Security, Compliance and Privacy
-
Objectives:
IHRDC-CIPDH shall implement data security measures that are consistent with industry best practices and standards such that IHRDC-CIPDH:
- Protects the privacy, confidentiality, integrity, and availability of all data which is disclosed by Employee to, or otherwise comes into the possession of, IHRDC-CIPDH, its affiliates or sub-contractors, directly or indirectly as a result of this Agreement (“Data” or “Employee Data”), including but not limited to Employee’s Confidential Information and any Employee personally identifiable information;
- Protects against accidental, unauthorized, unauthenticated, or unlawful access, copying, use, processing, disclosure, alteration, transfer, loss or destruction of the Employee Data including, but not limited to, identity theft;
- Complies with all federal, state, and local laws, rules, regulations, directives and decisions (each, to the extent having the force of law) that are relevant to the handling, processing, storing or use of Employee Data in accordance with this Agreement;
- Manages, controls and remediates any threats identified in the Risk Assessment findings that could result in unauthorized access, copying, use, processing, disclosure, alteration, transfer, loss or destruction of any of the Employee Data, including without limitation identity theft; and
- Complies with and implements the risk policies listed in this document, together with the data protection and confidentiality obligations of the Agreement.
-
Organization Security Measures:
- Environment: IHRDC-CIPDH shall provide assurance that it establishes the tone, discipline, and structure necessary to influence the control consciousness of its personnel and of the services provided in connection with this Agreement.
- Responsibility: IHRDC-CIPDH shall assign responsibility for information security management to appropriately skilled and senior personnel.
- Qualification of Employees: IHRDC-CIPDH shall implement and maintain appropriate security measures and procedures, including background checks following industry best practices, to restrict access to information systems used in connection with this Agreement, or to Employee Data, to only those personnel who are reliable, have sufficient technical expertise for the role assigned, and have personal integrity.
- Obligations of Employees: IHRDC-CIPDH shall implement and maintain appropriate security measures and procedures in order to verify that any personnel accessing the Employee Data or information systems used in connection with this Agreement knows his or her obligations and the consequences of any security breach, and has read and agrees to comply with all applicable Employee Information Security Policies and Standards.
- Segregation of Duties: IHRDC-CIPDH shall provide reasonable assurance that the organization of personnel provides adequate segregation of duties between incompatible functions.
-
Physical Security Measures:
- Physical Security and Access Control – IHRDC-CIPDH shall ensure that all systems hosting Employee’s Data and/or providing services on behalf of Employee are maintained consistent with industry best practices and standards in a physically secure environment that prevents unauthorized access, with access restrictions at physical locations containing Employee Data, such as buildings, computer facilities, and records storage facilities, designed and implemented to permit access only to authorized individuals and to detect any unauthorized access that may occur, including without limitation 24 x 7 security personnel at all relevant locations (“IHRDC-CIPDH Secure Area”).
- Physical Security for Media – IHRDC-CIPDH shall implement and maintain appropriate security measures and procedures consistent with industry best practices and standards to prevent the unauthorized viewing, copying, alteration or removal of any media containing Employee Data, wherever located.
- Media Destruction – IHRDC-CIPDH shall implement and maintain appropriate security measures and procedures consistent with industry best practices and standards to destroy removable media and any mobile device (such as discs, USB drives, DVDs, back-up tapes, laptops and PDAs) containing Employee Data where such media or mobile device is no longer used, or alternatively to render Employee Data on such removable media or mobile device unintelligible and not capable of reconstruction by any technical means before re-use of such removable media or mobile device is allowed.
-
Computer System Access Control Measures:
- Access Controls – IHRDC-CIPDH shall implement and maintain appropriate security measures and procedures consistent with industry best practices and standards to ensure logical separation, such that access to all systems hosting Employee Data and/or being used to provide services to Employee shall: be protected through the use of access control systems that uniquely identify each individual requiring access; be granted only to authorized individuals and on the principle of least privilege; prevent unauthorized persons from gaining access to Employee Data; appropriately limit and control the scope of access granted to any authorized person; and log all relevant access events. These security measures and procedures shall include, but shall not be limited to:
- Access Rights Policies – IHRDC-CIPDH shall implement appropriate policies and procedures regarding the granting of access rights to Employee Data in IHRDC-CIPDH’s possession or control, in order to ensure that only the personnel expressly authorized pursuant to the terms of the Agreement, or by Employee in writing, may create, modify or cancel the access rights of personnel. IHRDC-CIPDH shall maintain an accurate and up-to-date list of all personnel who have access to the Employee Data and shall have the facility to promptly disable access by any individual. For purposes of this Schedule, the term “personnel” as to Employee or IHRDC-CIPDH shall mean such Party’s employees, consultants, subcontractors or other agents.
-
Intrusion Detection/Prevention and Malware:
- IHRDC-CIPDH shall use appropriate security measures and procedures (i) to ensure that Employee Data in IHRDC-CIPDH’s possession and control, and/or systems being used to provide Services, is protected against the risk of intrusion and the effects of viruses, Trojan horses, worms, and other forms of malware, and (ii) to monitor and record each and every instance of access to IHRDC-CIPDH’s assets and information systems and to Employee Data, to detect the same, and to promptly respond to the same. If any malicious code is found to have been introduced by IHRDC-CIPDH or any third party into any of IHRDC-CIPDH’s information systems handling or holding Employee Data, IHRDC-CIPDH shall take appropriate measures to prevent any unauthorized access to or disclosure of any Employee Data and, in any case (wherever such code originated), IHRDC-CIPDH shall, at no additional charge to Employee, remove such malicious code and eliminate the effects of the malicious code. If such malicious code causes a loss of operational efficiency or loss of data, IHRDC-CIPDH shall monitor such losses and restore such lost data in accordance with the terms of the Agreement. Unless, and to the extent, prohibited by law enforcement authorities, IHRDC-CIPDH shall immediately notify Employee’s Chief Information Security Officer if it knows or reasonably suspects that there has been an actual instance of unauthorized access to the Employee Data and/or systems holding or handling Employee Data, and shall cooperate fully in assisting Employee as necessary to enable Employee to comply with its statutory and other legal breach notice requirements, if any.
-
Incident Response Measures:
- IHRDC-CIPDH shall implement and maintain appropriate incident response measures and procedures for systems that handle or hold Employee Data, including, but not limited to, measures and procedures to ensure that:
- Operational problems and security incidents are detected, reported, logged, and resolved in a timely manner.
- Processing is appropriately authorized and scheduled, and deviations from scheduled processing are detected, reported, logged, and resolved in a timely manner.
- System availability, performance and capacity are routinely monitored to help ensure potential issues are detected, reported, logged, and resolved in a timely manner.
- Networks are routinely monitored for availability and response times to help ensure potential issues are detected, reported, logged, and resolved in a timely manner.