Specific Security Requirements. In addition to the foregoing, Seller shall implement and adhere to the following specific Raytheon security requirements, receipt of which Seller hereby acknowledges:

Seller shall monitor access and security logs using commercially acceptable practices and tools for unusual activity, including the following:
• Excessive unauthorized/failed logon attempts
• Use of admin accounts at unusual times
• Unusual activity at any time
• Missing activity date/time ranges within the logs
• Failed backups

Seller should support integration with Raytheon's Simplified Sign-On (SSO) infrastructure, enabling Raytheon users to log in to the service with their Raytheon SSO credentials. Where user authentication via Raytheon SSO is not a current capability and is performed with reusable passwords, adherence to Raytheon Password Requirements is mandatory. At a minimum:
• Passwords are not easily guessed. Password complexity checking is enabled with a minimum password length of eight characters.
• Initial passwords are changed by the user on first use.
• Passwords are changed immediately if compromise is suspected and are expired every 90 days.
• Passwords are not reused for a period of one year (e.g., history is 4 where supported).
• Passwords are not shared with others.
• Passwords are not displayed, stored, or transmitted in plain text or readable form.
• Passwords are disabled after the fifth failed authentication attempt in succession.
• Additions and changes to access levels of users must be approved by appropriate Raytheon management.
• Accounts to be disabled will be communicated by Raytheon and must be enacted by Seller in a timely manner.
• Automated authentication processes, such as logon scripts, are protected from unauthorized access and do not contain unencrypted passwords.
• Support procedures for remotely "resetting" a forgotten, lost or compromised means of user identity authentication must at a minimum:
  1) Incorporate multiple means of proving the user's identity when the user is not present to display positive photo identification.
  2) These means must be something that has a high probability of only being known to the user and not general knowledge or easily guessable.
  3) Identity verification data should only be viewable by authorized personnel.
  4) Provide a confirmation of the "reset" to the user via a method other than the method of access reset.

Seller's Information Security Program shall include, but not be limited to, the following safeguards to ensure the protection of Raytheon Data:
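The log-monitoring bullets above (excessive failed logons, admin use at unusual times, missing date/time ranges, failed backups) can be turned into a concrete review routine. The following is an added illustration, not part of the clause or of any Raytheon or Seller tooling; the log format, the account names, the business-hours window and the 8-hour gap threshold are assumptions, while the 5-failure threshold mirrors the clause's lockout rule.

```python
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system): "<ISO timestamp> <user> <event>"
SAMPLE_LOG = """\
2024-03-04T09:00:00 alice logon_ok
2024-03-04T09:05:00 bob logon_fail
2024-03-04T09:05:10 bob logon_fail
2024-03-04T09:05:20 bob logon_fail
2024-03-04T09:05:30 bob logon_fail
2024-03-04T09:05:40 bob logon_fail
2024-03-04T10:00:00 alice logon_ok
2024-03-04T23:30:00 admin logon_ok
2024-03-05T06:00:00 backup backup_fail
"""

# Assumed parameters: the 5-failure threshold mirrors the clause's lockout rule;
# the admin window and the maximum silent period are illustrative choices.
FAIL_THRESHOLD = 5
ADMIN_ACCOUNTS = {"admin", "root"}
BUSINESS_HOURS = range(7, 19)      # 07:00-18:59 local time
MAX_GAP = timedelta(hours=8)       # longer silence = missing date/time range in the logs

def review_log(text):
    """Return (category, detail) findings for the clause's monitoring bullets."""
    findings = []
    fails = {}                     # user -> consecutive failed logons
    prev_ts = None
    for line in text.strip().splitlines():
        ts_str, user, event = line.split()
        ts = datetime.fromisoformat(ts_str)
        # Missing activity date/time ranges: a gap longer than MAX_GAP between entries
        if prev_ts is not None and ts - prev_ts > MAX_GAP:
            findings.append(("log_gap", f"no entries between {prev_ts} and {ts}"))
        prev_ts = ts
        if event == "logon_fail":
            # Excessive failed logons: report once, when the lockout threshold is reached
            fails[user] = fails.get(user, 0) + 1
            if fails[user] == FAIL_THRESHOLD:
                findings.append(("excessive_failed_logons", f"{user}: {FAIL_THRESHOLD} in a row"))
        elif event == "logon_ok":
            fails[user] = 0          # a success resets the consecutive-failure count
            # Use of admin accounts at unusual times
            if user in ADMIN_ACCOUNTS and ts.hour not in BUSINESS_HOURS:
                findings.append(("admin_off_hours", f"{user} logged on at {ts}"))
        elif event == "backup_fail":
            findings.append(("failed_backup", f"{user} reported a failed backup at {ts}"))
    return findings
```

Calling `review_log(SAMPLE_LOG)` on the constructed input yields one finding per monitored condition, in log order; a real deployment would feed it the service's own authentication and backup logs and route findings to the monitoring process the clause requires.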