1.1. “Information” means non-public information received from GuidePoint, non-public information provided directly to Supplier by a GuidePoint customer or business partner, and non-public information generated for GuidePoint in connection with any agreement between GuidePoint and Supplier under which supplier provides products or services to GuidePoint or to others at GuidePoint’s request or direction, as well as any other information defined as “Confidential” under such agreement.
1.2. “Misuse” means the inappropriate or wrongful exercise of a right or privilege resulting in inappropriate access to Information (e.g., access knowingly obtained without prior appropriate approval), the unauthorized disclosure of Information to any party not previously agreed upon, or the malicious or otherwise improper execution of a function or operation resulting in the same or disruption to GuidePoint technologies and/or services.
1.3. “Encryption” means rendering Information unreadable using appropriately rigorous programmatic means.
1.3.1 Encryption at Rest means “information rendered unreadable using approved cryptographic methods wherever the information is stored (i.e., at rest)”.
1.3.2 Encryption in Transit means “information rendered unreadable when being transmitted between two points”.
1.4. “Strong Encryption” means cryptographic algorithms and associated key strengths approved for use in current Federal Information Processing Standards (FIPS).
1.5. “Privileged Accounts” are user accounts that permit Supplier personnel to perform administrative or elevated activities when interacting with Supplier systems, in particular those systems used to store, process, transmit, and/or access GuidePoint or GuidePoint customer Information.
1.6. “Personal Data” has the meaning defined by the European Union in its General Data Protection Regulation.
1.7. “Information Security Management Program” means the aggregate of the policy, personnel, technologies, and processes used to safeguard information for which protection is necessary to achieve an acceptable level of risk.
2.1. Supplier must have and maintain an Information Security Management Program that is developed, documented, approved, and implemented that includes administrative, technical, and physical safeguards to protect assets and data from loss, misuse, unauthorized access, disclosure, alteration, and destruction.
2.2. Supplier must define and allocate security roles and responsibilities.
2.3. At least annually, Supplier must perform a risk assessment based on industry good practice that identifies prospective risks to the following: services and products it provides to GuidePoint; GuidePoint Information it stores, processes, transmits, and/or accesses; and any GuidePoint customers, taking into consideration any products and/or services Supplier provides them. Supplier agrees to take appropriate steps to mitigate identified risks.
2.4. Information shared with the Supplier, whether from GuidePoint or a GuidePoint customer, must be used solely for the provision of agreed-upon services and in compliance with all applicable data security and privacy laws and requirements. Information shared with Supplier may not be sold to or shared with any other party without express written consent from GuidePoint or GuidePoint customer, as appropriate.
2.5. Supplier understands it may be necessary to accept, in writing, any reasonable supplemental considerations published by GuidePoint customers necessary to satisfy those customers’ expectations as they pertain to safeguarding their systems and data.
3.1. Supplier personnel must have background screenings at the expense of Supplier consistent and compliant with applicable sovereign law prior to beginning work and obtaining access to GuidePoint’s Information and/or networking environment or that of GuidePoint’s customer(s) to which Supplier may be providing products and/or services. Where permitted by law, Supplier personnel must have the following background checks: criminal, both local and national; credit history; work history; and education. Supplier shall provide GuidePoint with an attestation of background check obligation(s) upon written notice. Supplier shall satisfy this requirement prior to being granted access to GuidePoint and GuidePoint customer systems or data.
4.1. All Supplier personnel must receive security and awareness training at least annually that covers, at a minimum, an overview of current threats and expected user behaviors, to include how to handle sensitive data. Supplier shall provide documentation of compliance to GuidePoint upon written request.
4.2. Supplier personnel acting as a GuidePoint representative to, and performing services for, GuidePoint customers must complete required security training as part of onboarding and as otherwise directed.
4.3. Supplier personnel with access to GuidePoint or GuidePoint customer Information or systems must read and agree to abide by GuidePoint’s Acceptable Use Policy (AUP) at time of onboarding and annually thereafter. GuidePoint will provide its AUP as part of onboarding; customers are responsible for making their AUP available to resources supporting their projects.
5.1. Supplier must maintain an accurate and current asset register and maintain accountability of assets throughout their lifecycle up to and including secure disposal, to the extent any data resident on those systems is unrecoverable.
6.1. Supplier must have an Identity and Access Management program and technical capability that observes and satisfies the principles of: least user privilege; segregation of duties; role-based access consistent with Supplier personnel day-to-day responsibilities; and which uniquely identifies Supplier personnel’s actions when accessing GuidePoint or GuidePoint customer Information.
6.2. Supplier personnel access must be approved by an appropriate manager, and access rights for all personnel must be periodically reviewed for appropriateness at least annually. Accounts Supplier reasonably identifies as Privileged must be reviewed at least semi-annually.
6.3. Passwords and PINs must follow appropriately rigorous length, complexity and aging requirements that are consistent with industry good practice and resistant to brute force attacks.
6.4. Passwords and PINs must be protected with FIPS-compliant encryption wherever transmitted or stored.
6.5. Remote access to Supplier’s network must have a minimum of two factors of authentication.
6.6. All default and initial passwords must be changed prior to or in conjunction with first use such that they are unique and known only to one person.
7.1. Supplier must document and maintain a cryptographic policy or standard prescribing encryption use cases, encryption key strength, and key management.
7.2. Supplier must encrypt GuidePoint Information in transit and at rest using Strong Encryption.
8.1. Supplier must document and maintain a physical security policy and process governing the protection of facilities, work areas, and communications equipment to prevent unauthorized access to or misuse of GuidePoint and/or GuidePoint customer Information.
9.1. Supplier must document and maintain operational policies, standards, and responsibilities for implementing and managing required security controls to include, but not limited to: Change Management; Technical Vulnerability Management; secure configurations consistent with industry good practice; malware protection; event logging and monitoring; and Information backup, sanitization, and destruction capabilities consistent with NIST 800-88, Guidelines for Media Sanitization.
9.2. Supplier must scan for vulnerabilities in systems used to store, process, transmit, and/or access GuidePoint or GuidePoint customer Information monthly at a minimum. Supplier agrees to remediate identified vulnerabilities based on assessed criticality and within the following timeframes: Critical vulnerabilities within 15 days; High vulnerabilities within 30 days; Medium vulnerabilities within 60 days; and all others within a reasonable amount of time.
9.3. Supplier must regularly test backups to verify the availability and integrity of the Information contained therein.
10.1. Supplier’s networks hosting GuidePoint or GuidePoint customer Information, or which connect to those that do, must be configured to provide a defense-in-depth design. This includes but is not limited to: restricting network access to only authorized traffic using appropriate segmentation; using secure methods of communication that include strong encryption; strong encryption for data at rest; malware protection; and security event logging and monitoring.
10.2. Wireless access to the network must be secured and restricted to authorized personnel and endpoints where the wireless connection provides access into the Supplier’s network and services.
10.3. Supplier must use physical or logical segmentation between production and non-production environments, and will not store, process, and/or transmit GuidePoint or GuidePoint customer Information outside production environments.
10.4. Supplier will physically or logically segment GuidePoint and GuidePoint customer information from other customers’ information.
11.1. Supplier’s creation of any software for GuidePoint or GuidePoint customers, either directly or for the provision of services, must follow Open Web Application Security Project (OWASP) guidance for developing secure applications.
12.1. Annually, Supplier must undergo independent validation (i.e., audit) to verify the controls outlined in this Exhibit are in place and operating effectively. Supplier commits to remediation of gaps in a timely fashion and in compliance with regulatory and statutory obligations, as well as any explicit requirements noted by GuidePoint customers in those circumstances where Supplier is providing GuidePoint customers a service. Upon request, Supplier will provide GuidePoint with the results of audits and stipulates GuidePoint’s ability to share any audit report and associated artifacts with GuidePoint’s auditors, applicable customers to which Supplier has or will provide services, and also with prospective customers, at GuidePoint’s sole discretion. GuidePoint will otherwise treat the results as confidential and will not disclose them to any other third parties without Supplier’s written consent.
12.2. With GuidePoint’s prior written agreement, and in those cases where external audit for control validation has not previously been performed, Supplier may choose to complete a Security Questionnaire and perform a self-attestation. If the Supplier chooses to complete the Security Questionnaire, Supplier further agrees to complete an external audit within one year after submitting the Security Questionnaire, and to share the results of the external audit for control validation with GuidePoint, after which the terms above pertaining to audit results and associated artifacts apply.
13.1. Supplier must document and maintain both Disaster Recovery and Business Continuity plans that are tested at least annually. Supplier agrees to protect against disruption caused by Distributed Denial of Service (DDoS) attack.
14.1. If Supplier uses cloud environments in conjunction with GuidePoint data, whether self-hosted, hosted with a third party, or a hybrid on-/off-premises solution, Supplier must establish trust verification and service-to-service application API and information processing interoperability (e.g., SSO and federation).
14.2. Multi-tenant applications, infrastructure systems, and network components must be designed, developed, deployed, and configured such that Supplier and GuidePoint user access is appropriately segmented from other tenant users and data.
14.3. Access to all hypervisor management functions must be restricted based on least privilege and supported through technical controls including, but not limited to, multi-factor authentication, audit trails, IP address filtering, firewalls, and TLS-encapsulated communications to the administrative consoles.
15.1. Supplier must maintain an incident response capability to respond in a timely manner to events affecting the confidentiality, integrity, or availability of GuidePoint’s Information and/or network, any services Supplier provides to GuidePoint, and also any GuidePoint customers for which Supplier acts as a subcontractor.
15.2. Supplier shall notify GuidePoint within 48 hours of a confirmed compromise by emailing or calling the GuidePoint Chief Information Security Officer (CISO) or Vice President of IT at [email protected].
15.3. Supplier must document an incident response plan, and review and test it at least annually.
15.4. Supplier hosting services to which GuidePoint provisions access and which store, process, and/or transmit GuidePoint or GuidePoint customers’ information must provide a means of aggregating security-related events to a Security Information and Event Monitoring (SIEM) solution (e.g., Splunk).
15.5. Supplier agrees to provide reasonable support to GuidePoint and GuidePoint customers during any incident response effort, as necessary and appropriate based on Information stored, processed, transmitted, and/or accessed by Supplier.
16.1. Supplier’s third-party service providers with access to GuidePoint’s or GuidePoint’s customers’ Information and/or network must have provisions no less rigorous than those in this Exhibit cascaded to them contractually.
16.2. Supplier must ensure that all third-party suppliers comply with statutory, regulatory, and all compliance requirements based on the Information shared. Supplier must ensure that Information shared with a third party is used only for the delivery of services to GuidePoint and GuidePoint customers, as appropriate, and may not be sold or shared without the express written permission of GuidePoint or the GuidePoint customer from which the information originated.
17.1. Unless an alternative is agreed to in writing by GuidePoint, all Supplier personnel must be U.S.-based and performing their responsibilities within the U.S.
17.2. Unless agreed to in writing by GuidePoint, all GuidePoint information must remain within the U.S.
17.3. Unless agreed to in writing by GuidePoint customers, no GuidePoint customers’ information may be accessed by personnel outside the U.S., nor may any customers’ data be exported or transferred outside the U.S.
17.4. These requirements apply to any other third parties on which Supplier relies to provide services to GuidePoint and/or GuidePoint customers.
18.1. Supplier agrees to protect and handle any Personal Data in accordance with applicable statutory and regulatory requirements.
18.2. During the Term of the Agreement or individual engagement, and if applicable, in connection with any processing of personal data which it receives under the Agreement or individual engagement, each party shall (i) comply with all privacy or data protection laws applicable in the state, country, or countries where personal data is collected or held or otherwise processed (collectively, the “Data Protection Laws”), and (ii) implement industry accepted technical and organizational security procedures and measures to preserve the security and confidentiality of the personal data received under the Agreement or individual engagement.
18.3. Neither party shall take any action which a reasonable person would know may cause or otherwise result in a violation of the Data Protection Laws. Each party agrees to obtain all necessary consents under the Data Protection Laws and will not pass personal data to third parties without prior notification to the data subject. Each party shall defend and indemnify the other party from and against all claims, actions, liabilities, losses, damages, and expenses (including reasonable legal expenses) which arise, directly or indirectly, out of or in connection with the indemnifying party’s data processing activities under or in connection with the Agreement or individual engagement.
19.1. Unless otherwise noted in any Master Agreement, Supplier is expected to maintain a reasonable amount of cybersecurity insurance. In those cases where the terms of this Exhibit and the Master Agreement conflict, the Master Agreement prevails.