• Security Accountability. Provider shall assign one or more security officers who will be responsible for coordinating and monitoring Provider’s information security function, policies, and procedures.
• Security Roles and Responsibility. Provider personnel, contractors and agents who are involved in providing Provider Services shall be subject to confidentiality agreements with Provider.
• Risk Management. Appropriate information security risk assessments shall be performed by Provider as part of an ongoing risk governance program that is established with the objective to recognize risk; to assess the impact of risk; and where risk reducing or mitigation strategies are identified and implemented, to effectively manage the risk with recognition that the threat landscape constantly changes.

• Security Training. Appropriate security awareness, education and training shall be provided to all Provider personnel and contractors.

• Asset Inventory. Provider shall maintain an asset inventory of all media and equipment where DataQuel Data is stored. Access to such media and equipment shall be restricted to authorized personnel of Provider. Provider will ensure that no software or hardware that is past its End of Life (EOL) will be used in the scope of Provider Services without a mutually agreed risk management process for such items.
• Asset Handling.
  • Provider shall classify DataQuel Data so that it is properly identified and access to DataQuel Data shall be appropriately restricted.
  • Provider shall maintain an acceptable use policy with restrictions on printing DataQuel Data and procedures for appropriately disposing of printed materials that contain DataQuel Data when such data is no longer needed to provide the Provider Services under the Agreement.
  • Provider shall maintain an appropriate approval process whereby such approval is provided to personnel, contractors, and agents prior to storing DataQuel Data on portable devices; remotely accessing DataQuel Data; or processing such data outside of Provider facilities. If storing DataQuel Data on portable devices is approved and granted, Provider shall enforce the use of current Industry Standard encryption on the portable device. If mobile devices are used to access or store DataQuel Data, Provider personnel, contractors and agents shall use a mobile device management (MDM)/mobile application management (MAM) solution that enforces encryption, passcode, and remote wipe settings to secure DataQuel Data. Provider will prohibit the enrollment of mobile devices that have been “jail broken.”

• Operational Policy. DataQuel will maintain security documents describing its security measures and the relevant procedures and responsibilities of its personnel who have access to Client Data.
• Authorization.
  • Provider shall maintain user account creation and deletion procedures for granting and revoking access to all assets, DataQuel Data, and all internal applications while providing Provider Services under the Agreement. The Provider will assign an appropriate authority to approve creation of user accounts or elevated levels of access for existing accounts.
  • Provider shall maintain and update records of personnel who are authorized to access Provider systems that are involved in providing Provider Services and review such records at least quarterly.
  • Provider shall ensure the uniqueness of user accounts and passwords for each individual. Individual user accounts must not be shared.
  • Provider shall remove access rights to assets that store DataQuel Data for personnel, contractors and agents upon termination of their employment, contract or agreement within two (2) business days, or access shall be appropriately adjusted upon change (e.g., change of personnel role).
  • Provider will perform periodic access reviews for system users at least quarterly for all supporting systems requiring access control.
• Least Privilege Access
  • Provider shall restrict access to Provider systems involved in providing Provider Services, to only those individuals who require such access to perform their duties using the principle of least privilege access.
  • Administrative and technical support personnel, agents or contractors shall only be permitted to have access to such data when required.
  • Provider shall support segregation of duties between its environments so that no individual person has access to perform tasks that create a security conflict of interest (e.g., programming/administrator, developer/operations).
• Authentication
  • Provider will use current, and at a minimum, Industry Standard capabilities to identify and authenticate personnel, agents and contractors who attempt to access information systems and assets.
  • Provider shall maintain current Industry Standard practices to deactivate passwords that have been corrupted or disclosed.
  • Provider shall monitor for repeated access attempts to information systems and assets.
  • Provider shall maintain current Industry Standard password protection practices that are designed and in effect to maintain the confidentiality and integrity of passwords generated, assigned, distributed, and stored in any form.
  • Provider shall provide an Industry Standards based single sign-on (SSO) capability (SAML, Open Authorization (Oauth v2), etc.) which will support integration with DataQuel’s SSO solutions to enable authentication to access any Provider web-based application(s) provided as part of the Provider Services, unless the requirement is explicitly waived by DataQuel. Details of how the single sign-on integration must be implemented are available from DataQuel upon request. If SSO is not implemented due to technical limitations or DataQuel requirements, multi-factor authentication will be required for access to Provider web-based application(s) provided as part of the Provider Services.
  • Provider shall maintain and enforce a password policy that is aligned to current Industry Standards (e.g., NIST Cyber Security Framework, PCI DSS (Payment Card Industry Data Security Standard), Center for Internet Security) and default passwords must be changed before deploying any new asset. In the event that Provider Services includes the management of DataQuel or its client infrastructure and environments, account lockout thresholds must be consistent with DataQuel or its client account lockout standards, whichever is most strict.
  • Provider personnel, agents and contractors shall use multi-factor authentication and encrypted sessions for access to Provider systems. In the event that Provider Services require external connections to DataQuel or DataQuel client project dedicated environments, DataQuel must provide approval of the connections.

• Physical Access to Facilities. Provider shall limit access to facilities (where systems that are involved in providing the Provider Services are located) to identified personnel, agents and contractors.
• Physical Access to Components. Provider shall maintain records of incoming and outgoing media containing DataQuel Data, including the type of media, the authorized sender/recipient, the date and time, the number of media, and the type of data the media contains. Provider shall ensure that backups (including remote and cloud service backups) are properly protected via physical security or encryption when stored, as well as when they are moved across the network. In the event that backup media of DataQuel and/or DataQuel client data is stored / shipped offsite, DataQuel must provide approval of the storage location.
• Protection from Disruptions. The Provider shall protect equipment from power failures and other disruptions caused by failures in supporting utilities. Telecommunications and network cabling must be protected from interception, interference, and/or damage.
• Secure Disposal or Reuse of Equipment. Provider shall verify equipment containing storage media, to confirm that all DataQuel Data has been deleted or securely overwritten using Industry Standard processes, prior to disposal or re-use.
• Clear Desk and Clear Screen Policy. Provider shall adopt a clear desk policy for papers and removable storage media and a clear screen policy.

DataQuel will

• Operations Policy. Provider shall maintain appropriate operational and security operating procedures and such procedures shall be made available to all personnel who require them.
• Logging and Monitoring of Events
  • Provider must enable logging and monitoring on all operating systems, databases, applications, and security and network devices that are involved in providing Provider Services. Logs must be kept for a minimum of 6 months or as long as legally required, whichever is longer. Logs must capture the access ID, the authorization granted or denied, the date and time, the relevant activity, and be regularly reviewed. All relevant information processing systems shall synchronize time to a single reference time source.
  • Logging capabilities shall be protected from alteration and unauthorized access.
• Protections from Malware. Provider shall maintain anti-malware controls that are designed to protect systems from malicious software, including malicious software that originates from public networks. Provider shall maintain software at the then current major release for Provider owned anti-malware software and shall maintain appropriate maintenance and support for new releases and versions of such software.
• Encrypted Backup. Provider shall maintain an encrypted backup and restoration policy that also protects DataQuel Data from exposure to ransomware attacks, and shall back up DataQuel Data, software, and system images in accordance with Provider policy unless other such requirements are agreed upon. Provider shall regularly test restoration procedures.
• Control of Software and Utilities. Provider shall enforce policies and procedures that govern the installation of software and utilities by personnel.
• Change Management. Provider shall maintain and implement procedures to ensure that only approved and secure versions of code, configurations, systems, utilities, and applications will be deployed for use.
• Encryption of Data at Rest. Provider shall encrypt data at rest, including data at rest in cloud instances and storage buckets, using current Industry Standard encryption solutions or shall provide the capability with instructions to DataQuel so that DataQuel may enable further encryption, at DataQuel’s discretion.

• Information Transfer and Storage
  • Provider shall use current Industry Standard encryption, TLS (Transport Layer Security) minimum version 1.2, to encrypt DataQuel Data that is in transit.
  • Provider shall use TLS, minimum version 1.2, over SMTP (Simple Mail Transfer Protocol) when exchanging emails as a standard practice to encrypt emails in transit.
  • Provider shall implement Domain-based Message Authentication, Reporting and Conformance (DMARC) policy of reject to lower the chance of spoofed or modified emails from valid domains. This is required for email that is sent from Provider applications.
  • In the event that Provider Services include the management of DataQuel client email systems, such systems must be configured and implemented to agreed-upon standards.
  • Provider shall utilize a secure collaboration platform that is enabled to restrict access and encrypt communications and DataQuel Data.
  • Provider shall restrict access through encryption to DataQuel Data stored on media that is physically transported from Provider facilities.
• Security of Network Services. Provider shall ensure that Industry Standard security controls and procedures for all network services and components are implemented whether such services are provided in-house or outsourced. In the event that Provider Services include the management of network services and components owned by DataQuel or its client, such services and components must be configured and implemented to agreed-upon standards.
• Intrusion Detection. Provider shall deploy intrusion detection and intrusion prevention systems to provide continuous surveillance for intercepting and responding to security events as they are identified and update the signature database as soon as new releases become available for commercial distribution.
• Firewalls. Provider shall have appropriate firewalls in place which will only allow documented and approved ports and services to be used. All other ports will be in a deny all mode.
• Web Filtering. Provider shall have a Web filtering policy in place to control the content that users can access over the Internet. This includes restricting the use of personal emails and file sharing sites.
• Data Loss Prevention. Provider shall have a data loss prevention policy in place to monitor for or restrict the unauthorized movement of DataQuel Data.

• Workstation Encryption. Provider will require Industry Standard full disk encryption on all workstations and/or laptops used by personnel, contractors and agents where such personnel are accessing or processing DataQuel Data.
• Application Hardening
  • Provider will maintain and implement secure application development policies, procedures, and standards that are aligned to Industry Standard practices such as the SANS Top 25 Software Errors, the OWASP Top Ten project and the NIST Secure Software Development Framework (SSDF). This applies to web application, mobile application, embedded software, and firmware development as appropriate.
  • All personnel responsible for secure application design, development, configuration, testing, and deployment will be qualified to perform the Provider Services and receive appropriate training regarding Provider’s secure application development practices.
• System Configuration and Hardening.
  • Provider will establish and ensure the use of Industry Standard secure configurations of technology infrastructure. Images should represent hardened versions of the underlying operating system and the applications installed on the system. These images should be validated on a regular basis to update their security configuration as appropriate.
  • Provider will perform periodic access reviews for system administrators at least quarterly for all supporting systems requiring access control.
  • Provider will implement patching tools and processes for operating systems and applications installed on the system. Provider shall have a defined process to remediate findings and will ensure that emergency/critical issues are addressed urgently and as soon as practicable within fourteen (14) days; high-risk issues are addressed within thirty (30) days; and medium-risk issues are addressed within ninety (90) days. When outdated systems can no longer be patched, Provider will update to the latest supported version of the operating system and applications installed on the system. If this is not possible, Provider shall purchase extended support and notify DataQuel so that an appropriate risk assessment can be conducted. Provider will remove outdated, older, and unused software from the system. In the event that Provider Services include patch management for operating systems and applications owned by DataQuel or its client, Provider shall document and implement an appropriate patching plan that includes agreed-upon remediation service level obligations.
  • Provider will limit administrative privileges to only those personnel who have both the knowledge necessary to administer the operating system and a business need to modify the configuration of the underlying operating system.
• Infrastructure Vulnerability Scanning. Provider shall use Industry Standard and up-to-date products to scan its internal and external environment (e.g., servers, network devices, etc.) related to Provider Services on a quarterly basis. Provider shall have a defined process to remediate findings and will ensure that emergency/critical issues are addressed urgently and as soon as practicable within fourteen (14) days; high-risk issues are addressed within thirty (30) days; and medium-risk issues are addressed within ninety (90) days. In the event that Provider Services include infrastructure vulnerability management for infrastructure owned by DataQuel or its client, Provider shall document and implement an infrastructure scanning and vulnerability remediation plan that is to be approved by DataQuel.
• Application Vulnerability Assessment. Provider will perform application security vulnerability assessments prior to any release and on a recurring basis. The assessments must cover all web application, mobile application, stand-alone application, embedded software, and firmware vulnerabilities defined by the Open Web Application Security Project (OWASP) or those listed in the SANS Top 25 Software Errors or its successor current at the time of the test. Provider will ensure all critical and high-risk vulnerabilities are remediated prior to release. On a recurring basis, Provider shall ensure that emergency/critical vulnerabilities are addressed urgently and as soon as practicable within fourteen (14) days; high-risk vulnerabilities are addressed within thirty (30) days; and medium-risk vulnerabilities are addressed within ninety (90) days. This applies to web application, mobile application, stand-alone application, embedded software, and firmware development as appropriate to the Agreement. In the event that Provider Services include application vulnerability management for applications owned by DataQuel or its client, Provider shall document and implement an application vulnerability assessment and remediation plan that is to be approved by DataQuel.
• Penetration Tests and Security Evaluations of Websites. Provider shall use an established Industry Standard program to perform external and internal penetration tests and security evaluations of all systems and websites involved in providing Provider Services prior to use and on a recurring basis no less frequently than once in a twelve (12)-month period by an industry recognized independent third party. Provider shall have a defined process to remediate findings and will ensure that emergency/critical issues are addressed urgently and as soon as practicable within fourteen (14) days; high-risk vulnerabilities are addressed within thirty (30) days; and medium-risk issues are addressed within ninety (90) days.
• Supporting Documentation. Upon DataQuel request, Provider shall provide a summary of vulnerability scans, penetration tests and/or any security evaluations conducted, including any open remediation points. In the absence of such summaries, documentation sufficient to prove that such scans have been conducted shall be provided.
• Separation of Environments. Provider shall maintain separate environments for production and non-production systems and developers should not have unmonitored access to production environments.

• Where other third-party applications or services must be engaged by Provider, Provider’s contract with any third-party must clearly state appropriate security requirements substantially similar to this Information Security Schedule. In addition, service level agreements with the third party must be clearly defined.
• Any external third-party or resources gaining access to systems must be covered by a signed agreement containing confidentiality language consistent with the confidentiality and security requirements of the Agreement.
• Provider shall regularly conduct security reviews of third-party suppliers to address physical and logical security requirements, privacy protection, breach reporting, and contractual requirements. Provider shall ensure that all findings from such security reviews are promptly remediated.
• Provider will perform quality control and security management oversight of outsourced software development.

• Incident Response Process
  • Provider shall maintain a record of Security Incidents noting the description of the Security Incident, the applicable time periods, the impact, the person reporting and to whom the Security Incident was reported, and the procedures to remediate the incident.
  • In the event of a Security Incident identified by Provider, DataQuel, or other third party, Provider will: (a) promptly investigate the Security Incident; (b) promptly provide DataQuel with all relevant detailed information as reasonably requested by DataQuel about the Security Incident; and (c) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Incident.
  • The Provider shall track disclosures of DataQuel Data, including what type of data was disclosed, to whom, and the time of the disclosure.

• Legal and Contractual Requirements
  • Provisions regarding compliance with laws, intellectual property and data privacy are contained in the body of the Agreement and applicable schedules.