Information Security Exhibit
This Information Security Exhibit sets forth Company’s obligations to provide for the confidentiality, security, and integrity of Sensitive Information, as defined herein, in connection with the Agreement. Company will adhere to the principles and requirements set forth in this Information Security Exhibit.
-
Definitions. For purposes of this Information Security Exhibit, all capitalized terms shall have the following meanings. Any capitalized terms not otherwise defined shall have the meanings set forth in the Agreement.
a. “Confidential Information” shall have the same meaning as defined in the Agreement except shall be limited to that which is provided by the Client to Company.
b. “Privacy Laws” means, collectively, all laws and regulations relating to data privacy, data security, personal data, transborder data flow, and data protection that apply to Company’s use and disclosure of Client Information, primarily the HIPAA Rules (collectively, “HIPAA Rules”).
c. “HIPAA Rules” means the Health Insurance Portability and Accountability Act of 1996 and regulations promulgated thereunder, as amended from time to time, (“HIPAA”) Title XIII, Subtitle D, of the American Recovery and Reinvestment Act of 2009 (P.L. 111-5), known as the Health Information Technology for Economic and Clinical Health Act, as amended (the “HITECH Act”), and the implementing regulations for HIPAA and the HITECH Act.
d. “Personally Identifiable Information” shall mean information that Company receives as part of the services provided under the Agreement that, when used alone or with other relevant data, can identify an individual.
e. “Protected Health Information” shall have the meaning set forth in § 164.501 of the HIPAA Rules and shall include Electronic Protected Health Information.
f. “Workforce Members” shall mean the employees, representatives, contractors, and consultants of Company (including those of Company’s affiliates) with access to Client Information.
g. “Security Incident” shall have the meaning set forth in § 164.304 of the HIPAA Rules. However, Security Incident does not include “trivial incidents” that occur on a daily basis and do not represent a material threat to the confidentiality, security, integrity, or availability of Client Information covered by this Security Exhibit (such as scans or pings of Company’s computers or computer networks).
h. “Sensitive Information” means any and all elements and field values containing Protected Health Information and Personally Identifiable Information related to the Participant Services and any Confidential Information. For clarity, “Sensitive Information” includes Participant Data and Personal Information.
i. “Subcontractor” means an entity, including a vendor or third party, that is engaged by Company to perform services for Company that involve the use and/or disclosure of Client Information.
-
Information Security Policies and Documentation
a. Company shall adopt, implement, and maintain a set of information security policies and procedures intended to prevent the unauthorized access, acquisition, destruction, modification, use, and/or disclosure of Sensitive Information (collectively, “Policies”).
b. Such Policies shall be approved by Company’s management and shall be published and communicated to Workforce Members and relevant external parties.
c. Company shall review these Policies at planned intervals, or if significant changes occur, to ensure their continuing suitability, adequacy, and effectiveness.
d. Company shall conduct, at a minimum, an annual security risk assessment that identifies, categorizes, and quantifies the security risks to Sensitive Information accessed, processed, and transmitted. Identified gaps shall be addressed through documented remediation plans that shall be made available to the Client upon request.
e. Company shall maintain documentation of its compliance with this Security Exhibit.
f. Company agrees not to alter or modify its Policies in such a way that will weaken or compromise the confidentiality, security, or integrity of Sensitive Information.
-
Organization of Information Security
a. Company shall appoint an individual who is either formally designated as a Security Officer and/or is responsible for Company’s security program, compliance with applicable Privacy Laws, and security requirements set forth herein.
-
Security Compliance Notification
a. Company shall provide prompt notification (via email to a contact provided by Client) should Company become materially non-compliant with this Security Exhibit during the duration of the Agreement. This notification will, at a minimum, include a summary of corrective actions to achieve compliance with each outstanding requirement.
-
Certification
a. Company shall obtain and/or maintain an information security certification, as described below, from a firm that specializes in enterprise information security assessment and certification. At least one certification must be maintained by Company for the entire duration of the Agreement. The following certification programs are acceptable for the purposes of this Security Exhibit:
i. a properly scoped annual SOC 2 Type 2 review that includes assessment of the entire IT infrastructure that supports the services provided by Company under the Agreement and related security policies and practices, or
ii. an ISO 27001 Certification from a nationally recognized accrediting body, or
iii. a HITRUST Certification from a nationally recognized accrediting body.
b. Company shall provide evidence of a SOC 2 Type 2, ISO 27001 Certification, or HITRUST Certification upon request.
-
Confidentiality
a. Company shall grant access to Sensitive Information only after determining and applying the appropriate “minimum necessary” access requirements.
b. Company shall review access to Sensitive Information to ensure access has only been granted to authorized Workforce Members:
i. at least once every twelve (12) months for Sensitive Information accessed, stored, or processed on Company systems, and
ii. at least quarterly for all Workforce Members that have been issued credentials to the Client information systems.
c. Under no circumstances shall user names or passwords associated with accounts that allow access to Sensitive Information be shared or transferred between Workforce Members.
-
Information Transfer
a. Company shall be obligated to keep records of all third parties, including Subcontractors, to which Company has transferred any Sensitive Information during that year, which records can be provided to Client upon request.
b. For all public network-based transfers of Sensitive Information Company will use encrypted transmission methods.
c. Company will not access Client’s computing systems and/or networks without Client’s authorization. If Client grants Company permission to access its computing systems and/or networks, Company will only access Client’s computing systems and/or networks as authorized.
-
Disposal and Lingering Information
a. Prior to disposal of Sensitive Information, Company shall utilize cryptographic erasure or any other industry-accepted sanitization process.
b. Company shall dispose of any hardware or media, including but not limited to tape drives, thumb drives, diskettes, CDs, DVDs, laptop drives, workstation drives, or server drives, storing Sensitive Information in accordance with industry leading practices.
-
Training and Disciplinary Measures
a. Workforce Members must complete security awareness training prior to accessing Sensitive Information and periodically (at least once every twelve (12) months) thereafter. Such training must:
i. include administrator and end user responsibilities related to the requirements herein, as well as administrative, technical, and physical information security controls, and
ii. be documented, including the names of those individuals who received the training and dates of completion.
b. Company shall also ensure that all Workforce Members comply with the security requirements set forth herein. Company will impose appropriate disciplinary measures for violations of the Policies by Workforce Members.
-
System Logging and Monitoring
a. For all systems accessing, storing, or processing Sensitive Information, Company shall develop logging and log monitoring policies and procedures, and conduct an ongoing log analysis. Activities that will be logged include, but are not limited to:
i. account management activities,
ii. system/server shutdown and reboot,
iii. system/server alerts and errors,
iv. application/system shutdown and reboot,
v. application errors and modifications,
vi. file changes (create, update, delete),
vii. security policy changes,
viii. configuration changes, modification to sensitive information,
ix. read access to sensitive information, and
x. printing of sensitive information.
b. Company shall also develop, implement, and adhere to a log retention policy requiring that system activity and user access logs be kept for a minimum of one year.
-
Intrusion Prevention and Detection
a. Company shall develop intrusion prevention and detection policies and procedures and implement an ongoing analysis process on all systems accessing, storing, or processing Sensitive Information.
b. Company shall maintain IDS or IPS functionality on all cloud assets that house Sensitive Information.
c. Company shall implement a WAF for any exposed web application environment.
-
Authentication and Password
a. Company shall develop, document, and adhere to an enterprise-wide authentication and password management program in accordance with NIST SP 800-63B.
b. Company shall implement MFA for all privileged access accounts, where applicable.
-
Access Management, Remote Access, and Data Storage
a. Access management controls shall be in place to ensure need-based access is granted to Sensitive Information, including:
i. The provisioning and maintenance of controls for onboarding, updating, and terminating Company’s access to Sensitive Information, and
ii. Periodic access reviews at least once every ninety (90) days.
b. In the case of remote access, traffic with the remote device must be encrypted and the remote user must utilize strong authentication as described in the Authentication and Password section of this Security Exhibit.
-
Infrastructure Architecture
a. Networks that contain Sensitive Information must be separated from public networks by a firewall designed to prevent unauthorized access from public networks.
-
Patch Management
a. Company shall develop, document, and adhere to a patch management process for all aspects of Company’s systems that have access to Sensitive Information. Pursuant to the process, Company shall:
i. apply critical security patches within thirty (30) days, and
ii. apply non-critical security patches on at least a quarterly basis.
-
Vulnerability Scanning and Penetration Testing
a. Company shall develop, document, and adhere to vulnerability scanning policies and procedures.
b. Company shall conduct vulnerability scans on at least a monthly basis for:
i. any system that stores and/or processes Sensitive Information, and
ii. container images.
c. Company shall annually engage a third party to conduct penetration testing against the environment leveraged by Company to provide the services under the Agreement.
-
Software
a. Company shall ensure that industry standard technical controls are deployed on end user devices to monitor, detect, and prevent common threats. Company shall also ensure administrative privileges will only be used on laptops on an as needed basis.
-
PC and Host Configuration Controls
a. Company shall implement session timeouts as follows:
i. electronic sessions on any device or hardware (e.g. laptops, workstations, tablets, smart phones, servers, etc.) that access, store, or process Sensitive Information shall lock the screen and/or console after at least fifteen (15) minutes of inactivity, and
ii. require the user to provide a valid logon (e.g., user ID and Password, biometrics, or similar credential) to re-authenticate and gain access to a locked device or hardware.
b. Company shall implement malware protection as follows:
i. all Company-issued devices and hardware used to provide services under the Agreement have current antivirus software protection installed, and
ii. antivirus software shall be updated through an automated process at least daily.
c. Company shall block the use of USB mass media devices except for Workforce Members that have a need to do so for their job functions.
-
Subcontractors
a. Where Company engages a Subcontractor for carrying out specific activities, Company shall impose on the Subcontractor similar, but no less restrictive, data protection obligations as set out herein between Client and Company. Alternatively, Company may require each Subcontractor to provide an annual attestation of SOC 2 Type 2, ISO 27001 Certification, or HITRUST Certification.
-
Encryption
a. Where encryption is necessary to secure Sensitive Information, Company will use encryption methods and technologies that comply with standards published by the National Institute of Standards and Technology (NIST).
b. Company will use only validated cryptographic modules, such as encryption and hashing algorithms that are approved by NIST, including AES-256 and SHA-256.
c. Company must ensure that Sensitive Information is encrypted not only when it is stored (at rest), but also when it is being transmitted over a public network (in transit).
d. Company must use secure key management practices, including generating, distributing, storing, and retiring encryption keys according to industry leading practices outlined by NIST.
-
Physical Security Plan
a. Company shall limit physical access to work areas and to systems that may access, contain, or process Sensitive Information to only those Workforce Members that have a business need for such access.
b. Company shall review and document all physical security controls at least annually or following office relocations or additions.
-
Security Incidents
a. Company shall maintain an incident prevention, detection, and response plan (“Incident Response Plan”) that is published and is made available to all Workforce Members. This Incident Response Plan will be reviewed and tested at least annually, and results of the review will be provided to Client upon request.
b. Company shall report any Security Incident that materially impacts the confidentiality, integrity, and/or availability of the Sensitive Information, incurred by Company, via email to a contact provided by the Client within three (3) business days of such Security Incident, or sooner if reasonably necessary or possible given the circumstances.
-
Business Continuity
a. Company shall develop, implement, and adhere to a business continuity/disaster recovery (“BC/DR”) plan, which covers all services performed for Client under the Agreement. In addition to the requirement that Company maintain a BC/DR plan, as part of the BC/DR plan Company shall also:
i. test the BC/DR plan on an annual basis. Upon request from Client, Company shall provide a summary of the results of those tests and any associated remediation plans.
ii. maintain backups, to occur regularly, for Company systems used to access, process, transmit, or store the Sensitive Information. Company shall have a formal backup/recovery strategy. Backups shall be stored in an environmentally protected and physically secure off-site facility.
iii. Company shall encrypt all Sensitive Information stored on backup media and the encryption key shall be stored separately from the backup media at all times.
-
Background Checks
a. Company shall conduct background checks on all Workforce Members prior to allowing such Workforce Members access to perform work for or on behalf of Client. As part of the background check, Company shall include a criminal history check.
b. Company will, on a monthly basis, check all Workforce Members against the OIG/GSA exclusion checklist.
c. Company will provide its Third Party Code of Conduct to all Subcontractors providing services on Company’s behalf and obtain an Attestation from those Subcontractors of their compliance with the Third Party Code of Conduct.
-
Right to Audit
a. Client retains a right to audit Company’s compliance with this Security Exhibit, with prior sixty (60) days’ written notice, no more than annually, and only during Company’s normal business hours. Such audit shall be conducted virtually (not on-site) and in compliance with Company’s security policies that are made known to Client. Such audit shall be limited to documentation related to Company’s information security controls outlined in this Security Exhibit and/or Company’s SOC 2 Type 2, ISO 27001 Certification, or HITRUST Certification status.
-
Order of Precedence
a. In the event of a conflict between this Security Exhibit and the Agreement, this Security Exhibit shall control with respect to its subject matter, unless the Agreement sets forth more stringent standards. With respect to this Security Exhibit and any Business Associate Agreement executed between the Client and Company, the terms of the Business Associate Agreement shall control.