Common use of Security Standards and Controls Clause in Contracts

Security Standards and Controls. (a) Voya will establish and maintain: (i) administrative, technical, and physical safeguards against the destruction, loss, or alteration of confidential Information; and (ii) Appropriate security measures to protect Confidential Information, which measures meet or exceed the requirements of all applicable Laws relating to personal information security. (b) In addition, Voya will implement and maintain the following information security controls: (i) Privileged access rights will be restricted and controlled; (ii) An inventory of assets relevant to the lifecycle of information will be maintained; (iii) Network security controls will include, at a minimum, firewall and intrusion prevention services; (iv) Detection, prevention and recovery controls to protect against malware will be implemented; (v) Information about technical vulnerabilities of Voya’s information systems will be obtained and evaluated in a timely fashion and appropriate measures taken to address the risk; (vi) Detailed event logs recording user activities, exceptions, faults, access attempts, operating system logs, and information security events will be produced, retained and regularly reviewed as needed; and (vii) Development, testing and operational environments will be separated to reduce the risks of unauthorized access or changes to the operational environment.

Appears in 2 contracts

Sources: Contract for Goods and Services, Contract for Goods and Services

Security Standards and Controls. (a) Voya will establish and maintain: (i) administrative, technical, and physical safeguards against the destruction, loss, or alteration of confidential Information; and (ii) Appropriate security measures to protect Confidential Information, which measures meet or exceed the requirements of all applicable Laws relating to personal information security. (b) In addition, Voya will implement and maintain the following information security controls: (i) Privileged access rights will be restricted and controlled; (ii) An inventory of assets relevant to the lifecycle of information will be maintained; (iii) Network security controls will include, at a minimum, firewall and intrusion prevention services; (iv) Detection, prevention and recovery controls to protect against malware will be implemented; (v) Information about technical vulnerabilities of Voya’s information systems will be obtained and evaluated in a timely fashion and appropriate measures taken to address the risk; (vi) Detailed event logs recording user activities, exceptions, faults, access attempts, operating system logs, and information security events will be produced, retained and regularly reviewed as needed; and (vii) Development, testing and operational environments will be separated to reduce the risks of unauthorized access or changes to the operational environment.

Appears in 1 contract

Sources: Employer Services Agreement