A. NLMATICS agrees to:
(1) Employ essential current industry practice security controls and tools to monitor its information processing systems and log key events such as user activities (including root or administrative access), exceptions, successful and unsuccessful logins, access to audit logs, unauthorized information processing activities, suspicious activities and information security events;
(2) Ensure that neither it nor any of its employees or contractors (“Workforce”) will place Confidential Information (which shall include “Personal Information” and “Customer Data”) on portable computing/storage devices which are not owned by NLMATICS;
(a) “Personal Information” has the meaning given by Applicable Law and includes any and all information or data (regardless of format and whether alone or in combination) that relates to an identified or identifiable individual; and is supplied to or Processed by or on behalf of NLMATICS in connection with the provision of the Services or otherwise for or on behalf of Customer;
(3) Ensure that data files containing Confidential Information are not saved on public or private computers while accessing corporate e-mail through the Internet;
(4) Secure all electronic Confidential Information in motion;
(5) Secure any Confidential Information at rest that is placed or stored on portable devices or mobile devices or media (including, without limitation, laptop computers, removable hard disks, USB or flash drives, personal digital assistants (PDAs) or mobile phones, DVDs, CDs or computer tapes);
(6) Secure all electronic Confidential Information at rest, including ensuring that all electronic Confidential Information held at rest shall be rendered unreadable by unauthorized parties using strong encryption technologies;
(7) Dispose of all Confidential Information in a Secure manner, including the permanent removal of all Confidential Information from such media or devices before making such electronic media or devices available for re-use;
(8) Make log events available for monitoring to Customer or a managed security service provider as designated by Customer;
(9) Regularly back up activity logs to a secure central location, protected against tampering and unauthorized access;
(10) Retain activity logs in accordance with regulatory requirements;
(11) Perform regular, routine log reviews and take necessary actions to protect against unauthorized access or misuse;
(12) Comply with all applicable regulatory requirements related to monitoring and logging activities;
(13) Ensure that the clocks of all relevant information processing systems will be synchronized using an authoritative national or international time source;
(14) Incorporate date and time stamp into log entries;
(15) Employ, monitor, and keep up to date intrusion detection systems and intrusion prevention systems to monitor all network traffic and alert personnel to suspected security events;
(16) Ensure that access to NLMATICS applications accessible over untrusted or open networks is controlled and restricted by a defined security perimeter;
(17) Apply appropriate security barriers, including entry controls, authentication controls, and malicious or hostile software detection, and restrict access to applications to authorized parties using authorized protocols;
(18) Obtain certification that its information security safeguards meet or exceed a defined industry information security standard and maintain its safeguards in compliance with such certification requirements and obligations;
(19) Provide to Customer, at Customer’s request, a list of its Workforce who have (or have had) access to the Protected Health Information and the work location of each such individual; and
(20) Submit to controls testing by Customer, or by a mutually agreed upon third party at the sole cost of NLMATICS, and provide evidence at least annually, demonstrating a process for threat & vulnerability management, including:
(a) Regularly scheduled internal and external system, application, and network vulnerability scans;
(b) Results of network and application layer penetration tests;
(c) Results of secure application source code scanning and analysis review; and
(d) NLMATICS agrees to remediate vulnerabilities to the reasonable satisfaction of Customer.
B. NLMATICS represents that neither it nor its agents or Subcontractors will transfer, access or otherwise handle Confidential Information outside the United States without the explicit prior written permission of Customer.
C. Before obtaining access to or receiving any Confidential Information from Customer, NLMATICS shall submit to a review of its security program through the Customer’s Vendor Assessment Program (“VAP”), which shall be carried out by Customer (or by an independent inspection company designated by Customer).
(a) Any NLMATICS representations made during the VAP or NLMATICS responses provided to questions as part of the VAP are hereby incorporated into the Master Services Agreement and NLMATICS shall be obligated to comply with and honor such representations as if they were part of the Agreement.
(b) NLMATICS shall reasonably co-operate with any review for the VAP.
(c) If the review under the VAP identifies material gaps or weaknesses in NLMATICS’s security program or its ability to Secure Confidential Information, Customer shall be entitled to suspend NLMATICS’s access to or use of Customer Confidential Information until such issues are resolved to the satisfaction of the Customer.
(d) During the term of this Addendum, Customer may periodically, but no more frequently than once every two years, request that NLMATICS complete a new VAP. If any subsequent annual review under the Customer VAP identifies any material gaps or weaknesses in NLMATICS’s security program or its ability to Secure Confidential Information, Customer shall be entitled to suspend NLMATICS’s access to or use of Customer Confidential Information until such issues are resolved to the satisfaction of the Customer.