Security requirements

PERFANA shall, and shall ensure that all applicable PERFANA Personnel shall, implement and maintain:

  1. Risk Management policies, procedures and tools which evaluate organizational and administrative risks no less than annually, and system and technical risks no less than quarterly;
  2. Asset Management policies, procedures and tools which (a) identify all equipment and media used in the storage or processing of Customer Data; (b) assign responsibility for all equipment and media to one or more custodians; and (c) require regular reviews of the asset inventory for accuracy and to identify missing equipment and media;
  3. Access Control and Identity Management policies, procedures and tools in which (a) all data and system access rights are assigned to individuals according to their documented responsibilities and the principle of least privilege; (b) all user and administrator accounts are assigned to individuals and required to have strong passwords, password rotation, failed authentication locks, and session timeouts; and (c) issuance of privileged access accounts (e.g., administrator or root) requires management approval, and such accounts are held to strict security standards. All of these standards must be implemented before PERFANA Personnel have access to Customer Data;
  4. Awareness and Training policies, procedures, and tools which address (a) information security threats and best practices; (b) information security policies, procedures, and controls in place to protect Customer Data; and (c) each PERFANA Personnel’s roles and responsibilities in the protection of Customer Data;
  5. Contingency Planning policies, procedures, and tools which define roles and responsibilities and provide clear guidance and training on the proper handling of contingency events including: (a) natural threat events such as floods, tornadoes, earthquakes, hurricanes, and ice storms; (b) accidental threat events such as chemical spills and mechanical or electrical failures; and (c) intentional acts such as privacy and security breaches, bomb threats, assaults, and theft;
  6. System Maintenance policies, procedures, and tools, including controls related to: (a) structured vulnerability management, including: regular scanning, penetration testing, risk analysis, and timely patching; (b) change management, including documentation of the purpose, security impact analysis, testing plan and results, and authorization for all changes; (c) configuration management, including secure baseline configurations; and (d) monitoring to detect and generate alerts for unauthorized changes;
  7. System and Communications Protection policies, procedures, and tools to preserve the confidentiality, integrity, and availability of Customer Data, including: (a) physical controls that restrict and monitor access to systems that Process Customer Data; (b) technical and administrative controls that protect against malicious software (e.g., viruses, spyware, etc.); (c) technical and administrative controls that protect against malicious actors (e.g., social engineering, phishing, etc.); (d) strong encryption of data in transit across untrusted and public networks and, in the case of Highly Restricted Data, at rest in all locations where it is stored; (e) periodic encryption key rotation and management; (f) prohibition of Highly Restricted Data and Personal Data being Processed in non-production environments; (g) regular security control reviews and effectiveness testing; and (h) strong technical and administrative controls regarding remote access and mobile devices;
  8. Media Protection policies and procedures that implement controls to ensure that media containing Customer Data is securely handled, including (a) strong encryption of Customer Data on all mobile devices and removable storage; (b) requirement for secure sanitization and destruction methods for media that at any time held Customer Data; and (c) requirement that all media, including paper, containing unencrypted Customer Data be stored in a secure location; and
  9. Reporting policies, procedures, and tools which provide Customer with access to relevant documentation and reporting on the implementation, certification, effectiveness, and remediation, if necessary, of the Appropriate Safeguards in place.

PERFANA Personnel shall regularly, but in no event less than annually, evaluate, test and monitor the effectiveness of their Appropriate Safeguards and shall promptly adjust and/or update their Appropriate Safeguards as reasonably warranted by the results of such evaluation, testing, and monitoring.


© 2019-2024 Perfana | All rights reserved