Common use of System Hardening Clause in Contracts

System Hardening. Information-processing equipment is protected against malware and hardened. Suitable software (e.g., virus scanners, IDS) are installed and kept up-to-date to protect the systems. When hardening a system, the following points must be taken into account at the minimum: • The patch level is up-to-date. • When a system is installed, only those software components are installed or activated that are required for the system’s operation and proper functioning. • Apart from software functions, any hardware functions that are not required for the system’s operation also remain deactivated after the system installation. Functions such as interfaces that are not required are permanently deactivated, ensuring that they remain deactivated even when the system is restarted. • All unnecessary services in a system and in the interfaces were and remain deactivated even when the system is restarted. • The accessibility of a service via the necessary interfaces was also restricted to legitimate communication partners. • Preconfigured service accounts that are not required were deleted and default passwords were changed. • It is common practice for manufacturers, developers, or suppliers to preconfigure authentication features such as passwords and cryptographic keys in systems. Such authentication features were changed to separate features that third parties are not aware of. • If the system is operated on a cloud platform, it has been safeguarded to prevent it (or the entire client/tenant with all of its services and data) from being deleted accidentally or by unauthorized persons.

System Hardening. Information-processing equipment is protected against malware and hardened. Suitable software (e.g., virus scanners, IDS) are installed and kept up-to-date to protect the systems. When hardening a system, the following points must be taken into account at the minimum: • The patch level is up-to-dateup to date in accordance with the specifications of the manufacturer/supplier. • When a system is installed, only those software components are installed or activated that are required for the system’s operation and proper functioning. • Apart from software functions, any hardware functions that are not required for the system’s operation also remain deactivated after the system installation. Functions such as interfaces that are not required are permanently deactivated, ensuring that they remain deactivated even when the system is restarted. • All unnecessary services in a system and in the interfaces were and remain deactivated even when the system is restarted. • The accessibility of a service via the necessary interfaces was also restricted to legitimate communication partners. • Preconfigured service accounts that are not required were deleted and default passwords were changed. • It is common practice for manufacturers, developers, or and suppliers to preconfigure authentication features such as passwords and cryptographic keys in systems. Such authentication features were changed to separate features that third parties are not aware of. • If the system is operated on a cloud platform, it has been safeguarded to prevent it (or the entire client/tenant with all of its services and data) from being deleted accidentally or by unauthorized persons.