PEGUS PRIVACY AND INFORMATION SECURITY ADDENDUM
This Privacy and Information Security Addendum (“Addendum”), is attached as Exhibit B to the Independent Contractors Agreement (the “Agreement”) between PEGUS Research, Inc. (“PEGUS”) and the independent contractor. (“Contractor”).
WHEREAS, PEGUS and Contractor have entered into the Agreement pursuant to which Contractor performs certain Services (as such term is defined in the Agreement) for or on behalf of PEGUS and/or other PEGUS Affiliates;
WHEREAS, in performing such Services, Contractor may “Process” (defined below) “Personal Information” (defined below) from or on behalf of PEGUS and/or other PEGUS Affiliates;
WHEREAS, the parties wish to set forth in this Addendum the additional requirements applicable to Personal Information Processed by Contractor in connection with providing the Services;
NOW, THEREFORE, in consideration of the mutual covenants contained herein and for other good and valuable consideration, the receipt and adequacy of which are hereby acknowledged, and intending to be legally bound, the parties agree as follows:
Capitalized terms shall have the meanings set out below. Any capitalized terms not defined below or elsewhere in this Addendum shall have the meanings ascribed to them in the Agreement:
“Affiliate” means in relation to a party, any entity which (directly or indirectly) controls, is controlled by and/or under common control with that party. Affiliates of PEGUS shall additionally include parties for which Contractor is acting as a sub-contractor for on behalf of PEGUS.
“Event” means the unauthorized and/or unlawful Processing of Personal Information whether in electronic, hard copy or other form including but not limited to interference with information system operations; provided, however that trivial attempts to penetrate Contractor’s networks or systems that occur on a daily basis, such as scans, and “pings,” will not be considered an Event.
“Laws” means all national, state, regional and/or local laws, rules, regulations, security requirements and regulatory guidance applicable to the either party’s performance under the Agreement (including, without limitation the requirements of the Health Insurance Portability and Accountability Act, as amended by the Health Information Technology for Economic and Clinical Health Act (collectively, “HIPAA”), which may include but are not limited to those applicable to the Processing of Personal Information such as the Regulation (EU) 2016/679 (“GDPR”) together with applicable legislation implementing or supplementing the same or otherwise relating to the processing of Personal Data of natural persons, as well as the Payment Card Industry Data Security Standards and other applicable standards issued by the Payment Card Industry Security Standards Council, LLC, VISA, MasterCard, Discover, American Express, JCB and all other relevant credit card brands.
“Personal Information” has the meaning given by the applicable Laws and shall include, without limitation, any data or information (regardless of the medium in which it is contained and whether alone or in combination) which may be supplied to or Processed by or on behalf of Contractor in connection with the provision of the Services, that relates to an identified or identifiable person (“Data Subject”) including, without limitation, name, postal address, email address, telephone number and information about the Data Subject’s health, opinions or beliefs.
“Process” means any operation which is performed upon Personal Information, whether or not by automatic means, including but not limited to the access, acquisition, collection, recording, organization, storage, alteration, retrieval, consultation, use, disclosure, combination, “Transfer” (defined below), blocking, return or destruction of Personal Information. “Processed”, or “Processing” shall be construed accordingly.
“Remediation Efforts” means activities related to the investigation of, response to and remediation of an Event including, without limitation, forensic investigations, breach notification, establishment and operation of toll-free phone support for affected individuals, provision of credit protection services and identity theft insurances for affected individuals, cooperation with regulatory authorities and management and response to litigation and other legal or regulatory actions including but not limited to engaging attorneys and the payment of fines, settlements and damages.
“Security Issue” means any material weakness reasonably likely to give rise to an Event.
“Transfer” means both (a) the moving of Personal Information from one location or person to another, whether by physical or electronic means and (b) the granting of access to Personal Information by one location or person to another, whether by physical or electronic means. “Transferred”, or “Transferring” shall be construed accordingly.
“Vendor Assessment” means any Privacy and Security Practices Vendor Assessment or similar document or process completed or performed by Contractor at PEGUS’s request. No more than one Vendor Assessment may be competed in a given 365-day period.
1.1 Limitations on Contractor’s use of Personal Information
Contractor shall maintain all Personal Information in strict confidence and shall only Process the Personal Information to perform the Services and for no other purpose unless otherwise provided in the Agreement or authorized in advance in writing by PEGUS.
1.2 Notice and Consent
1.2.1 Provided by PEGUS. PEGUS shall be solely responsible for providing and obtaining any legally-required notice and consent from individuals with respect to Personal Information supplied by or on behalf of PEGUS to Contractor
1.2.2 Provided by Contractor. When Contractor collects Personal Information from Data Subjects in connection with the provision of the Services it shall provide notice and/or collect consent in the form set forth in the Agreement or applicable Exhibit A to the Agreement (a “Statement of Work” or “SOW”) or in such other form as reasonably specified to Contractor by PEGUS. Contractor shall record and retain for a minimum of two (2) years after the expiration or termination of the Agreement the notice provided to, and the written, electronic or verbal consent obtained from, each individual. Contractor shall provide such records to PEGUS upon request and upon the expiration or termination of the Agreement.
1.3 Access and Other Requests
1.3.1 Notification of Requests
Contractor shall, where not legally prohibited from doing so, notify PEGUS as soon as reasonably practicable, and in any event within three (3) business days, of receiving any request or complaint related to any Personal Information.
1.3.2 Responses to Requests
Contractor shall not respond to any requests described above in Section 1.3, unless this Agreement, including any applicable Statement of Work, provides otherwise; Contractor is explicitly authorized by PEGUS in writing to do so; or where Contractor has a mandatory obligation under applicable Laws to respond directly, in which case Contractor shall notify PEGUS as soon as possible and, at a minimum, at the same time as making the initial notification under Section 1.3.1 and shall comply with PEGUS’s reasonable requests in responding to, and dealing with, such request.
1.3.3 Assistance with requests
With respect to requests from governmental or regulatory bodies, Contractor shall cooperate fully with PEGUS, at PEGUS’s cost, in any effort led by PEGUS to intervene and quash or limit such requests or respond to a governmental authority in the course of any investigation or claim by any governmental authority relating to the Personal Information Processed by Contractor under the Agreement. Should Contractor be legally required to respond to a request from governmental or regulatory bodies, Contractor, after consultation with PEGUS, shall only disclose the minimum amount of Personal Information necessary to comply with law or judicial process.
1.4 Data Quality
Contractor shall preserve the accuracy and integrity of Personal Information, Contractor shall update, amend, correct or delete Personal Information that is inaccurate or incomplete at the request of PEGUS or the Data Subject, consistent with the provisions set forth in Section 1.3.
1.5 International Transfers
1.5.1 Unless specifically authorized in the Agreement or applicable SOW, Contractor shall not Process, nor permit any Subcontractor (as defined in Section 1.7), to Process Personal Information across any national borders without PEGUS’s prior written consent. In any event, Contractor shall be responsible for ensuring that any Processing of Personal Information across national borders (whether performed by itself or a Subcontractor) complies with all applicable Laws including but not limited to any cross-border data transfer requirements or prohibitions.
1.5.2 Where requested by PEGUS to do so, Contractor shall, and shall compel its Subcontractors to, enter into additional data transfer or data processing agreements or contractual clauses (including where applicable the EC approved standard clauses for international transfer of personal data or, where applicable, contractual clauses required by other countries for international transfers of personal data), in connection with any international transfers of Personal Information approved by PEGUS pursuant to Section 1.5.1.
1.6 Contractor Employees
1.6.1 Contractor shall take all reasonable steps to ensure the reliability of its employees or other personnel having access to the Personal Information, including the conducting of appropriate background and/or verification checks.
1.6.2 Contractor will ensure that access to, and use of, the Personal Information is limited to those of its employees or personnel who require access to it to perform the Services and that such individuals:
184.108.40.206 have undertaken training in relation to data protection principles and the applicable Laws that apply to their handling of Personal Information;
220.127.116.11 are aware of Contractor’s duties and their personal duties under all applicable Laws and the Agreement (including this Addendum); and
18.104.22.168 are permitted access to the Personal Information only to the extent necessary to perform their role in providing the Services.
1.7 Subcontractors and Other Third Parties
1.7.1 Contractor shall not engage any third parties or non-employees (“Subcontractors”) to Process Personal Information unless PEGUS has expressly consented in writing in advance to the use of such Subcontractor(s).
1.7.2 Where PEGUS has provided such prior written consent Contractor shall:
22.214.171.124 carry out adequate due diligence on each Subcontractor to ensure that it is capable of providing the level of protection for the Personal Information that is required by the Agreement (including this Addendum), and provide evidence of such due diligence to PEGUS where requested by PEGUS;
126.96.36.199 execute a written agreement with each Subcontractor that includes provisions that are no less protective of Personal Information than the level of protection required by the obligations set forth in this Agreement (including this Addendum); and
188.8.131.52 remain liable for all the acts and/or omissions of the Subcontractor.
1.8 General Cooperation
Contractor shall cooperate fully with, and assist, PEGUS and the PEGUS Affiliates, at PEGUS and such PEGUS Affiliate’s expense, in relation to any notifications or prior approvals that PEGUS or the PEGUS Affiliates may be required to effect or obtain from a governmental or regulatory body in connection with the Personal Information, including without limitation the preparation of supporting documentation to be submitted to the relevant governmental or regulatory body and provision of supporting documentation sufficient to evidence that Contractor is legally bound by the terms of this Agreement.
1.9 Return of Personal Information
To the extent not otherwise prohibited by applicable Laws, the Agreement or this Addendum, at any time upon PEGUS’s request, including at termination of the Agreement, Contractor shall immediately return or securely destroy all originals and copies of Personal Information (whether in electronic or hard copy form) in its, or its Subcontractor’s, possession, custody, or control or in accordance with the requirements of the Agreement, this Addendum and applicable Laws. Contractor shall provide a certification confirming that all Personal Information Processed under the Agreement has been returned or securely destroyed within ten (10) business days of PEGUS’s request.
1.10 Security Standards
Contractor shall ensure that appropriate technical, physical and organizational measures, commensurate with the sensitivity of the Personal Information to be Processed by Contractor hereunder, are taken against unauthorized or unlawful Processing, acquisition, access, or accidental loss, destruction, alteration, or damage to the Personal Information. Without limiting the generality of the foregoing, Contractor shall implement the measures specified in Appendix A to this Addendum (“PEGUS Baseline Third Party Security Requirements”) and incorporated herein by this reference thereto, binding on Contractor and PEGUS, as well as any other minimum-security requirements of the applicable Laws and/or generally accepted industry standards and best practices communicated to Contractor from time to time.
1.10.1 Vendor Assessment
184.108.40.206 Contractor acknowledges and agrees that PEGUS shall have the right, no more than once in a given 365-day period during the term of the Agreement, including any renewal thereof, and for as long as Contractor holds or otherwise Processes Personal Information, to request that Contractor complete a security practices Vendor Assessment and Contractor will cooperate with such request.
220.127.116.11 With respect to any Vendor Assessment, Contractor represents and warrants that for as long as the Agreement remains in effect or Contractor holds or otherwise Processes Personal Information: (i) the responses provided by Contractor in the Vendor Assessment (or as remediated in conformance with the terms of this Addendum and with written notice of such remediation to PEGUS) are and shall be true, accurate and complete to the best of the Contractor’s knowledge; (ii) the privacy, security, Processing and Transfer practices adopted and maintained by Contractor as stated in the Vendor Assessment shall be in effect and consistently applied; (iii) Contractor shall notify PEGUS in writing promptly (and in all cases within five (5) business days) in the event of any adverse material change in Contractor’s privacy, security, Processing or Transfer practices from those represented by Contractor in the Vendor Assessment; and (iv) upon written request from PEGUS no more than once in a given 365 day period during the term of the Agreement, Contractor shall complete a new Vendor Assessment or certify as to the absence of changes from any prior Vendor Assessment.
18.104.22.168 Following the completion of any Vendor Assessment, PEGUS shall have the right to notify Contractor, in writing, of any alleged risks, threats or Security Issues identified during any Vendor Assessment or any non-conformance to generally accepted trade practice in the industry.
22.214.171.124 Contractor shall maintain all necessary documentation to evidence its compliance with this Addendum for a period of six (6) years after the expiration or termination of this Agreement, or for such longer period as otherwise may be required by applicable Laws, whichever occurs latest. Contractor shall provide PEGUS with access to such documentation upon request.
126.96.36.199 Contractor shall provide PEGUS, PEGUS’s authorized representatives and/or applicable regulatory authorities having the right to carry out an audit of PEGUS or PEGUS Affiliates, on reasonable notice no more than once every year, the right to audit Contractor’s business processes and practices involving the privacy, security and/or Processing of Personal Information in the performance of the Services, on at least an annual basis and following each occurrence of an Event. PEGUS shall bear the full cost and expense of any such audit, unless such audit discloses a Security Issue or was triggered by an Event, in which case Contractor shall bear the full cost and expense of such audit or re-audit (if reasonably required).
1.10.3 Security Issues
To the extent that a Security Issue is identified by a Vendor Assessment, audit or otherwise discovered by or made known to Contractor, Contractor shall immediately notify PEGUS in writing and, within ten (10) business days thereafter, either remediate such Security Issue or provide PEGUS with a plan acceptable to PEGUS for Contractor to remediate the Security Issue. If (i) the Security Issue is not remediated within such period; or (ii) an acceptable plan for remediating such Security Issue is not agreed to by the parties during such time period, or (iii) if an acceptable plan is not executed according to the terms of such plan, then PEGUS may, by giving Contractor written notice thereof, immediately terminate the Agreement and/or exercise such rights and remedies it deems appropriate under the circumstances. In connection with such termination, PEGUS may exercise all rights and remedies available to it in the event of breach. Contractor shall bear all reasonable costs for re-testing performed to verify the remediation of any Security Issue.
Contractor shall notify PEGUS in writing of an Event in the most expedient time possible under the circumstances, and in any event within two (2) days of discovery of the Event. An Event shall be deemed discovered by Contractor or its Subcontractors as of the first day on which the Event is known to Contractor or Subcontractor (including an individual employee or officer or other agent of Contractor or Subcontractor) or should reasonably have been known to have occurred. Such notice shall summarize in reasonable detail the timing and nature of the Event, the impact on PEGUS, PEGUS Affiliates and/or the Data Subjects affected by such Event and the corrective action taken or proposed to be taken by Contractor.
As soon as reasonably practicable after any Event, PEGUS and Contractor shall consult in good faith regarding Remediation Efforts and Contractor shall cooperate fully with PEGUS in all reasonable and lawful efforts to prevent, mitigate or rectify such Event. However, Remediation Efforts required by applicable Laws must be carried out and are not dependent upon the completion of the consultation process, provided however that to the extent the circumstances and timeframe permit, the parties shall use good faith efforts to discuss and coordinate Remediation Efforts required by applicable Laws during the consultation process. Failure by Contractor to engage in substantive or meaningful discussions regarding an Event reasonably believed by PEGUS to have occurred or failure by Contractor to take Remediation Efforts shall be deemed an immediate and material breach of the Agreement.
Pursuant to the consultation described in Section 1.11.2 immediately above, Contractor shall undertake Remediation Efforts at its sole expense, or reimburse PEGUS for PEGUS’s reasonable costs and expenses incurred in connection with Remediation Efforts.
Contractor shall keep PEGUS apprised of, and cooperate reasonably with PEGUS in connection with, Contractor’s, PEGUS’s or any regulatory or government authority’s investigation of any Event. Contractor shall not make any public announcement (including, without limitation, website postings and press releases) or notify affected individuals regarding such Event without PEGUS’s prior written approval (which approval shall not be unreasonably withheld, conditioned or delayed) unless it is required to do so pursuant to applicable Laws in which such case it shall provide PEGUS reasonable prior notice where not prohibited by Laws from doing so.
Without limitation to the other provisions of this Agreement, Contractor represents and warrants that it shall, at all times, comply with all laws applicable to Contractor in relation to its processing of Personal Information including but not limited to Laws.
3. INDEMNITY AND LIABILITY
Contractor shall indemnify, defend and hold harmless PEGUS and/or relevant PEGUS Affiliates from and against any and all liability, loss, claim, injury, damage, penalty, fine, settlement or expense (including, without limitation, fines, damage awards, costs of Remediation Efforts and reasonable attorneys’ fees and costs arising from or relating to any action, claim or allegation of a third party (including, without limitation, any regulatory or government authority)) of or with respect to any Event or breach of this Addendum.
3.2 Liability and Remedies
Contractor’s indemnification obligations under Section 3.1 shall be in addition to any indemnification or similar obligations Contractor may have under the Agreement, including, without limitation, the obligation to pay for Remediation Efforts as provided in Section 1.11.3). The rights and remedies of PEGUS pursuant to this Addendum shall not be subject to any limitation of actions, arbitration provisions or any other similar limiting provisions stated in the Agreement. Without limiting the foregoing: (i) PEGUS shall not be precluded from immediately pursuing any rights or remedies it may have under or relating to this Addendum and (ii) Contractor shall be liable for all indemnification obligations under Section 3.1 and for reimbursement of costs and expenses for Remediation Efforts under Section 1.11.3 regardless of whether such amounts are characterized by any party, regulatory or government body or other third party as direct, indirect, consequential, special, punitive or other damages or as contractually-agreed preventative measures designed to limit future damages.
4. MISCELLANEOUS PROVISIONS
4.1 Method of Notice.
Notice shall be given in accordance with the Agreement.
4.2 Conflicts with Obligations Under the Agreement
In the event Contractor believes that it cannot satisfy its other obligations under the Agreement while complying fully with this Addendum, Contractor must notify PEGUS immediately and shall not proceed with any act that would violate this Addendum until the issue is resolved to PEGUS’s reasonable satisfaction.
Notwithstanding anything to the contrary in the Agreement, the obligations pursuant to this Addendum shall survive termination of the Agreement.
4.4 Authority to Execute
The parties represent and warrant to each other that each has the legal power and authority to enter into this Addendum.
4.5 Entire Agreement
Except as expressly set forth in this Amendment, the terms, provisions and conditions of the Agreement are hereby ratified and confirmed and shall remain unchanged and in full force and effect without interruption or impairment of any kind.
In the event of any conflict between the provisions of the Agreement and the provisions of this Addendum, the provisions which provide greater protection for Personal Information shall take precedence.
If any provision of this Addendum shall be unlawful, void, or for any reason unenforceable, then that provision shall be deemed severable from these terms and shall not affect the validity and enforceability of any remaining provisions of this Addendum or the Agreement.
This Addendum cannot be modified, amended, or changed except in writing and signed by the parties.
Neither the rights nor the obligations of either party may be assigned or delegated in whole or in part without the prior written consent of the other party unless otherwise expressly permitted under the Agreement. Any delegation without written permission shall be null and void and of no effect unless otherwise expressly permitted under the Agreement.
4.10 Third Party Beneficiaries
4.10.1 Subject to Section 4.10.2, nothing in this Addendum shall confer any benefits or rights on any person or entity other than the parties to this Addendum.
4.10.2 Where the Services include the Processing by or on behalf of Contractor of the Personal Information of PEGUS Affiliates, each such PEGUS Affiliate may enforce the terms of this Addendum as a third-party beneficiary against Contractor in respect its Personal Information as if it were a party to this Addendum and the Agreement.
4.11 No Waiver
A waiver by a Party of any term or condition of this Addendum in any instance shall not be deemed or construed to be a waiver of such term or condition for the future, or of any subsequent breach thereof.
4.12 Further Assurance
Contractor acknowledges that one or more PEGUS Affiliates may, pursuant to applicable Laws, be required to enter into a direct Processing agreement with Contractor, to address the indirect Processing of its Personal Information by Contractor as facilitated by PEGUS. Contractor agrees that in the aforementioned circumstances and where requested by PEGUS, Contractor shall enter into a Processing agreement with such PEGUS Affiliate on terms equivalent to this Addendum modified as necessary to comply with local Laws as soon as is reasonably possible.
BASELINE THIRD PARTY SECURITY REQUIREMENT
REQUIREMENTS INTRODUCTION AND BACKGROUND
1.1. These Baseline Third Party Security Requirements (“Requirements”) shall be applied by all external entities that Process PEGUS Information on behalf of PEGUS and its Affiliates.
1.2. These Requirements aim to ensure that the Processor of PEGUS Information maintains the confidentiality, integrity and security of PEGUS Information in accordance with the requirements imposed by Data Protection Laws and applicable industry standards and best practices.
1.3. These Requirements aim to provide for a minimum level of information security, however, information security threats come from a wide range of sources and are continually developing; therefore, security measures shall be reviewed regularly.
1.4. Where necessary, having regard to the state of the art, industry best practice and cost of their implementation, measures that compensate for or are additional to those detailed in these Requirements may be needed. Such compensating measures shall be subject to the prior written approval of PEGUS. In any event such measures shall ensure a level of security appropriate to the risks represented by the Processing and the nature of the information to be protected.
2.1. Within these Requirements the following terms have the following meanings:
2.1.1. “Affiliate” means in relation to a party, any entity which (directly or indirectly) controls, is controlled by and/or under common control with that party. Affiliates of PEGUS shall additionally include parties for which Contractor is acting as a sub-contractor for on behalf of PEGUS.
2.1.2. “Data Protection Laws” means all Laws applicable to the Processing of Personal Information (including but not limited to Data Privacy or Data Security Laws) used or obtained by the Contractor in the performance of the Services including, without limitation to, those national, state, regional and/or local laws and regulations governing privacy, security, confidentiality and protection of Personal Information.
2.1.3. “Information Systems” means all systems, including, but not limited to, electronic, equipment, and storage media, used by the Processor to access, store or otherwise Process PEGUS Information.
2.1.4. “Intellectual Property” means and include patents, trademarks, service marks, trade dress, logos, trade names, domain names and corporate names, copyrights, trade secrets, know-how, and all other intangible, industrial and intellectual property rights, by whatever name known, and all registrations thereof and applications to register the same.
2.1.5. “Financial Personal Information” means Personal Information consisting of financial information including but not limited to bank account numbers, credit card numbers and debit card numbers (whether with or without expiry dates and pin numbers), income and credit histories.
2.1.6 “Government Identifier Personal Information” means Personal Information consisting of national insurance numbers, social security numbers, tax identifications, passport numbers, drivers license numbers or other equivalent government issued identifiers.
2.1.7. “Personal Information” has the meaning given by the relevant Laws and shall include, without limitation, any data or information (regardless of the medium in which it is contained and whether alone or in combination) which may be supplied to or Processed by or on behalf of Contractor in connection with the provision of the Services, that relates to an identified or identifiable person (“Data Subject”) including, without limitation, name, postal address, email address, telephone number and information about the Data Subject’s health, opinions or beliefs.
2.1.8. “PEGUS” the PEGUS entity, including Affiliate entities, that decides the purposes for which the PEGUS Information is Processed.
2.1.9. “PEGUS Information” means any information disclosed by or on behalf of PEGUS to the Processor, including Intellectual Property, PEGUS Confidential Information, Personal Information, Sensitive Personal Information, Financial Personal Information and Government Identifier Personal Information.
2.1.10. “Processing” means any operation or set of operations which is performed upon PEGUS Information, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, access, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, return or destruction, and “Process” and “Processed” shall have the appropriate corresponding meanings.
2.1.11. “Processor” means the entity Processing the PEGUS Information on behalf of PEGUS and may include a PEGUS entity where it Processes PEGUS Information under the instructions of another PEGUS entity.
2.1.12. “Security Incident” means the unauthorized and/or unlawful access, acquisition, use, disclosure, modification, processing, destruction or loss of PEGUS Information or Information Systems Processing PEGUS Information whether in electronic or hard copy form, or interference with system operations in an information system, that compromises or which reasonably is anticipated would compromise the privacy, security, confidentiality, integrity or availability of PEGUS Information, including but not limited to (i) incidents resulting from or arising out of Processor’s internal use, Processing, or Transfer of PEGUS Information, whether between or among Contractor’s subsidiaries and affiliates, subcontractors or any other person or entity acting on behalf of Processor; (ii) any other similar incident as may be so defined by relevant data protection laws that apply to PEGUS; provided that trivial attempts to penetrate Processor’s networks or systems that occur on a daily basis, such as scans, “pings” or other unsuccessful attempts to penetrate computer networks or systems maintained by Processor, will not be considered a Security Incident.
2.1.13. “Sensitive Personal Information” means Personal Information pertaining to the racial or ethnic origin, physical or mental health condition or sexual life, offences and/or criminal convictions, trade union membership, religious or similar beliefs or political or ideological opinions of an identified or identifiable individual.
2.1.14. “Trusted Connection” means PEGUS, in its absolute discretion, has determined that unrestricted access to the PEGUS network through a PEGUS firewall for a specific Processor facility or location (hereinafter referred to as secured Processor facility) is required.
3. INFORMATION CLASSIFICATION AND SECURITY LEVELS
3.1. These Requirements are categorized into those that are Basic Level Requirements and Enhanced Level Requirements.
3.2. Basic Level Requirements shall be applied to all PEGUS Information.
3.3. Enhanced Level Requirements shall be applied in addition to the Basic Level Requirements for Personal Information, Sensitive Personal Information, Financial Personal Information, and Government Identifier Personal Information, and where otherwise specifically indicated in these Requirements.
3.4. Where PEGUS has agreed to specific additional security measures with a relevant Processor in addition to those set out herein, generally or in relation to a specific service or platform, those measures providing the highest level of protection to PEGUS Information shall be applied by the Processor.
MINIMUM SECURITY REQUIREMENTS
1. MANAGEMENT OF INFORMATION SECURITY
Basic Level Requirements
1.1. The Processor shall ensure that senior management of the Processor accepts ultimate responsibility for ensuring that information security is properly managed and that these Requirements are implemented and adhered to by the Processor and its staff.
1.2. The Processor shall put into place a management structure to oversee the effective implementation and continuing development of security procedures. At a minimum, this shall consist of an individual from senior management with the necessary authority to implement these Requirements and other necessary security procedures (“Information Security Officer” (or other Processor staff duly authorized in the security document(s))).
1.3. The Information Security Officer’s responsibilities shall include:
1.3.1. reviewing implementation and adherence to these Requirements; and
1.3.2. acting as a point of contact in relation to information security issues raised by PEGUS.
2. DOCUMENTED SECURITY POLICY
Basic Level Requirements
2.1. The Processor shall document its security policy and procedures which address all the activities relating to the handling and management of data. Security policies and procedures shall be reviewed and/or updated at reasonable intervals and/or whenever there are material changes to the Information Systems, including those Processing PEGUS Information.
2.2. The security documents shall clearly identify those technical and organizational measures and practices to be implemented and followed by the Processor to adequately protect the security of information Processed by the Processor.
2.3. The security documents and/or guidance stipulating the procedures to be followed and measures to be implemented to satisfy the requirements contained therein, shall be published and communicated as relevant to the Processor’s employees and relevant external parties directly or indirectly involved in the Processing of PEGUS Information.
2.4. The Processor shall, on request, provide PEGUS with access to copies of the security documents and any future updated versions of such documents.
3. HUMAN RESOURCE SECURITY
Basic Level Requirements
3.1. Processor will conduct and complete appropriate background and/or verification checks of its employees, contractors and/or third parties to ensure their suitability for handling PEGUS Information prior to their Processing of any such PEGUS Information.
3.2. Responsibilities and instructions in relation to protecting the confidentiality, integrity and security of PEGUS Information shall be defined and communicated in writing to employees/contractors/third parties.
3.3. Employment contracts, contracts with contractors and contracts with third party users shall contain terms setting out obligations and responsibilities in relation and appropriate to maintaining the confidentiality, integrity and security of PEGUS Information.
3.4. A formal disciplinary process shall be in place for employees who violate Processor policy and procedures relating to the Processing of PEGUS Information.
3.5. Upon termination of employment/engagement, an employee/contractor/third party shall return all PEGUS Information in his/her possession on whatever medium it is stored, and access rights to Information Systems Processing PEGUS Information shall be terminated.
4. TRAINING AND AWARENESS
Basic Level Requirements
4.1. Regular information security awareness, education and training suitable to an individual’s role and responsibility shall be undertaken. This shall begin with a formal induction to security procedures and policies and continue throughout employment.
4.2. Where PEGUS network account and/or PEGUS email access is granted, PEGUS’s applicable policies and procedures shall be followed by Processor personnel. Applicable policies, procedures, and training will be provided as part of the provisioning process.
5. INVENTORY OF INFORMATION
Basic Level Requirements
5.1. Media, servers, and equipment containing PEGUS Information shall be labeled in a way that protects the confidentiality of PEGUS Information and does not expressly expose the actual content.
5.2. An inventory shall be maintained in a way that provides traceability to those media, servers, and equipment containing PEGUS Information.
5.3. When PEGUS Information and/or media containing it are being transferred between parties, a system for recording incoming and outgoing media containing PEGUS Information shall be set up which permits direct or indirect identification of the kind of media, the date and time, the sender, the number of media, the kind of PEGUS Information contained, how they are sent and the authorized person responsible for receiving them.
6. PORTABLE MEDIA DEVICES
Basic Level Requirements
6.1. The Processor shall only use portable devices where there is a genuine business need and where the PEGUS Information on the device is appropriately erased or destroyed when the defined business need has expired.
6.2. PEGUS Information stored on portable devices (including laptops and PDAs, external hard drives, flash drives, CDs, DVDs, tapes and other mass storage devices) shall be adequately protected from unauthorized access, loss and destruction using industry recognized mechanisms, such as encryption, inactivity timeout, or power on passwords.
6.3. Policies and procedures for using portable devices shall be maintained by the Processor and training on these procedures shall be provided to all Processor staff.
Enhanced Level Requirements
6.4. Any portable device containing PEGUS Information shall be encrypted.
7. TESTS WITH REAL PEGUS INFORMATION
Basic Level Requirements
7.1. Testing prior to the implementation or modification of a relevant Information System shall not use real or ‘live’ PEGUS Information unless there is no reasonable alternative and such use has been approved by PEGUS. Where real or ‘live’ PEGUS Information is used, it shall be limited to the extent necessary for the purposes of testing and provide evidence that the level of security corresponding to the type of PEGUS Information Processed is implemented.
8. ELECTRONIC STORAGE AND TRANSFER OF PEGUS INFORMATION
Basic Level Requirements
8.1. Controls shall be in place to ensure that PEGUS Information transmitted by the Processor across any unsecured network is transferred between authorized Information Systems and resources only, and is only exchanged through industry recognized secure transfer mechanisms.
8.2. Procedures and policies shall be in place to prevent the unauthorized transfer of PEGUS Information by email and web-based applications.
8.3. All remote access and access via non-trusted networks (e.g. ISPs, cable, application service Contractors, DSL connections, etc.) to Information Systems Processing PEGUS Information, shall use at least two-factor authentication methods (e.g. Remote Access Server (RAS), SecureID, etc.) and only take place where there is a justifiable business need.
8.4. Wireless LAN products (e.g. NIC cards and access point devices) shall not be attached to networks permitting access to Information Systems Processing PEGUS Information or to a device connected to Information Systems Processing PEGUS Information without appropriate approvals from the Information Security Officer, or other Processor staff duly authorized in the security document(s). All wireless LAN products shall:
8.4.1. use secure identification, authentication, and encryption mechanisms; and
8.4.2. where feasible, have “peer” networking connectivity settings disabled.
Enhanced Level Requirements
8.5. PEGUS Information, when at rest, in transit, and/or when stored on portable media or portable devices shall be encrypted so that data elements are rendered unusable, unreadable or indecipherable to unauthorized individuals.
9. BACK-UP AND RECOVERY
Basic Level Requirements
9.1. Processes and procedures shall be in place to ensure copies of PEGUS Information are retained to facilitate retrieval or reconstruction following loss or destruction of primary production information. Such processes and procedures shall be conducted on a regular basis and at least weekly.
9.2 The correct functioning of the back-up system must be tested periodically to confirm that it performs an accurate and complete reconstruction of the Information Systems Processing PEGUS Information.
9.3. Backed-up PEGUS Information or Information Systems Processing PEGUS Information held off the Processor’s premises shall be appropriately protected from unauthorized access following documented policy and procedures.
9.4. Back-up copies shall be kept at a different secure location from the site of the equipment housing Information Systems Processing PEGUS Information.
Enhanced Level Requirements
9.5. Backed-up PEGUS Information or Information Systems Processing PEGUS Information held on tapes, disks or other media off PEGUS’s or the Processor’s premises shall be encrypted.
10. DISPOSAL OF INFORMATION
Basic Level Requirements
10.1. When Processor equipment, physical documents and files, and physical media are disposed of or reused, recognized industry or government standard measures shall be taken to prevent subsequent retrieval of PEGUS Information originally stored in them.
10.2. The procedures for ensuring the secure destruction/erasure of PEGUS Information held on Processor equipment, in physical documents and files, and in physical media shall be formally documented and implemented.
10.3. The Processor shall identify the roles of the persons disposing of PEGUS Information, including third party services, and shall provide evidence of destruction.
11. PHYSICAL AND ENVIRONMENTAL SECURITY
Basic Level Requirements
11.1. Equipment and/or media used for Processing PEGUS Information shall be protected from physical and environmental threats to prevent interruption to the Processor’s activities and loss of PEGUS Information. For example, this can be achieved by considering the following: citing equipment; physically securing power and telecommunications cabling; ensuring equipment is properly maintained and protected from power failures.
11.2. Equipment and/or media containing PEGUS Information shall be placed in secure areas to prevent unauthorized physical access, damage, and interference to the information. Measures corresponding with the nature of PEGUS Information being Processed shall be taken to limit physical access to that information. For example, this may include access control, CCTV, and intrusion detection systems; implementing visitor entry control procedures; securing offices, rooms, and facilities; protecting against external and environmental threats; and controlling all access points including delivery and loading areas.
11.3. Equipment and media (including printed materials) containing PEGUS Information shall only be removed from PEGUS’s or the Processor’s premises following prescribed a procedure/plan that prevents unauthorized access to or retrieval of PEGUS Information.
11.4. Where hardcopy records containing PEGUS Information are to be retained in manual filing systems, they shall be stored and filed according to appropriate criteria which enable the Processor to locate the relevant records where necessary to facilitate the access, amendment or destruction of the relevant records and facilitate the exercise of the data subject rights at the request of PEGUS or the individual to who those records relate. The making of copies of such documents must be under the control of persons authorized in accordance with the relevant security document(s).
Enhanced Level Requirements
11.5. Containers with locks or equivalent devices to prevent tampering and/or unauthorized access shall be used to store or transport hardcopy records.
11.6. Tracking of back-up and/or mass storage media containing PEGUS Information during transport (for example by Radio Frequency Identification (RFID) or GPS) and/or bonded courier services shall be used.
12. PHYSICAL AND LOGICAL ACCESS
Basic Level Requirements
12.1. Processor shall not make PEGUS Information publicly available without PEGUS’s prior written consent.
12.2. Processor shall not make any PEGUS Information available via a publicly available, restricted access website (i.e. URL available from outside of the PEGUS network), without providing evidence of successful completion of a security vulnerability test acceptable to PEGUS.
12.3. Further technical measures shall be put in place to prevent unauthorized electronic access to PEGUS Information. Expectations are that these measures include, but are not limited to, firewalls, logical separation (no co-mingled data) and/or intrusion prevention and detection systems.
12.4. Authorization to access Information Systems Processing PEGUS Information shall be granted on a need to know or do basis, authorized users shall only have access to that PEGUS Information necessary for them to perform their duties.
12.5. Processor shall restrict access to Information Systems Processing PEGUS Information through use of adequate and appropriate identification, authentication and authorization mechanisms.
12.6. Formal procedures to control the authorization of access rights to Information Systems and services shall be developed. The procedures shall cover:
12.6.1. user registration and revocation;
12.6.2. privilege management;
12.6.3. user password management; and
12.6.4. review of user access rights.
12.7. As part of the user registration procedures, the Processor shall:
12.7.1. Ensure every authorized user is issued a unique user identification code prior to accessing PEGUS Information or Information Systems Processing PEGUS Information.
12.7.2. Maintain a list of all individuals authorized to access Information Systems Processing PEGUS Information that includes the unique user identification code and the level of information to which the individual has access.
12.7.3 The Processor may disable but shall not delete or reassign such user identification codes so long as a historical list of user identification code assignments is maintained for the life of the underlying Information System.
12.8. At yearly intervals, the Processor shall review those individuals that it has authorized to access Information Systems Processing PEGUS Information and verify whether the individual still requires access and the present access level.
12.9. Only the Information Security Officer, or other Processor staff duly authorized in the security document(s), shall be permitted to grant, alter or cancel authorized access to PEGUS Information.
12.10. Authorized users shall only be allowed to access Information Systems Processing PEGUS Information after completing authentication procedures. Authentication procedures for access to electronic PEGUS Information shall be based on a password, or other authentication method (such as biometrics, passphrases, PINs, etc.) associated with the user identification code but only known to the authorized user.
12.11. Passwords shall meet prevailing legal and/or industry standards for strength and complexity, and confidentiality.
12.11.1. Password strength and complexity shall include a length not less than 6 characters and numbers, with password composition allowing upper and lower-case letters, numbers or special characters.
12.11.2. Password must be changed by the user upon first access to the Information System and shall be changed at regular intervals appropriate to the information accessible via the systems to which they relate, and in accordance with Processor security documents, prevailing industry standards and with any legal requirements applicable to the Processor in the country in which the PEGUS Information is Processed.
12.11.3. Passwords shall be maintained in a location and/or format that do not compromise the security of the data they protect. Passwords will be rendered unreadable or unusable by unauthorized individuals, i.e., encrypted, when stored and transmitted electronically.
12.11.4. Access of a user identification code shall be blocked after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system. Prior to reactivation of access or replacement of lost/forgotten authentication credentials, user identity must be verified.
13. ACCESS RECORDS
Basic Level Requirements
13.1. An audit trail of access, or access logs, to Information System Processing PEGUS Information shall be maintained for a minimum period of one (1) year. At minimum, the audit trail shall be able to reasonably determine the files/databases accessed, user ID of the individual accessing the files/databases, the date, time and type (e.g. remote, local etc.) of access, and whether access was authorized or denied.
13.2. Access record mechanisms for producing the audit trail shall be under the direct control of the Information Security Officer, or other Processor staff duly authorized in the security document(s), and under no circumstances can they be de-activated or manipulated.
13.3 The Information Security Officer, or other Processor staff duly authorized in the security document(s), shall ensure that procedures are in place to detect suspicious and irregular access and requests for access to Information Systems (“Irregular Access”). Irregular Access shall be reviewed periodically and any action arising from that review shall be documented. Any Irregular Access issues affecting PEGUS Information or services shall be reported to PEGUS.
Enhanced Level Requirements
13.4. Audit trails of access to Information System housing PEGUS Information shall be retained for a minimum period of two (2) years, and shall include any Sensitive Personal Information categories accessed.
14. SOFTWARE AND VIRUS PROTECTION
Basic Level Requirements
14.1. Anti-virus software shall be installed on all Information Systems Processing PEGUS Information and updated on a regular basis, having regard to the state of the art and relevant industry best practice.
14.2. Processor shall follow a documented security patching policy, process, and schedule for the infrastructure and layered application products that includes the assessment of security vulnerabilities and deployment of updates or upgrades in accordance with industry best practice.
14.3. Only licensed copies of commercial software which comply with and do not compromise security standards shall be used.
14.4. The Processor shall notify PEGUS promptly (and in any event within 24 hours of becoming aware) of the actual or potential transmission of any identified computer virus by the Processor to PEGUS.
14.5. No newly acquired discs/media/programs/executables from whatever source shall be loaded on to Information Systems Processing PEGUS Information unless they have been previously vulnerability scanned and virus checked by a suitable vulnerability scanning and virus checking package.
14.6. Appropriate controls to prohibit the download and use of file sharing (e.g. peer- to-peer) and other software that can open security vulnerabilities to Information Systems shall be implemented by the Processor.
15. SECURITY INCIDENT RECORDING AND RESPONSE
Basic Level Requirements
15.1. The Processor shall have a documented procedure for identifying, reporting, responding to and managing Security Incidents that affect PEGUS Information or Information Systems Processing PEGUS Information.
15.2. Recovery of PEGUS Information or Information Systems Processing PEGUS Information following a Security Incident shall adhere to documented procedures.
Basic Level Requirements
16.1. The Processor shall carry out periodic audits to ensure the ability to comply with these Requirements.
Enhanced Level Requirements
16.2. Information Systems or non-automated means of (i.e. hardcopy filing systems) Processing PEGUS Information constituting Personal Information, Sensitive Personal Information, Financial Personal Information, or profiling or depicting the personality or behavior of one or more individuals, shall undergo an internal or external audit at least once every two (2) years to assess their compliance with these Requirements, and the findings delivered in the form of an audit report.
16.3. In addition to this bi-annual audit, extraordinary audits must be carried out whenever material changes to the Processing are introduced which may affect PEGUS Information or Information Systems Processing PEGUS Information. The carrying out of any such extraordinary audit will reset the period of two years until the following audit.
16.4. An audit report shall include: a compliance assessment; identify any shortcomings; propose corrective or supplementary measures; and include the information upon which the recommendations are based.
16.5. The Information Security Officer, or other Processor staff duly authorized in the security document(s), shall analyze the audit report and refer any conclusions to PEGUS and the Processor so that appropriate corrective steps can be taken.
16.6. PEGUS shall be permitted access to the audit report and it will be permitted to disclose it to relevant authorities with jurisdiction upon their request where legally required to do so.
MINIMUM REQUIREMENTS FOR TRUSTED CONNECTIONS
1. TRUSTED CONNECTION
In addition to the requirements set forth in Section 2, the following requirements must be met in order to be granted a Trusted Connection and would only apply if triggered by this type of connection. These requirements must continue to be met as long as the Trusted Connection remains in effect. PEGUS reserves the right to terminate the Trusted Connection if the Processor fails to meet the minimum requirements.
1.1. A Trusted Connection shall only be established with a specific Processor facility. A Trusted Connection established at one secured Processor facility is not transferable to other Contractor locations or facilities without subsequent approval.
1.2. Physical access to the secured Processor facility must be restricted to those individuals working for the Processor on PEGUS contracts supported by the Trusted Connection. Any other individuals requiring entry to the facility must be escorted at all times by one of the individuals described above.
1.3. The secured Processor facility shall provide an isolated network that connects directly to PEGUS and does not connect back to the Processor’s own internal network or any other network including the Internet. Internet access will be provided via the PEGUS Internet gateways.
1.4. End user computing devices used in the secured Processor facility shall be either PEGUS provided devices with a PEGUS Desktop Management Services (DMS) image or Processor provided devices with a PEGUS DMS image. Said devices will be managed and supported in accordance with PEGUS supplied processes.
1.5. The Contractor agrees to an initial site survey at the secured Processor facility and subsequent assessments conducted by PEGUS, which includes, but is not limited to, monitoring of the following:
1.5.1. Restricted physical and logical access to devices connecting to the PEGUS network;
1.5.2. Connectivity between secured Processor facility and other networks (including supplier network and the Internet) to ensure that there is no additional connectivity outside of the established Trusted Connection;
1.5.3. End user computing devices to ensure that all are either PEGUS machines with PEGUS DMS images or Processor machines with PEGUS DMS image, and that all devices will be managed and supported in accordance with PEGUS supplied processes.
1.6. The Processor agrees that PEGUS may employ Intrusion Prevention Systems (IPS) or other tools to monitor network traffic or the flow of sensitive intellectual property between the secured Processor facility and PEGUS, specifically to detect malicious traffic on the wire.