
Uploaded: 1 Jun 2023

PEGUS Baseline Security Requirements



     1.1.      Capitalized terms shall have the meanings set out below. Any capitalized terms not defined below or elsewhere in these Requirements shall have the meanings ascribed to them in the PISA and Agreement.

     1.2.      “PEGUS Information” means any information disclosed by or on behalf of PEGUS to the Processor, including Intellectual Property, PEGUS Confidential Information, Personal Data, Sensitive Personal Information, Financial Personal Information and Government Identifier Personal Information.

     1.3.      “Process” or “Processing” means any operation or set of operations which are performed upon PEGUS Information, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, access, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, blocking, return, erasure or destruction. “Processed” shall be construed consistent with this definition.

     1.4.      “Personal Data” has the meaning given by Applicable Data Protection Law and includes any information relating to an identified or identifiable natural person (hereinafter “Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

     1.5.      “Sensitive Personal Information” means Personal Data pertaining to the racial or ethnic origin, physical or mental health condition or sexual life, offences and/or criminal convictions, trade union membership, religious or similar beliefs or political or ideological opinions of an identified or identifiable individual, or biometric data for the purpose of uniquely identifying a natural person.

     1.6.      “Financial Personal Information” means Personal Data consisting of financial information including but not limited to bank account numbers, credit card numbers and debit card numbers (whether with or without expiry dates and pin numbers), income and credit histories.

     1.7.      “Government Identifier Personal Information” means Personal Data consisting of national insurance numbers, social security numbers, tax identifications, passport numbers, driver’s license numbers or other equivalent government issued identifiers.

     1.8.      “Information System(s)” means all systems, including, but not limited to, electronic equipment and storage media, used by the Data Processor to access, store or otherwise Process PEGUS Information.

     1.9.      “Security Incident” means the unauthorized and/or unlawful access, acquisition, use, disclosure, modification, processing, destruction or loss of PEGUS Information or Information Systems Processing PEGUS Information whether in electronic or hard copy form, or interference with system operations in an information system, that compromises or which reasonably is anticipated would compromise the privacy, security, confidentiality, integrity or availability of PEGUS Information, including but not limited to (i) incidents resulting from or arising out of the Data Processor’s internal use, Processing, or Transfer of PEGUS Information, whether between or among Contractor’s subsidiaries and affiliates, subcontractors or any other person or entity acting on behalf of the Data Processor; (ii) any other similar incident as may be so defined by Applicable Data Protection Law; provided that trivial attempts to penetrate the Data Processor’s networks or systems that occur on a daily basis, such as scans, “pings” or other unsuccessful attempts to penetrate computer networks or systems maintained by the Data Processor, will not be considered a Security Incident.

     1.10.    “Processor” means the entity Processing the PEGUS Information on behalf of PEGUS and may include a PEGUS Affiliate where it Processes PEGUS Information under the instructions from PEGUS or another PEGUS Affiliate.

     1.11.    “Affiliate” means in relation to a Party, any entity which (directly or indirectly) controls, is controlled by and/or under common control with that Party. Affiliates of PEGUS shall additionally include parties for which Contractor is acting as a sub-contractor on behalf of PEGUS.

     1.12.    “Applicable Data Protection Law” means all national, state, regional and/or local laws, rules, regulations, security requirements and regulatory guidance applicable to either Party’s performance under these Requirements or the Agreement, Service Agreement, or the PEGUS Privacy and Information Security Addendum (herein, the “PISA”), located at These may include, but are not limited to, the requirements of the Health Insurance Portability and Accountability Act, as amended by the Health Information Technology for Economic and Clinical Health Act (collectively, hereinafter “HIPAA”), as well as those applicable to the Processing of Personal Data such as the General Data Protection Regulation (EU) 2016/679 (hereinafter “GDPR”), together with applicable legislation implementing or supplementing the same or otherwise relating to the Processing of Personal Data of natural persons, as well as the Payment Card Industry Data Security Standard and other applicable standards issued by the Payment Card Industry Security Standards Council, LLC, VISA, MasterCard, Discover, American Express, JCB and all other relevant credit card brands.

     1.13.    “Trusted Connection” means PEGUS, in its absolute discretion, has determined that unrestricted access to the PEGUS network through a PEGUS firewall for a specific Processor facility or location (hereinafter referred to as “Secured Processor Facility”) is required.


     2.1.      These Requirements shall be applied by all external entities that Process PEGUS Information on behalf of PEGUS and its Affiliates.

     2.2.      These Requirements aim to ensure that the Processor of PEGUS Information maintains the confidentiality, integrity and security of PEGUS Information in accordance with the requirements imposed by Applicable Data Protection Law and applicable industry standards and best practices.

     2.3.      These Requirements aim to provide for a minimum level of information security, however, information security threats come from a wide range of sources and are continually developing; therefore, security measures shall be reviewed regularly.

     2.4.      Where necessary, having regard to the state of the art, industry best practice and cost of their implementation, measures that compensate for or are additional to those detailed in these Requirements may be needed. Such compensating measures shall be subject to the prior written approval of PEGUS. In any event such measures shall ensure a level of security appropriate to the risks represented by the Processing and the nature of the information to be protected.


     3.1.      These Requirements are categorized into those that are Basic Level Requirements and Enhanced Level Requirements.

     3.2.      Basic Level Requirements shall be applied to all PEGUS Information.

     3.3.      Enhanced Level Requirements shall be applied in addition to the Basic Level Requirements for Personal Data, Sensitive Personal Information, Financial Personal Information, and Government Identifier Personal Information, and where otherwise specifically indicated in these Requirements.

     3.4.      Where PEGUS has agreed to specific additional security measures with a relevant Processor in addition to those set out herein, generally or in relation to a specific service or platform, those measures providing the highest level of protection to PEGUS Information shall be applied by the Processor.



Basic Level Requirements

     4.1.      The Processor shall ensure that senior management of the Processor accepts ultimate responsibility for ensuring that information security is properly managed and that these Requirements are implemented and adhered to by the Processor and its staff.

     4.2.      The Processor shall put into place a management structure to oversee the effective implementation and continuing development of security procedures. At a minimum, this shall consist of an individual from senior management with the necessary authority to implement these Requirements and other necessary security procedures (“Information Security Officer” (or other Processor staff duly authorized in the security document(s))).

     4.3.      The Information Security Officer’s responsibilities shall include:

          4.3.1. reviewing implementation and adherence to these Requirements; and

          4.3.2. acting as a point of contact in relation to information security issues raised by PEGUS.


Basic Level Requirements

     5.1.      The Processor shall document its security policy and procedures which address all the activities relating to the handling and management of data. Security policies and procedures shall be reviewed and/or updated at reasonable intervals and/or whenever there are material changes to the Information Systems, including those Processing PEGUS Information.

     5.2.      The security documents shall clearly identify those technical and organizational measures and practices to be implemented and followed by the Processor to adequately protect the security of information Processed by the Processor.

     5.3.      The security documents and/or guidance stipulating the procedures to be followed and measures to be implemented to satisfy the requirements contained therein, shall be published and communicated as relevant to the Processor’s employees, Affiliates, and any other relevant external parties directly or indirectly involved in the Processing of PEGUS Information.

     5.4.      The Processor shall, on request, provide PEGUS with access to copies of the security documents and any future updated versions of such documents.


Basic Level Requirements

     6.1.      The Processor will conduct and complete appropriate background and/or verification checks of its employees, contractors and/or third parties to ensure their suitability for handling PEGUS Information prior to their Processing of any such PEGUS Information.

     6.2.      Responsibilities and instructions in relation to protecting the confidentiality, integrity and security of PEGUS Information shall be defined and communicated in writing to employees/contractors/third parties.

     6.3.      Employment contracts, contracts with contractors, and contracts with third-party users shall contain terms setting out obligations and responsibilities in relation and appropriate to maintaining the confidentiality, integrity and security of PEGUS Information.

     6.4.      A formal disciplinary process shall be in place for employees who violate Processor policy and procedures relating to the Processing of PEGUS Information.

     6.5.      Upon termination of employment/engagement, an employee/contractor/third party shall return all PEGUS Information in his/her possession on whatever medium it is stored, and access rights to Information Systems Processing PEGUS Information shall be terminated.


Basic Level Requirements

     7.1.      Regular information security awareness, education and training suitable to an individual’s role and responsibility shall be undertaken. This shall begin with a formal induction to security procedures and policies and continue throughout employment.

     7.2.      Where PEGUS network account and/or PEGUS email access is granted, PEGUS’ applicable policies and procedures shall be followed by Processor personnel. Applicable policies, procedures, and training will be provided as part of the provisioning process.


Basic Level Requirements

     8.1.      Media, servers, and equipment containing PEGUS Information shall be labeled in a way that protects the confidentiality of PEGUS Information and does not expressly expose the actual content.

     8.2.      An inventory shall be maintained in a way that provides traceability to those media, servers, and equipment containing PEGUS Information.

     8.3.      When PEGUS Information and/or media containing it are being transferred between parties, a system for recording incoming and outgoing media containing PEGUS Information shall be set up which permits direct or indirect identification of the kind of media, the date and time, the sender, the number of media, the kind of PEGUS Information contained, how they are sent and the authorized person responsible for receiving them.


Basic Level Requirements

     9.1.      The Processor shall only use portable devices where there is a genuine business need and where the PEGUS Information on the device is appropriately erased or destroyed when the defined business need has expired.

     9.2.      PEGUS Information stored on portable devices (including laptops and PDAs, external hard drives, flash drives, CDs, DVDs, tapes and other mass storage devices) shall be adequately protected from unauthorized access, loss and destruction using industry recognized mechanisms, such as encryption, inactivity timeout, and/or power on passwords.

     9.3.      Policies and procedures for using portable devices shall be maintained by the Processor and training on these procedures shall be provided to all Processor staff.

Enhanced Level Requirements

     9.4.      Any portable device containing PEGUS Information shall be encrypted.


Basic Level Requirements

     10.1.    Testing prior to the implementation or modification of a relevant Information System shall not use real or ‘live’ PEGUS Information unless there is no reasonable alternative and such use has been approved by PEGUS. Where real or ‘live’ PEGUS Information is used, it shall be limited to the extent necessary for the purposes of testing and provide evidence that the level of security corresponding to the type of PEGUS Information Processed is implemented.


Basic Level Requirements

     11.1.    Controls shall be in place to ensure that PEGUS Information transmitted by the Processor across any unsecured network is transferred between authorized Information Systems and resources only, and is only exchanged through industry recognized secure transfer mechanisms.

     11.2.    Procedures and policies shall be in place to prevent the unauthorized transfer of PEGUS Information by email and web-based applications.

     11.3.    All remote access and access via non-trusted networks (e.g. ISPs, cable, application service providers, DSL connections, etc.) to Information Systems Processing PEGUS Information shall use at least two-factor authentication methods (e.g. Remote Access Server (RAS) with a one-time-password token such as RSA SecurID, etc.) and only take place where there is a justifiable business need.

     11.4.    Wireless LAN products (e.g. NIC cards and access point devices) shall not be attached to networks permitting access to Information Systems Processing PEGUS Information or to a device connected to Information Systems Processing PEGUS Information without appropriate approvals from the Information Security Officer, or other Processor staff duly authorized in the security document(s). All wireless LAN products shall:

          11.4.1.  use secure identification, authentication, and encryption mechanisms; and

          11.4.2.  where feasible, have “peer” networking connectivity settings disabled.

Enhanced Level Requirements

     11.5.    PEGUS Information, when at rest, in transit, and/or when stored on portable media or portable devices shall be encrypted so that data elements are rendered unusable, unreadable and/or indecipherable to unauthorized individuals.


Basic Level Requirements

     12.1.    Processes and procedures shall be in place to ensure copies of PEGUS Information are retained to facilitate timely retrieval or reconstruction following loss or destruction of primary production information. Such processes and procedures shall be conducted on a regular basis and at least weekly.

     12.2.    The correct functioning of the back-up system must be tested periodically to confirm that it performs an accurate and complete reconstruction of the Information Systems Processing PEGUS Information.

     12.3.    Backed-up PEGUS Information or Information Systems Processing PEGUS Information held off the Processor’s premises shall be appropriately protected from unauthorized access following documented policy and procedures.

     12.4.    Back-up copies shall be kept at a different secure location from the site of the equipment housing Information Systems Processing PEGUS Information.

Enhanced Level Requirements

     12.5.    Backed-up PEGUS Information or Information Systems Processing PEGUS Information held on tapes, disks or other media off PEGUS’ or the Processor’s premises shall be encrypted.


Basic Level Requirements

     13.1.    When Processor equipment, physical documents and files, and physical media are disposed of or reused, recognized industry or government standard measures shall be taken to prevent subsequent retrieval of PEGUS Information originally stored in them.

     13.2.    The procedures for ensuring the secure destruction/erasure of PEGUS Information held on Processor equipment, in physical documents and files, and in physical media shall be formally documented and implemented.

     13.3.    The Processor shall identify the roles of the persons disposing of PEGUS Information, including third-party services, and shall provide evidence of destruction.


Basic Level Requirements

     14.1.    Equipment and/or media used for Processing PEGUS Information shall be protected from physical and environmental threats to prevent interruption to the Processor’s activities and loss of PEGUS Information. For example, this might be achieved by considering the following: siting equipment appropriately; physically securing power and telecommunications cabling; ensuring equipment is properly maintained and protected from power failures.

     14.2.    Equipment and/or media containing PEGUS Information shall be placed in secure areas to prevent unauthorized physical access, damage, and interference to the information. Measures corresponding with the nature of PEGUS Information being Processed shall be taken to limit physical access to that information. For example, this may include access control, CCTV, and intrusion detection systems; implementing visitor entry control procedures; securing offices, rooms, and facilities; protecting against external and environmental threats; and controlling all access points including delivery and loading areas.

     14.3.    Equipment and media (including printed materials) containing PEGUS Information shall only be removed from PEGUS’ or the Processor’s premises following a prescribed procedure/plan that prevents unauthorized access to or retrieval of PEGUS Information.

     14.4.    Where hardcopy records containing PEGUS Information are to be retained in manual filing systems, they shall be stored and filed according to appropriate criteria which enable the Processor to locate the relevant records where necessary to facilitate the access, amendment or destruction of the relevant records and facilitate the exercise of the Data Subject rights at the request of PEGUS or the individual to whom those records relate. The making of copies of such documents must be under the control of persons authorized in accordance with the relevant security document(s).

Enhanced Level Requirements

     14.5. Containers with locks or equivalent devices to prevent tampering and/or unauthorized access shall be used to store or transport hardcopy records.

     14.6. Tracking of back-up and/or mass storage media containing PEGUS Information during transport (for example by Radio Frequency Identification (RFID) or GPS) and/or bonded courier services shall be used.


Basic Level Requirements

     15.1.    The Processor shall not make PEGUS Information publicly available without PEGUS’ prior written consent.

     15.2.    The Processor shall not make any PEGUS Information available via a publicly available, restricted access website (i.e. URL available from outside of the PEGUS network), without providing evidence of successful completion of a security vulnerability test acceptable to PEGUS.

     15.3.    Further technical measures shall be put in place to prevent unauthorized electronic access to PEGUS Information.  Expectations are that these measures include, but are not limited to, firewalls, logical separation (no co-mingled data) and/or intrusion prevention and detection systems.

     15.4.    Authorization to access Information Systems Processing PEGUS Information shall be granted on a need to know or do basis. Authorized users shall only have access to that PEGUS Information necessary for them to perform their duties.

     15.5.    The Processor shall restrict access to Information Systems Processing PEGUS Information through use of adequate and appropriate identification, authentication and authorization mechanisms.

     15.6.    Formal procedures to control the authorization of access rights to Information Systems and services shall be developed. The procedures shall cover:

          15.6.1.   user registration and revocation;

          15.6.2.   privilege management;

          15.6.3.   user password management; and

          15.6.4.   review of user access rights.

     15.7.    As part of the user registration procedures, the Processor shall:

          15.7.1. Ensure every authorized user is issued a unique user identification code prior to accessing PEGUS Information or Information Systems Processing PEGUS Information.

          15.7.2. Maintain a list of all individuals authorized to access Information Systems Processing PEGUS Information that includes the unique user identification code and the level of information to which the individual has access.

          15.7.3. The Processor may disable but shall not delete or reassign such user identification codes so long as a historical list of user identification code assignments is maintained for the life of the underlying Information System.

     15.8.    At yearly intervals, the Processor shall review those individuals that it has authorized to access Information Systems Processing PEGUS Information and verify whether the individual still requires access and the present access level.

     15.9.    Only the Information Security Officer, or other Processor staff duly authorized in the security document(s), shall be permitted to grant, alter or cancel authorized access to PEGUS Information.

     15.10.  Authorized users shall only be allowed to access Information Systems Processing PEGUS Information after completing authentication procedures. Authentication procedures for access to electronic PEGUS Information shall be based on a password, or other authentication method (such as biometrics, passphrases, PINs, etc.) associated with the user identification code but only known to the authorized user.

     15.11.  Passwords shall meet prevailing legal and/or industry standards for strength and complexity, and confidentiality.

          15.11.1. Password strength and complexity shall include a length of not less than 6 characters, with password composition allowing upper and lower-case letters, numbers and/or special characters.

          15.11.2. Password must be changed by the user upon first access to the Information System and shall be changed at regular intervals appropriate to the information accessible via the systems to which they relate, and in accordance with Processor security documents, prevailing industry standards and with any legal requirements applicable to the Processor in the country in which the PEGUS Information is Processed.

          15.11.3. Passwords shall be maintained in a location and/or format that does not compromise the security of the data they protect. Passwords shall be rendered unreadable or unusable by unauthorized individuals, i.e., stored only in salted, one-way hashed form (never in plaintext or reversibly encrypted form) and protected by encryption when transmitted electronically.

          15.11.4. Access of a user identification code shall be blocked after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system. Prior to reactivation of access or replacement of lost/forgotten authentication credentials, user identity must be verified.
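The following is an added, illustrative implementation of the password handling that 15.11.1 to 15.11.4 require; it is not part of the Requirements and does not come from PEGUS. It assumes a lockout threshold of five failed attempts and a PBKDF2 iteration count, neither of which the Requirements fix, and it uses an in-memory dictionary as the credential store. Passwords are stored as salted one-way hashes (15.11.3), the first successful login demands a password change (15.11.2), repeated failures block the user identification code (15.11.4), and reactivation is gated on an identity-verification flag supplied by the caller.

```python
"""Password handling per Requirements 15.11.1-15.11.4 (added example, not PEGUS code)."""
import hashlib
import hmac
import os
from dataclasses import dataclass

MIN_LENGTH = 6                # 15.11.1: length of not less than 6 characters
MAX_FAILED_ATTEMPTS = 5       # 15.11.4: lockout threshold (assumed; not set by the Requirements)
PBKDF2_ITERATIONS = 210_000   # assumed work factor; 15.11.3 only requires "unreadable when stored"
SALT_BYTES = 16


@dataclass
class UserRecord:
    user_id: str              # 15.7.1: unique user identification code
    salt: bytes
    password_hash: bytes
    must_change: bool = True  # 15.11.2: change required on first access
    failed_attempts: int = 0
    locked: bool = False


def check_strength(password: str) -> bool:
    """15.11.1: minimum length; letters, digits and special characters are all permitted."""
    return len(password) >= MIN_LENGTH and password.isprintable()


def _derive(password: str, salt: bytes) -> bytes:
    """Salted one-way hash (15.11.3); the plaintext is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def create_user(store: dict, user_id: str, password: str) -> None:
    if user_id in store:
        raise ValueError("15.7.3: user identification codes are not reassigned")
    if not check_strength(password):
        raise ValueError("15.11.1: password does not meet minimum strength")
    salt = os.urandom(SALT_BYTES)
    store[user_id] = UserRecord(user_id, salt, _derive(password, salt))


def authenticate(store: dict, user_id: str, password: str) -> str:
    """Returns 'granted', 'password_change_required', 'denied' or 'locked'."""
    rec = store.get(user_id)
    if rec is None:
        return "denied"            # unknown code: same answer as a bad password
    if rec.locked:
        return "locked"            # 15.11.4: blocked until identity is re-verified
    if hmac.compare_digest(_derive(password, rec.salt), rec.password_hash):
        rec.failed_attempts = 0
        return "password_change_required" if rec.must_change else "granted"
    rec.failed_attempts += 1
    if rec.failed_attempts >= MAX_FAILED_ATTEMPTS:
        rec.locked = True
        return "locked"
    return "denied"


def change_password(store: dict, user_id: str, current: str, new: str) -> bool:
    rec = store.get(user_id)
    if rec is None or rec.locked:
        return False
    if not hmac.compare_digest(_derive(current, rec.salt), rec.password_hash):
        return False
    if not check_strength(new) or new == current:
        return False
    rec.salt = os.urandom(SALT_BYTES)          # fresh salt with every change
    rec.password_hash = _derive(new, rec.salt)
    rec.must_change = False
    rec.failed_attempts = 0
    return True


def reactivate(store: dict, user_id: str, identity_verified: bool) -> bool:
    """15.11.4: reactivation only after the user's identity has been verified."""
    rec = store.get(user_id)
    if rec is None or not identity_verified:
        return False
    rec.locked = False
    rec.failed_attempts = 0
    return True
```

The verification step uses `hmac.compare_digest` so that a wrong password takes the same time as a right one, and unknown user identification codes return the same `denied` result as bad passwords so the login path does not disclose which codes exist.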


Basic Level Requirements

     16.1.    An audit trail of access, or access logs, to Information Systems Processing PEGUS Information shall be maintained for a minimum period of one (1) year. At minimum, the audit trail shall be able to reasonably determine the files/databases accessed, the user ID of the individual accessing the files/databases, the date, time and type (e.g. remote, local etc.) of access, and whether access was authorized or denied.

     16.2.    Access record mechanisms for producing the audit trail shall be under the direct control of the Information Security Officer, or other Processor staff duly authorized in the security document(s), and under no circumstances can they be de-activated or manipulated.

     16.3.    The Information Security Officer, or other Processor staff duly authorized in the security document(s), shall ensure that procedures are in place to detect suspicious and irregular access and requests for access to Information Systems (“Irregular Access”). Irregular Access shall be reviewed periodically and any action arising from that review shall be documented. Any Irregular Access issues affecting PEGUS Information or services shall be reported to PEGUS.
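As an added example (not part of the Requirements and not PEGUS code), the block below shows what an audit record carrying the minimum 16.1 content looks like and runs two Irregular Access heuristics from 16.3 over it. The pipe-delimited record layout, the sample log lines and the detection thresholds are this example's own assumptions; the Requirements name the fields but prescribe neither a format nor what counts as irregular.

```python
"""Audit trail validation (16.1) and Irregular Access detection (16.3). Added example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Minimum content listed in 16.1. The pipe-delimited layout is an assumption.
FIELDS = ("timestamp", "user_id", "resource", "access_type", "result")
RESULTS = ("authorized", "denied")

# Detection thresholds are assumed; the Requirements leave them to the Processor.
DENIAL_THRESHOLD = 3
WINDOW = timedelta(minutes=10)

# Constructed sample log: one user fails three times then succeeds from a remote session.
SAMPLE_LOG = """\
2023-06-01T08:59:10|u1001|hr/payroll.db|local|authorized
2023-06-01T09:00:02|u2042|fin/cards.db|remote|denied
2023-06-01T09:00:41|u2042|fin/cards.db|remote|denied
2023-06-01T09:01:15|u2042|fin/cards.db|remote|denied
2023-06-01T09:02:03|u2042|fin/cards.db|remote|authorized
2023-06-01T09:30:00|u1001|hr/payroll.db|local|authorized
2023-06-01T17:45:00|u3077|hr/payroll.db|remote|denied
"""


def parse_record(line: str) -> dict:
    """Reject any record that cannot answer the 16.1 questions (who, what, when, how, outcome)."""
    parts = line.strip().split("|")
    if len(parts) != len(FIELDS):
        raise ValueError(f"record lacks a 16.1 field: {line!r}")
    rec = dict(zip(FIELDS, parts))
    rec["timestamp"] = datetime.fromisoformat(rec["timestamp"])
    if rec["result"] not in RESULTS:
        raise ValueError(f"result must be one of {RESULTS}: {line!r}")
    return rec


def parse_log(text: str) -> list:
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def find_irregular_access(records: list) -> list:
    """Return (user_id, kind, timestamp) findings for two assumed heuristics:
    'repeated_denials': DENIAL_THRESHOLD or more denials for one user ID within WINDOW;
    'denied_then_authorized': a denial followed by an authorized access from the same
    user ID within WINDOW, which may indicate a successful guess after failures."""
    findings = []
    by_user = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["timestamp"]):
        by_user[rec["user_id"]].append(rec)

    for uid, recs in by_user.items():
        denials = [r for r in recs if r["result"] == "denied"]
        for i, start in enumerate(denials):
            burst = [d for d in denials[i:] if d["timestamp"] - start["timestamp"] <= WINDOW]
            if len(burst) >= DENIAL_THRESHOLD:
                findings.append((uid, "repeated_denials", start["timestamp"]))
                break
        for prev, cur in zip(recs, recs[1:]):
            if (prev["result"] == "denied" and cur["result"] == "authorized"
                    and cur["timestamp"] - prev["timestamp"] <= WINDOW):
                findings.append((uid, "denied_then_authorized", cur["timestamp"]))
                break
    return findings


if __name__ == "__main__":
    for uid, kind, when in find_irregular_access(parse_log(SAMPLE_LOG)):
        print(f"{when.isoformat()} {uid} {kind}")
```

Both heuristics work only because every record carries the fields 16.1 demands; a log that dropped the user ID or the authorized/denied outcome could not be reviewed this way, which is why `parse_record` refuses such lines rather than filling in defaults. The single denial for `u3077` produces no finding and would surface only in the periodic review that 16.3 requires.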

Enhanced Level Requirements

     16.4.    Audit trails of access to Information Systems housing PEGUS Information shall be retained for a minimum period of two (2) years, and shall include any Sensitive Personal Information categories accessed.


Basic Level Requirements

     17.1.    Anti-virus software shall be installed on all Information Systems Processing PEGUS Information and updated on a regular basis, having regard to the state of the art and relevant industry best practice.

     17.2.    The Processor shall follow a documented security patching policy, process, and schedule for the infrastructure and layered application products that includes the assessment of security vulnerabilities and deployment of updates or upgrades in accordance with industry best practice.

     17.3.    Only licensed copies of commercial software which comply with and do not compromise security standards shall be used.

     17.4.    The Processor shall notify PEGUS promptly (and in any event within 24 hours of becoming aware) of the actual or potential transmission of any identified computer virus by the Processor to PEGUS.

     17.5.    No newly acquired discs/media/programs/executables from whatever source shall be loaded on to Information Systems Processing PEGUS Information unless they have been previously vulnerability scanned and virus checked by a suitable vulnerability scanning and virus checking package.

     17.6.    Appropriate controls to prohibit the download and use of file sharing (e.g. peer- to-peer) and other software that can open security vulnerabilities to Information Systems shall be implemented by the Processor.


Basic Level Requirements

     18.1.    The Processor shall have a documented procedure for identifying, reporting, responding to and managing Security Incidents that affect PEGUS Information and/or Information Systems Processing PEGUS Information.

     18.2.    Recovery of PEGUS Information or Information Systems Processing PEGUS Information following a Security Incident shall adhere to documented procedures.

19.      AUDIT

Basic Level Requirements

     19.1.    The Processor shall carry out periodic audits to ensure the ability to comply with these Requirements.

Enhanced Level Requirements

     19.2.    Information Systems or non-automated means (i.e. hardcopy filing systems) of Processing PEGUS Information constituting Personal Data, Sensitive Personal Information or Financial Personal Information shall undergo an internal or external audit at least once every two (2) years to assess compliance with these Requirements, and the findings shall be delivered in the form of an audit report.

     19.3.    In addition to this biennial audit, extraordinary audits must be carried out whenever material changes to the Processing are introduced which may affect PEGUS Information or Information Systems Processing PEGUS Information. The carrying out of any such extraordinary audit will reset the period of two years until the following audit.

     19.4.    An audit report shall include: a compliance assessment; identify any shortcomings; propose corrective or supplementary measures; and include the information upon which the recommendations are based.

     19.5.    The Information Security Officer, or other Processor staff duly authorized in the security document(s), shall analyze the audit report and refer any conclusions to PEGUS and the Processor so that appropriate corrective steps can be taken.

     19.6.    PEGUS shall be permitted access to the audit report and it will be permitted to disclose it to relevant authorities with jurisdiction upon their request where legally required to do so.


In addition to the requirements set forth in Section B, the following requirements must be met in order to be granted a Trusted Connection and would only apply if triggered by this type of connection. These requirements must continue to be met as long as the Trusted Connection remains in effect. PEGUS reserves the right to terminate the Trusted Connection if the Processor fails to meet the minimum requirements.

     20.1.    A Trusted Connection (such as a site-to-site VPN) shall only be established with a specific Processor facility. A Trusted Connection established at one Secured Processor Facility is not transferable to other Contractor locations or facilities without subsequent approval.

     20.2.    Physical access to the Secured Processor Facility must be restricted to those individuals working for the Processor on PEGUS contracts supported by the Trusted Connection. Any other individuals requiring entry to the facility must be escorted at all times by one of the individuals described above.

     20.3.    The Secured Processor Facility shall provide an isolated network that connects directly to PEGUS and does not connect back to the Processor’s own internal network or any other network including the Internet. Internet access will be provided via the PEGUS Internet gateways.

     20.4.    End user computing devices used in the Secured Processor Facility shall be either PEGUS provided devices with a PEGUS Desktop Management Services (hereinafter “DMS”) image or Processor provided devices with a PEGUS DMS image. Said devices will be managed and supported in accordance with PEGUS supplied processes.

     20.5.    The Contractor agrees to an initial site survey at the Secured Processor Facility and subsequent assessments conducted by PEGUS, which includes, but is not limited to, monitoring of the following:

          20.5.1. Restricted physical and logical access to devices connecting to the PEGUS network;

          20.5.2. Connectivity between Secured Processor Facility and other networks (including supplier network and the Internet) to ensure that there is no additional connectivity outside of the established Trusted Connection;

          20.5.3. End user computing devices to ensure that all are either PEGUS machines with PEGUS DMS images or Processor machines with PEGUS DMS image, and that all devices will be managed and supported in accordance with PEGUS supplied processes.

     20.6.    The Processor agrees that PEGUS may employ Intrusion Prevention Systems (IPS) or other tools to monitor network traffic or the flow of sensitive intellectual property between the Secured Processor Facility and PEGUS, specifically to detect malicious traffic on the wire.