Technical Security Requirements.

The Service will:

Ensure that any Council data which resides on a mobile, removable or physically uncontrolled device is stored encrypted using a product which has been formally assured through a recognised certification process.

Ensure that any Council data which it causes to be transmitted over any public network (including the Internet, mobile networks or un-protected enterprise network) or to a mobile device shall be encrypted when transmitted.

Must operate an appropriate access control regime to ensure users and administrators are uniquely identified.

Ensure that any device which is used to process Council data meets all of the security requirements set out in the National Cyber Security Centre (NCSC) End User Devices Platform Security Guidance.

At their own cost and expense, procure an IT Health Check from a certified supplier and penetration test performed prior to any live data being transferred into their systems.

Perform a technical information risk assessment on the service supplied and be able to demonstrate what controls are in place to address those risks.

Collect audit records which relate to security events in delivery of the Service or that would support the analysis of potential and actual compromises. The retention period for audit records and event logs shall be a minimum of 6 months.

Must be able to demonstrate they can supply a copy of all data on request or at termination, and must be able to securely erase or destroy all data and media that the Council data has been stored and processed on.

Not, and will procure that none of its sub-contractors, process the Council’s data outside the European Economic Area (EEA).

Implement security patches to vulnerabilities in accordance with the timescales specified in the NCSC Cloud Security Principle 5.

Ensure that the service is designed in accordance with NCSC principles, security design principles for digital services, bulk data and cloud security principle.

Implement such additional measures as agreed with the Council from time to time in order to ensure that such information is safeguarded in accordance with the applicable legislative and regulatory obligations.
Source: Section 75 Partnership Agreement