherwise specified in this Schedule 5.

Appears in 1 contract

Sources: Contract for the Provision of Board Effectiveness Review

Security Plan. 3.1 The Contractor Supplier shall develop, implement and maintain a Security Plan to apply during the Contract Period (and after the end of the term as applicable) which will be approved by the AuthorityCustomer, tested, periodically updated and audited in accordance with this Schedule 56. 3.2 A draft Security Plan provided by the Contractor Supplier as part of its bid is set out herein. 3.3 Prior to the Commencement Date the Contractor Supplier will deliver to the Authority Customer for approval the final Security Plan which will be based on the draft Security Plan set out herein. 3.4 If the Security Plan is approved by the Authority Customer it will be adopted immediately. If the Security Plan is not approved by the Authority Customer the Contractor Supplier shall amend it within 10 Working Days of a notice of non-approval from the Authority Customer and re-submit to the Authority Customer for approval. The Parties will use all reasonable endeavours to ensure that the approval process takes as little time as possible and in any event no longer than 15 Working Days (or such other period as the Parties may agree in writing) from the date of its first submission to the AuthorityCustomer. If the Authority Customer does not approve the Security Plan following its resubmission, the matter will be resolved in accordance with clause 19 I2 (Dispute Resolution). No approval to be given by the Authority Customer pursuant to this paragraph 3.4 may be unreasonably withheld or delayed. However any failure to approve the Security Plan on the grounds that it does not comply with the requirements set out in paragraphs 3.1 to 3.4 shall be deemed to be reasonable. 
3.5 The Security Plan will set out the security measures to be implemented and maintained by the Contractor Supplier in relation to all aspects of the Services and all processes associated with the delivery of the Services and shall at all times comply with and specify security measures and procedures which are sufficient to ensure that the Services comply with: 3.5.1 the provisions of this Schedule 56; 3.5.2 the provisions of Schedule 1 relating to security; 3.5.3 the Information Assurance Standards; 3.5.4 the data protection compliance guidance produced by the AuthorityCustomer; 3.5.5 the minimum set of security measures and standards required where the system will be handling Protectively Marked or sensitive information, as determined by the Security Policy Framework; 3.5.6 any other extant national information security requirements and guidance, as provided by the AuthorityCustomer’s IT security officers; and 3.5.7 appropriate ICT standards for technical countermeasures which are included in the Contractor Supplier System. 3.6 The references to Quality Standards, guidance and policies set out in this Schedule shall be deemed to be references to such items as developed and updated and to any successor to or replacement for such Quality Standards, guidance and policies, from time to time. 3.7 If there is any inconsistency in the provisions of the above standards, guidance and policies, the Contractor should notify the Authorised Representative of such inconsistency immediately upon becoming aware of the same, and the Authorised Representative shall, as soon as practicable, advise the Contractor which provision the Contractor shall be required to comply with. 3.8 The Security Plan will be structured in accordance with ISO/IEC27002 and ISO/IEC27001 or other equivalent policy or procedure, cross-referencing if necessary to other schedules of the Contract which cover specific areas included within that standard. 
3.9 The Security Plan shall not reference any other documents which are not either in the possession of the Authority or otherwise specified in this Schedule 5.

Appears in 1 contract

Sources: Legal Services Contract

Security Plan. 3.1 The Contractor shall developSupplier shall, implement and maintain a Security Plan to apply during the Contract Period (and after the end within 30 Working Days of the term as applicable) which will be approved by the AuthorityCommencement Date, tested, periodically updated and audited in accordance with this Schedule 5. 3.2 A draft Security Plan provided by the Contractor as part of its bid is set out herein. 3.3 Prior to the Commencement Date the Contractor will deliver submit to the Authority for approval the final a Security Plan which will be based on complies with paragraph 3.2. 3.2 The Supplier shall effectively implement the draft Security Plan which shall: 3.2.1 comply with the Baseline Security Requirements; 3.2.2 identify the organisational roles for those responsible for ensuring the Supplier’s compliance with this Schedule 6; 3.2.3 detail the process for managing any security risks from those with access to Information Assets and/or Authority Data, including where these are held in the ICT Environment; 3.2.4 set out hereinthe security measures and procedures to be implemented by the Supplier, which are sufficient to ensure compliance with the provisions of this Schedule 6; 3.2.5 set out plans for transition from the information security arrangements in place at the Commencement Date to those incorporated in the ISMS; 3.2.6 set out the scope of the Authority System that is under the control of the Supplier; 3.2.7 be structured in accordance with ISO/IEC 27001: 2013 or equivalent unless otherwise Approved; 3.2.8 be written in plain language which is readily comprehensible to all Staff and to Authority personnel engaged in the Services and reference only those documents which are in the possession of the Parties or whose location is otherwise specified in this Schedule 6; and 3.2.9 comply with the Security Policy Framework and any other relevant Government security standards. 
3.3 The Authority shall review the Security Plan submitted pursuant to paragraph 3.1 and notify the Supplier, within 10 Business Days of receipt, whether it has been approved. 3.4 If the Security Plan is approved Approved, it shall be adopted by the Authority it will be adopted immediately. Supplier immediately and thereafter operated and maintained throughout the Term in accordance with this Schedule 6. 3.5 If the Security Plan is not approved by Approved, the Authority the Contractor Supplier shall amend it within 10 Working Days of a notice of non-approval from the Authority and re-submit it to the Authority for approval. The Authority shall notify the Supplier within a further 10 Business Days whether it has been approved. 3.6 The Parties will shall use all reasonable endeavours to ensure that the approval process takes as little time as possible and in any event no longer than 15 30 Working Days (or such other period as the Parties may agree in writing) from the date of its first submission to the Authority. If the Authority does not approve the Security Plan following its resubmission, the matter will shall be resolved in accordance with clause 19 I1 (Dispute Resolution). No approval to be given . 3.7 Approval by the Authority pursuant to this paragraph 3.4 may be unreasonably withheld or delayed. However any failure to approve of the Security Plan on pursuant to paragraph 3.3 or of any change to the grounds that it does not comply with the requirements set out in paragraphs 3.1 to 3.4 shall be deemed to be reasonable. 
3.5 The Security Plan will set out the security measures to be implemented and maintained by the Contractor in relation to all aspects of the Services and all processes associated with the delivery of the Services and shall at all times comply with and specify security measures and procedures which are sufficient to ensure that the Services comply with: 3.5.1 the provisions of this Schedule 5; 3.5.2 the provisions of Schedule 1 relating to security; 3.5.3 the Information Assurance Standards; 3.5.4 the data protection compliance guidance produced by the Authority; 3.5.5 the minimum set of security measures and standards required where the system will be handling Protectively Marked or sensitive information, as determined by the Security Policy Framework; 3.5.6 any other extant national information security requirements and guidance, as provided by the Authority’s IT security officers; and 3.5.7 appropriate ICT standards for technical countermeasures which are included in the Contractor System. 3.6 The references to Quality Standards, guidance and policies set out in this Schedule shall be deemed to be references to such items as developed and updated and to any successor to or replacement for such Quality Standards, guidance and policies, from time to time. 3.7 If there is any inconsistency in the provisions of the above standards, guidance and policies, the Contractor should notify the Authorised Representative of such inconsistency immediately upon becoming aware of the same, and the Authorised Representative shall, as soon as practicable, advise the Contractor which provision the Contractor shall be required to comply with. 3.8 The Security Plan will be structured in accordance with ISO/IEC27002 and ISO/IEC27001 or other equivalent policy or procedure, cross-referencing if necessary to other schedules of the Contract which cover specific areas included within that standard. 
3.9 The Security Plan shall not reference any other documents which are not either in relieve the possession Supplier of the Authority or otherwise specified in its obligations under this Schedule 56.

Appears in 1 contract

Sources: Framework Agreement for Services