Service Providers Information Security Requirements

At a minimum and as specified herein, Service Provider (which shall have the same meaning as ‘Supplier’) shall provide security for all data and communication systems in support of the Agreement or Procurement Document to which this Exhibit is attached (“Exhibit”).

Service Provider’s security efforts will include, without limitation:

Logical Access Controls:

Service Provider agrees to employ effective logical access control measures over all systems used to create, transmit, or process [24]7 Confidential Information, including but not limited to:

  • User authentication must use unique identifiers (“User IDs”) consistent with individual accountability; shared User IDs do not provide the level of accountability required by [24]7.
  • A complex password policy, including a prohibition on storing or transmitting credentials in clear text, must be enforced.
  • User access rights/privileges to information resources containing [24]7 Confidential Information must be granted on a need-to-know basis consistent with role-based authorization.
  • User access to [24]7 Confidential Information must be removed immediately upon user separation, or upon a role transfer that eliminates the valid business need for continued access.
  • Default passwords and security parameters must be changed in third-party products/applications used to support [24]7 Confidential Information.
  • Access to [24]7 resources must take place only from the [24]7 network, by a mutually agreed upon process signed off by [24]7 Security teams.

Network Security Architecture:

Service Provider agrees to employ effective network security control measures over all systems used to create, transmit, or process [24]7 Confidential Information including but not limited to:

  • Firewalls shall be operational at all times and shall be installed at the network perimeter between Service Provider’s internal (private) and public (Internet) networks.
  • Properly configured and monitored IDS/IPS (Intrusion Detection/Prevention Systems) must be used on Service Provider’s network.
  • Databases or any data domains storing [24]7 data must be logically or physically separated from the web server; where applicable, the database may not reside on the same host as the web server.
  • The database and other information systems used for the purposes of processing [24]7 Confidential Information must have only those services/processes and ports enabled to perform routine business. All other services/processes on the host must be disabled.
  • All information systems, repositories, etc. used for [24]7 by Service Provider, or its business partners, must be physically located in a controlled data center environment used for the purpose of protecting information systems. 
  • Secure channels (e.g., TLS/SSL, SFTP, SSH, IPsec, etc.) must be used at all times for administering devices.

Physical Access Controls:

Service Provider agrees to maintain servers, databases, and other hardware and/or software components that store information related to [24]7’s business activities in an access-controlled and consistently monitored Data Center secured by appropriate alarm systems. The facility storing [24]7 data must follow best practices for infrastructure systems, including fire suppression, temperature control and employee safety.

Risk Assessment/Audit

At no additional cost, Service Provider agrees to provide responses to a risk assessment questionnaire (if provided by [24]7) and to participate in vulnerability scans of its network and/or application (upon notification).

  • Service Provider agrees to perform regular security vulnerability assessments and shall, as applicable to [24]7, allow [24]7 to review the results of a current security assessment by an accredited third party (e.g., penetration test results for internet-facing devices, SSAE 16 Type II reports, ISO 27001 certification, or any other relevant reports, etc.), as well as action plans describing how Service Provider will address all identified security vulnerabilities affecting systems used to store, process or otherwise access [24]7 Confidential Information.
  • To the extent applicable, Service Provider agrees to maintain appropriate PCI certifications of its data security controls.
  • Service Provider will permit [24]7 or its designee to conduct audits of [24]7’s data maintained or stored by the Service Provider at a pre-determined frequency and with prior notification of at least 15 business days.

Security Policy:

Service Provider agrees to maintain and enforce security policies consistent with security best practices and all applicable regulatory and legal security and privacy requirements, including but not limited to the Information Technology (Amendment) Act, 2008 of India, the Gramm-Leach-Bliley Act (GLBA), or other applicable laws communicated by [24]7 from time to time. Upon request, Service Provider shall provide [24]7 with a copy of its current security policy and standards as well as its security architecture. Service Provider shall comply with [24]7’s Privacy Policy with respect to any [24]7 employee personal information it receives.

Training and Awareness:

Service Provider agrees to provide necessary training to ensure security awareness in Service Provider personnel that are directly or indirectly engaged in handling [24]7 Information and systems, onsite or remotely.

Protection of [24]7 Confidential Information:

In addition to what may be described in the Agreement or Procurement Document to which this Exhibit is attached, where applicable, Service Provider agrees to protect [24]7 Confidential Information as it would its own. For purposes of clarity, [24]7 Confidential Information may include, but is not limited to, the following:

  • Credit Card numbers
  • Credit Card Validation Codes
  • Personal Identification (PIN) numbers 
  • Loyalty Card Numbers with or without any associated PIN or Access Code
  • Checking Account number (alone or in combination with checking account routing information)
  • Employee Number
  • Bank Account number (alone or in combination with routing information)
  • Driver's License Number or  State-issued Identification Card Number
  • Customer or Employee Names, in whole or in part
  • Customer or Employee Postal Address
  • Customer or Employee email address
  • Date of Birth  
  • Social Security Numbers
  • Health Insurance Card or Policy Identification Number
  • Medical or Health Information
  • Personal Telephone Number (when used with a customer/employee name or address)

Additionally, Service Provider agrees to adhere to the following controls surrounding the use and protection of [24]7 Confidential Information:

  • [24]7 Confidential Information must be encrypted with a minimum key size of 256 bits for symmetric encryption and 2048 bits for asymmetric encryption (e.g., AES-256 and RSA-2048). 
  • Clear-text protocols (FTP, Telnet, etc.) may not be used to access or transfer [24]7 Confidential Information. [24]7 Confidential Information must be encrypted when stored on portable media, which by way of example shall include USB sticks, portable hard drives, laptops and DVDs/CDs, and when transmitted over wireless networks or across public networks. 
  • [24]7 Confidential Information may not be copied, sold or used for solicitation purposes by the Service Provider or its business partners.  [24]7 Confidential Information may only be used in conjunction with and within the scope of the Procurement Document or the Agreement to which this Exhibit is attached.
  • [24]7 Confidential Information (data) must be segregated from other Service Provider customers, systems, or applications unrelated to [24]7.  Appropriate data security controls must be used over data at rest, including, access controls and encryption.
  • Where applicable, Payment Card information must be masked on display rendering in a manner consistent with the Payment Card Industry Data Security Standard (PCI-DSS), the Fair and Accurate Credit Transaction Act (FACTA) and all other applicable laws and regulations.
  • Service Provider must disclose where [24]7 data will be stored and processed. Storage and processing of [24]7 Confidential Information shall take place within the agreed Geographies. If Service Provider intends to move data from the mutually agreed Geographies to other Geographies, Service Provider will obtain explicit consent from [24]7 prior to doing so, and at no extra cost to [24]7 will provide [24]7 with Safe Harbor or similar certifications where applicable. 
  • During the contract period, [24]7 may require Service Provider not to move or store data in a specific Geography where [24]7 is required to do so by a specific law or regulatory requirement to which it must adhere.

System Monitoring:

Service Provider agrees to regularly audit and monitor information systems processing [24]7’s business activities to ensure the protection of [24]7’s information. Monitoring includes, but is not limited to, potential breaches or hacking activity and access to devices. Service Provider must have defined processes for security alerting, escalation and remediation that are consistent with the Services procured pursuant to the Agreement. Service Provider must ensure that event logs containing [24]7 data are not provided to other subscribers. If Service Provider uses virtual machines, it must ensure there is granular monitoring of traffic crossing the virtual machine backplanes.

Vulnerability Management Controls:

Service Provider agrees to employ effective vulnerability management control measures over all of its systems used to create, transmit, or process [24]7 Confidential Information, including; but, not limited to:

  • Deploy and keep up to date commercially available anti-virus, anti-spam and anti-malware software on all information system components, including personal computers, laptops and interconnecting networks, where applicable, used for the purpose of managing [24]7 Confidential Information. Additionally, scan regularly for infections and update signature files frequently.
  • Maintain a standard patch management process and practice to ensure the protection of any devices used to access, process or store [24]7 Confidential Information. Service Provider agrees to provide [24]7 a summary of its patch management program upon request.
  • Regularly audit and monitor systems to ensure the protection of [24]7 Confidential Information.
  • Any security breach that involves [24]7 Confidential Information must be reported to [24]7 in accordance with the Notice provision of the Agreement without unreasonable delay. Service Provider shall immediately perform a root cause analysis and provide detailed information about the measures taken by the Service Provider to prevent future breaches. All efforts to rectify or resolve the situation must include subsequent and regular notification for the reported incident.
  • Service Provider agrees to provide full cooperation with [24]7 in the event of a data breach involving [24]7 Confidential Information, including, but not limited to, server log information showing network and application traffic.
  • Vulnerabilities discovered by [24]7’s or Service Provider’s security scanning tools must be resolved according to the schedule outlined below (the severity level of a vulnerability will be determined by [24]7):
    • P1 vulnerabilities: A successful exploit of this vulnerability may result in catastrophic and significant physical or property damage or loss, or in a catastrophic and significant loss of revenue or productivity (e.g., Denial of Service attack, exploit ‘kits’ exist, buffer overflows, hijacking, or source code exposure, etc.). Such a vulnerability must be resolved before a site launch, or within 8 hours of discovery if the application is currently publicly available. 
    • P2 vulnerabilities: A successful exploit of this vulnerability may result in moderate physical or property damage, or in a moderate loss of revenue or productivity to the organization (e.g., weak encryption, or a possible phishing opportunity, etc.). Such a vulnerability must be resolved within 3 days of site launch, or within 4 hours of discovery if the application is currently publicly available. 
    • P3 vulnerabilities: A successful exploit of this vulnerability may result in minor physical or property damage, or in a minor loss of revenue or productivity to the organization (e.g., FTP use or a missing service pack, etc.). Such a vulnerability must be resolved within 15 days of a site launch, or within 8 hours of discovery if the application is currently publicly available.

Data Destruction:

Service Provider shall ensure that any residual magnetic, optical, or electrical representation of [24]7 Confidential Information that has been deleted cannot be retrieved or reconstructed when storage media is transferred, becomes obsolete, or is no longer usable or required by [24]7.

  • Service Provider data retention and destruction must comply with applicable laws or regulations.
  • [24]7 information stored on Service Provider media (e.g., hard drives, optical discs, digital media, tapes, paper, etc.) must be rendered unreadable or unrecoverable in accordance with the NIST Guidelines for Media Sanitization (Special Publication 800-88) prior to the media being recycled, disposed of, or moved off-site.

Application Service Provider:

This section applies to the Service Providers that provide application software hosted at [24]7 or offsite at the Service Provider facility. Service Provider agrees to adhere to the following controls surrounding application development:

  1. Service Provider must provide supporting documentation that commonly accepted web application security guidelines and frameworks are used for developing Internet-facing applications (e.g. Open Web Application Security Project [OWASP], SANS).
  2. Service Provider must provide a data flow diagram that demonstrates all security controls in place.
  3. Service Provider must demonstrate how Internet-facing applications are tested for security vulnerabilities and remediated prior to the source code being promoted to production.
  4. Service Provider shall allow [24]7 to review the results of penetration testing and/or application source code reviews conducted by 3rd parties, when requested or allow a third party to perform the same.
  5. Service Provider must provide supporting documentation describing how fraud is detected and prevented when requested by [24]7.
  6. Service Provider agrees to allow [24]7 to review within the requested timeframe, and to demonstrate full cooperation with [24]7, pertaining to all inquiries deemed necessary by [24]7 to determine the risk of any third-party systems and procedures related to and affecting [24]7. This includes, but is not limited to, inquiries pertaining to s, server logs sanitized of sensitive information but showing application traffic, operating systems, applications, databases, network configuration, data encryption algorithms being utilized, fraud detection and prevention controls, physical inspection of facilities, incident response procedures, and disaster recovery measures.
  7. Where possible Service Provider agrees to allow relevant sites dedicated to [24]7 to be monitored by [24]7 or a third-party for availability and performance.

Personnel Roles and Responsibilities:

Service Provider agrees to identify in writing the person who will be responsible for overall security of the application development, management, and update process throughout the Contract period. The person identified shall be a single technical resource serving as project Security Lead. The Security Lead shall confirm in writing the security of each deliverable. The Security Lead shall confirm to [24]7 in writing that the software meets the security requirements, all security activities have been performed, and all identified security issues have been documented and resolved. Any exceptions to the confirmation status must be fully documented with the delivery.

Pre-Screening or Background verification:

Prior to the engagement of any Personnel of Service Provider in providing Services, Service Provider will provide [24]7 with notice setting forth the name, relevant qualifications and proposed duties of such Personnel. Following receipt of such notice by [24]7, if Service Provider has not already done so as part of its standard screening and hiring processes, Service Provider will, as a condition of engagement of such Personnel in providing the Services (including Personnel engaged by Service Provider to replace Personnel that have ceased to perform as Service Provider Personnel for any reason), and to the extent permitted by Applicable Law, comply with the minimum requirements for the recruitment and screening of Service Provider Personnel set forth below and referred to as the Background Checks Criteria.

Background Checks Criteria

The background verification checks of [24]7 shall cover the most recent five years or the period back to the applicant’s 18th birthday, whichever comes first, starting from the date of application and/or proposed access to Sensitive information or systems.

Criminal records check

A criminal records check shall be conducted at the police station found to have jurisdiction over the residence(s) identified in item three, “Residential verification”. As permitted by Law and where possible, the criminal check will be conducted to ensure that no personnel have been convicted of any criminal offense involving dishonesty, a breach of trust, or money laundering, or have entered into a pre-trial diversion or similar program in connection with a prosecution for such an offense. Crimes of dishonesty or breach of trust that would disqualify an individual from having access to confidential/restricted information or access to computer networks include but are not limited to the following (the background check should include any crimes that are substantially similar to those listed below, as different jurisdictions can sometimes use different names for similar crimes):

  • Bribery
  • Burglary
  • Check kiting
  • Corruption
  • Counterfeiting
  • Drug trafficking/illegal sale, manufacture or distribution
  • Embezzlement
  • Falsification or falsifying documentation, evidence or an oath
  • Forgery
  • Fraud
  • Impersonation
  • Misapplication/misappropriation of funds
  • Money laundering
  • Perjury
  • Possession or receipt of stolen property
  • Robbery
  • Shoplifting
  • Theft or larceny
  • Treason

The following is a list of other crimes that, due to their seriousness, disqualify a person from having unsupervised access to [24]7 secured facilities. The background check should include any crimes that are substantially similar to those listed below, as different jurisdictions can sometimes use different names for similar crimes:

  • Abduction
  • Aggravated assault/battery
  • Assault (felony)
  • Assault with intent to commit a felony
  • Burglary
  • Indecent assault
  • Kidnapping
  • Manslaughter
  • Mayhem/dismemberment
  • Murder/attempted murder
  • Possession of illegal weapons
  • Rape/attempted rape
  • Child abduction (not in a domestic relationship)
  • Child molestation 
  • Fraud 
  • Hate crimes 
  • Hostage taking 
  • Robbery 
  • Sex crimes 
  • Sexual/carnal abuse of children
  • Stalking
  • Terrorism/terrorist threats
  • Theft or larceny
  • Weapons use
  1. Gap verification — The Supplier shall ensure that no unexplained gaps between education and employment experiences are present for any applicant having access to Sensitive information, systems or sites. In the event a gap is identified, the Supplier shall:
    • Conduct additional police check verification(s) in the jurisdiction(s) in which the gap(s) were found to have occurred.
    • Ensure all information collected relevant to the gap(s) is clearly documented and maintained in such a manner as to establish that the applicant has not been convicted of one or more of the disqualifying offenses listed in this document.
    • For the purposes of this document, a “Gap” is defined as a period of three (3) or more continuous calendar months.
  2. Previous Employment verification — Shall be conducted via phone or in person; a review of the applicant’s prior employment release form(s) alone is not acceptable verification.
  3. Residential verification — The applicant’s last residence shall be verified physically, provided the applicant has resided there for at least a 6-month period. If the period of residence is less than 6 months, all residential addresses going back 6 months shall be checked.
  4. Educational verification — Graduation degree(s), diploma(s), and certificate(s) shall be validated via phone or in person, verifying the applicant’s educational qualifications; a review of the document alone is not acceptable verification.
    • [24]7 assumes the applicant was actively engaged in collegiate activities for three continuous years, working back from the date of graduation listed on the graduation degree(s), diploma(s) and certificate(s). Therefore, validation of the enrollment schedule is not required, provided information to the contrary is not identified.
  5. Passport verification — if available.

    Access to Sensitive Data — The Supplier may grant the applicant access to Sensitive information and systems upon the completion and written submission of the applicant’s Police Records Check, Employment, Residential and Education verification request(s) to its selected screening service provider. The Supplier shall comply with the following stipulations surrounding this exception:

    • The request(s) shall be dated and maintained in the applicant’s employee file for review by Information Security Teams.
    • In the event any information is received as a result of the aforementioned checks that places the applicant out of compliance with this requirement, the Supplier shall immediately remove the applicant’s access to Sensitive information and systems and notify the Information Security team of [24]7.
    • If the police records check, employment, residential and education verifications have not been received in their entirety within eight weeks of the date of submission or of hire, whichever is sooner:
      • The applicant’s access to any Sensitive information and systems shall immediately be removed until all the results are received and reflect compliance with the background check requirements of this document, unless a formal exception is provided by the Information Security Team.