Information Security Exhibit
Exhibit C
INFORMATION AND PHYSICAL SECURITY TERMS AND CONDITIONS
- Risk Management and Information Security Policy
a. Vendor shall develop, implement and maintain a comprehensive written security program that includes administrative, technical and physical safeguards that are appropriate to the nature and scope of its activities performed for C&W and the sensitivity of C&W’s “Confidential Information” as defined in the Master Agreement. Such safeguards shall be reasonably designed to:
i. Ensure the security and confidentiality of the Confidential Information;
ii. Protect against any anticipated threats or hazards to the security or integrity of such information; and
iii. Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to C&W or any of its subsidiaries, business partners, employees or customers.
b. Develop, document and maintain a comprehensive written security policy based on industry-accepted standards and practices, and approved by appropriate management or governance committee. Communicate security policy to all Vendor personnel. Such security policy should include, at a minimum,
i. awareness, education and/or training to ensure that employees know and understand their individual security responsibilities and how to accomplish them, as well as any consequences for employee violations of their responsibilities;
ii. procedures to identify and interpret the security implications of relevant laws and regulations and appropriate procedures to modify Vendor’s security program as necessary;
iii. procedures and controls to authenticate and limit access to Confidential Information, whether in electronic or physical form, to authorized individuals and to immediately discontinue access by terminated or otherwise former employees;
iv. procedures and controls for the secure handling, transfer, destruction and disposal of Confidential Information, whether in electronic or physical form;
v. procedures and controls to protect against destruction, loss or damage of Confidential Information due to human error, potential environmental hazards such as fire and water damage, or technological failures; and
vi. procedures and controls for detecting, preventing and responding to attacks, intrusions or other systems failures, including actions to be taken in the event of suspected or detected unauthorized access to Confidential Information.
c. Identify reasonably foreseeable internal and external risks to the confidentiality, integrity and availability of Confidential Information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information, and design and implement safeguards to control these risks including, but not limited to:
i. restricting access to Confidential Information to those Vendor personnel who have a business need to access it in order to provide services under the Agreement; and
ii. implementing secure user authentication protocols and secure access control measures.
d. Vendor’s information security policies, procedures, and protocols shall be reviewed annually or whenever there is a material change in business practices that may affect the security or integrity of C&W’s information.
e. Vendor shall ensure that disciplinary measures are in place for violations of Vendor’s information security policies.
f. Monitor, on a regular basis, the overall state of security within its organization and reputable sources of computer security vulnerability information such as FIRST, CERT/CC, and vendor mailing lists. Take appropriate measures to obtain, thoroughly test, and apply relevant service packs, patches, and upgrades to the software and hardware components providing the services anticipated by this agreement.
- Information Security Organization
a. Appoint one Vendor employee, accountable for the Vendor’s Information Security Program, to respond to C&W's commercially reasonable inquiries regarding computer and information security, and designate one or more employees to coordinate its security program across the Vendor organization.
b. Vendor shall have a designated individual in the position of Information Security Officer (ISO) responsible to maintain and supervise the Vendor’s information security policies, procedures, and protocols.
- Human Resources Security
a. Vendor shall ensure that appropriate background checks are performed on all employees or contractors who have access to C&W’s Confidential Information in accordance with the terms of the Master Agreement.
b. Provide Security Awareness training to all employees which covers, at a minimum, appropriate use of technology, protection of data, and external threats (malware, phishing, social engineering). In addition, Information Technology staff shall be trained on secure development processes and systems management.
- Asset Management
a. Vendor must establish a formal process to manage secure disposal and reuse of media, computing assets, and office equipment to minimize the risk of unintended or unauthorized disclosure of C&W’s Confidential Information. Such program must include the following components:
i. All of C&W’s Confidential Information in any format, media, paper, devices and office equipment must be physically destroyed (e.g., incineration or shredding) or securely overwritten using techniques to make the original information non-retrievable rather than using the standard delete or format function.
ii. Damaged devices containing C&W’s Confidential Information may require a risk assessment to determine whether the items should be physically destroyed rather than sent for repair or discarded.
iii. When Vendor disposes of media, computing assets or office equipment, all data, information or software must be physically removed (wiped) or completely destroyed and rendered unreadable. The removal or destruction must follow ISO approved methods including Department of Defense overwrite standard, shredding of media or degaussing of media. All steps of the media, computing assets and office equipment disposal must be recorded and retained for reporting to the ISO.
iv. Two Vendor employees must witness onsite sanitization (wiping) or destruction activities of any media, computing assets and office equipment and attest to the specific media’s, computing asset’s or office equipment’s disposal via approved methods.
v. For any offsite sanitizing or destruction, the contracted vendor must supply a certificate(s) of destruction that clearly identifies each individual media disposed of and the method of disposal. This certificate must be retained by Vendor’s Information Technology Department for inventory purposes and a copy must be sent to the ISO.
vi. Any media, computing asset, or office equipment that will be reused by external or internal resources must be properly sanitized to ensure data, information or software has been physically removed prior to being sent offsite or reassigned by Vendor.
vii. Any media, computer asset, or office equipment being sent back to a vendor for credit or repair must be sanitized prior to leaving Vendor premises.
viii. All activities relating to reuse of media, computing assets and office equipment must be tracked, approved and reported to the ISO regardless of whether the reuse is for reassignment within Vendor, returns to vendors or donations to charities.
- Access Control
a. A login account (login credentials), consisting of a login ID and one or more authentication factors shall be required to access any C&W confidential information or any vendor network services. Login Accounts must meet the following minimum requirements:
i. Each user shall have a unique user account assigned.
ii. All access is approved by appropriate managers.
iii. All privileged users (Admins, DBAs, developers) will use a separate user account for privileged user work except where a generic account is the only possible option.
b. Generic accounts must be deleted where possible and an individual account should be created as its equivalent. If not, the account should only be accessible by a limited number of system admins, in which case the password should be changed immediately and managed by a password locker for access management.
c. Restrict access for each system used to deliver goods and/or services under the Master Agreement to personnel with a job related need to access the system. Account creation and access granting should comply with the principle of least privilege, where individual access is limited and aligns to job responsibilities. All access provisioning, de-provisioning, and modifications shall be requested, approved, and granted, through a trackable method.
d. Remove physical and electronic access for terminated employees or sub-contractors within 24 hours. For C&W employees with access to vendor systems, terminate access within 24 hours of being notified by C&W.
e. Perform a quarterly management review of all user accounts and related privileges to validate a continued business need for access to C&W information.
f. Maintain strong passwords that conform to Good Industry Practices.
- Cryptography
a. Vendor must use commercially available cryptographic algorithms and all deployed encryption solutions must follow commercially reasonable practices in key management.
b. Encryption keys must be protected against disclosure and misuse.
- Physical and Environmental
a. Maintain all workstations, servers, and network equipment used to provide goods and/or services under the Master Agreement in secure facilities owned, operated, or contracted for by Vendor and ensure information systems hosting C&W Confidential Information are protected in a secure area protected by appropriate physical security barriers and access restrictions.
b. Limit access to these secure facilities to authorized Vendor staff members with job-related needs.
c. Monitor access to these secure facilities through the use of security guards, surveillance cameras, authorized entry systems, or similar methods capable of recording entry and exit information.
- Operational Security
a. Ensure all infrastructure platforms, authentication mechanisms, and services (operating systems, web servers, database servers, etc.) used to provide goods and/or services under this Agreement are configured and utilized according to Good Industry Practice.
b. When database storage is required, store all C&W information classified “confidential” or above in a logically or physically separate database (i.e., a database that is not shared with other Vendor customers).
c. All C&W information classified “confidential” or above must be encrypted at rest, including when stored on mobile devices.
d. In the event that: (a) Vendor provides software to C&W and provides maintenance services for such software via an electronic connectivity mechanism; (b) Vendor provides applications processing or services with connectivity from C&W; or (c) C&W data is present on Vendor’s systems, then in any and all such events Vendor shall:
i. Permit only authenticated and authorized users to view, create, modify, or delete information managed by applications used in connection with providing goods and/or services under this Agreement.
ii. Ensure that web browser cookies, temporary files, and other client-side files that store confidential data are encrypted using a public and widely accepted encryption algorithm. This encryption will be performed independently of any transport encryption such as Secure Sockets Layer. All other cookies must be opaque.
iii. “Time out” and terminate system communication sessions after a mutually agreed upon period of user inactivity.
iv. Terminate any active sessions interrupted by power failure, system “crash,” network/connectivity problem, or other anomaly.
v. Validate all input and output prior to use to avoid data-driven attacks such as “cross-site scripting” and “SQL injection.”
e. Vendor will implement controls to prevent the introduction of malicious software and viruses into the systems used to process C&W information, including at a minimum:
i. Use the latest, commercially available virus and malicious code detection and protection product(s) on all workstations and servers used to provide goods and/or services under this Agreement.
ii. Such products shall (a) be updated at least once per year, (b) have their security definitions updated on a daily basis, and (c) be configured in a manner that causes automatic, on-access scanning of the default file types as specified by the antivirus vendor to be active, and periodic scanning of system files.
iii. Anti-virus scanning shall not be disabled under any circumstances.
iv. Report all occurrences of viruses and malicious code, not handled by deployed detection and protection measures, on any workstation or server used to provide goods and/or services under this Agreement, to C&W as soon as commercially feasible after discovery.
f. Maintain, for the term of the Master Agreement (or such longer period as may be required by law or contract), detailed log files concerning all activity on Vendor's systems including, without limitation:
i. All sessions established
ii. Information related to the reception of specific information from a user or another system
iii. Failed user authentication attempts
iv. Unauthorized attempts to access resources (software, data, processes, etc.)
v. Administrator actions
vi. Events generated (e.g., commands issued) to make changes in security profiles, permission levels, application security configurations, and/or system resources.
g. Vendor must protect all log files against modification, deletion, or unauthorized access. Vendor must provide C&W access to C&W-related logs upon request.
- Communications Security
a. Deploy multiple layers of defense from multiple suppliers on Vendor systems including, but not limited to firewalls, network intrusion detection and protection, and host-based intrusion detection systems. All security monitoring systems including, but not limited to, firewalls and intrusion detection systems must be monitored twenty-four (24) hours per day, three hundred sixty-five (365) days per year.
b. Configure its firewalls, network routers, switches, load balancers, name servers, mail servers, and other network components in accordance with Good Industry Practices.
c. Deploy firewalls, filtering routers, or other similar network segmentation devices between networks providing services anticipated by this agreement and other Vendor networks to control network traffic and minimize exposure to a network compromise.
d. Access to all networking devices shall be limited to authorized administrators and all changes to the configurations shall be logged.
e. Ensure that all remote administrative access to production systems is performed over encrypted connections (i.e., SSH, SCP, SSL-enabled web-management interfaces, and VPN solutions) and utilizes strong authentication mechanisms.
f. All systems must transmit and store C&W information using a mutually agreed upon encryption algorithm and cryptosystem.
g. If Vendor employs a wireless network in its corporate office location, Vendor shall utilize: wireless encryption protocols; and rogue access point detection and remediation.
- System Acquisition, Development, and Maintenance
a. Maintain separate and distinct development, test and staging, and production databases to ensure that production information is not altered or destroyed.
b. Production data may not be used for testing purposes without the approval of the Information Security Officer (ISO) of the C&W business unit supplying the data. In such cases, where production data must be used to complete development testing, such data must be sanitized to the satisfaction of the C&W ISO.
- Suppliers
a. Oversee its service providers, by: (a) taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for Confidential Information; (b) requiring its service providers by contract to implement and maintain such safeguards; and (c) where indicated by a risk assessment, monitor its service providers to confirm that they have satisfied their obligations to protect Confidential Information.
b. Vendor shall ensure that it has written contracts in place with consultants, vendors or subcontractors that have access to C&W’s Confidential Information, which establish satisfactory security and confidentiality obligations consistent with the requirements under the Master Agreement.
- Incident Management
a. Vendor shall maintain procedures to identify and respond to suspected or known security incidents and mitigate the harmful effects of known security incidents and document incidents, in accordance with the requirements in the Master Agreement.
b. Vendor shall immediately, but in no event more than 24 hours later, report to C&W in writing, and if required by law or regulation to any other party, any breach or suspected breach of security of the environment(s) used to provide services under the Agreement following discovery or notification of such breach if the security, confidentiality or integrity of any C&W data or C&W Confidential Information was, or is reasonably believed to have been, compromised. Vendor shall, at no additional cost to C&W, cooperate with C&W to comply with laws and regulations relating to unauthorized use or disclosure of Personal Information and mitigate the losses that may be suffered as a result thereof, including, but not limited to making appropriate notifications, or providing, as approved and directed by C&W, ongoing credit or other monitoring that may be required as a result of a security breach.
c. If an incident takes place that involves the systems, employees or software used to provide goods and/or services to C&W (but not C&W data or Confidential Information, as set forth in Section B(2) above), Vendor will notify C&W as soon as commercially feasible and provide C&W, within five (5) days of the closure of the incident, with a written report describing the incident, actions taken during the response, and plans for future actions to prevent a similar incident from occurring in the future.
- Business Continuity and Disaster Recovery
a. Vendor must maintain a comprehensive and current:
i. Business continuity plan (“BCP”) that documents and implements processes and procedures to ensure essential business functions continue to operate during and after a disaster.
ii. Disaster recovery plan (“DRP”) that documents technical plans for specific restoration of information assets used to provide goods and/or services to C&W.
b. Maintain backups of C&W information following an agreed backup schedule, not less than full weekly backups with daily incremental backups. Backups must be stored offsite from the primary datacenter/systems in secure, environmentally-controlled storage areas owned, operated, or contracted for by Vendor.
c. If C&W information is corrupted or lost as a result of any failure by the Vendor, C&W may require the Vendor, at its own expense, to restore or recreate the lost information, or reimburse C&W for resources used to recreate the information.
d. All C&W backup media shall be encrypted with prevailing industry standard algorithms or as otherwise required by law.
e. Limit access to backup and archival media storage areas and contents to authorized Vendor staff members with job-related needs.
f. Securely transport all backup and archival media containing C&W information, or other information used to provide goods and/or services under this Agreement.
- Compliance
a. Test, on at least an annual basis, the implementation of its information security measures through the use of network, system, and application vulnerability scanning tools and/or penetration testing; notwithstanding any “force majeure” provisions of the Master Agreement, test documented plans for responding to a disaster, emergency situation or other unforeseen circumstances, including processes and procedures for resuming business operations and the provision of services under the terms of the Agreement; and evaluate, adjust and upgrade its security program in light of the results of the foregoing monitoring, any material changes to its operations or business arrangements, or any other circumstances that it knows or has reason to know may have a material impact on its security program.
b. Permit C&W to perform, at the expense of C&W, one security assessment per year, including but not limited to, review of Vendor policies, processes, and procedures, interviews with key information security personnel, on-site assessment of physical security arrangements, network, system, and application vulnerability scanning, and penetration testing. In the event material deficiencies are found or a security incident has occurred, C&W may perform a subsequent security assessment to confirm compliance with the security requirements herein.
- Vendor Security Compliance Management
Vendor agrees to sign up for the C&W managed Vendor Risk Management tool and create its “Supplier Profile” to attest that it has implemented and will maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk and to protect the Confidential and Personal Data of C&W and its clients that Vendor processes for C&W.
In order to ensure consistent security of C&W Data, Vendor and C&W adhere to the following:
a. Vendor agrees to sign up for the C&W managed Vendor Risk Management tool and promptly complete its “Supplier Profile” within 30 days of a received invite from C&W’s Information Security Risk Services.
b. C&W agrees to provide reasonable support and documentation on the know-how for the Vendor to complete its “Supplier Profile” in the Vendor Risk Management tool.
c. Vendor shall promptly adjust and/or update the “Supplier profile” in the C&W managed Vendor Risk Management Tool for C&W to evaluate and monitor the effectiveness of the Vendor’s technical and organizational measures.
d. C&W agrees to provide written notice 14 business days in advance when a Vendor assessment is due, to allow time for the Vendor to promptly review and/or update its “Supplier Profile”.
e. Vendor agrees to promptly adjust and/or update the “Supplier Profile” at least once a year even in case a yearly assessment is not performed by C&W.
f. Vendor, at its own expense, shall promptly take the necessary measures to remedy any deficiency identified from the assessment and ensure remediation of deficiencies within the agreed timelines.