Information Security Requirements (DOCX - 27KB)
Each Proposal must include detailed information that clearly describes how Company will meet the following Information and Security requirements.
In fulfilling its obligations, Company may be granted temporary access to networks, systems, and/or data of the College and be entrusted with the security and confidentiality of the College’s systems, records, and information. When such access is granted, Company (and any subcontracted personnel and agents) are to adhere to the following requirements:
- Unauthorized use or access to the College’s system records and information is prohibited.
- Access granted under this request is only for fulfillment of obligations under this Agreement.
- Access will be only for the term of the Agreement. Thereafter, all accounts, passwords, and access associated with this Agreement will be revoked immediately.
- If system administrator rights are granted, they will apply only to the specific actions authorized. Performance of any unrelated and/or unauthorized actions may, at the College’s sole discretion, result in the immediate termination of access and termination of this Agreement.
- To maintain account and password security, disclosure of any account information and passwords is prohibited.
- Exhibiting or divulging the contents of any record or report to any person, or otherwise, is prohibited except in the performance of authorized duties and responsibilities.
- Using any information accessed under any given request for gender and/or ethnicity-based recruiting/selections, unauthorized fund raising, or other barred activities are prohibited.
- Personally benefiting or allowing others to benefit from any confidential information or other information gained by virtue of network or system access is prohibited.
- Directly or indirectly causing the inclusion of any false, inaccurate, or misleading entries into any records or reports is prohibited.
- Except as specifically authorized under this Agreement, no record or report or copy thereof, whether paper or electronic, may be removed from the office where it is maintained without written authorization from the College’s authorized personnel.
- All systems must be completely exited before leaving a computer or server unattended.
- Industry-accepted security standards for access, use, retention, and disposal of information must be maintained.
- Company will protect any accessed confidential information no less rigorously than it protects its own/customers’ confidential information.
- Company will hold confidential information in strict confidence and will access information only for the explicit business purposes outlined this Agreement.
- Company will ensure compliance with the protective conditions outlined in this Agreement.
- Company will return or securely destroy all confidential information upon expiration or termination of this Agreement.
- Company agrees and understands that violation of security precautions to protect confidential information may be a crime and subject to appropriate legal action and/or criminal prosecution.
- Company will notify the College immediately upon the termination of any individual involved in providing services so that account access, passwords, remote diagnostic access, or other forms of access can be revoked.
- Company will not aid, or act in conspiracy with, anyone to violate any of the requirements listed above.
- Company may (1) create, (2) receive from or on behalf of the College, or (3) have access to, records or record systems (collectively, "College Records·). Among other things, College Records may contain social security numbers, credit card numbers, or data protected or made confidential or sensitive by applicable federal, state and local, laws, regulations, and ordinances, including the Gramm Leach Bliley Act (Public Law No: 106-102), the Family Educational Rights and Privacy Act, 20 U.S.C. §1232g FERPA"), and the Health Insurance Portability and Accountability Act of 1996 ("HIPAA”). If COLLEGE Records are subject to FERPA, (1) College designates Company as a College official with a legitimate educational interest in College Records, and (2) Company acknowledges that its improper disclosure or re-disclosure of personally identifiable information from College Records will result in Company’s exclusion from eligibility to contract with the College for at least five (5) years. Company represents, warrants, and agrees that it will: (1) hold College Records in strict confidence and will not use or disclose College Records except as (a) permitted or required by a signed contract, (b) required by law, or (c) otherwise authorized by the College in writing; (2) safeguard College Records according to commercially reasonable, administrative, physical and technical standards such as standards established by (i) the National Institute of Standards and Technology and (ii) the Center for Internet Security, the Gramm-Leach Bliley Act, as well as the Payment Card Industry Data Security Standards that are no less rigorous than best practices in the data security industry; (3) continually monitor its operations and take any action necessary to assure that College Records are safeguarded and the confidentiality of College Records is maintained in accordance with all applicable federal, state and local, laws, regulations, and ordinances, including FERPA and the Gramm-Leach Bliley Act, and the terms of a signed contract; and (4) comply with the College’s rules, policies, and procedures regarding access to and use of College’s computer systems. Company represents, warrants and certifies that it complies with College’s Policies on lnformation Security, including, without limitation, the following Board Policies:
- At the request of the College, Company agrees to provide College with a written summary of the procedures the Company uses to safeguard and maintain the confidentiality of College Records.
- Company agrees to provide the College a copy of the Company’s Payment Card Industry – Data Security Standard (PCI-DSS) Attestation of Compliance and Statement of Scope.
- Company must provide insurance coverage for IT Professional and/or Cyber Liability. Coverage shall be sufficiently broad to respond to the duties and obligations undertaken in an agreement and shall include, but not limited to, claims involving infringement of intellectual property, information theft, damage to or destruction of electronic information, release of private information, alteration of electronic information, extortion and network security. The policy shall provide coverage for breach response costs as well as regulatory fines and penalties as well as credit monitoring expenses with limits sufficient to respond to these obligations.
- Notice of Impermissible Use. If an impermissible use or disclosure of any College Records occurs, Contractor will provide written notice to College within one (1) business day after Company’s discovery of that use or disclosure. Company will promptly provide College with all information requested by College regarding the impermissible use or disclosure.
- Return of College Records. Within thirty (30) days after the expiration or termination of a signed contract, Company will make commercially reasonable efforts, for College Records created or received from or on behalf of College, will be (1) returned to College, with no copies retained by Company; or (2) if return is not feasible, destroyed. Twenty (20) days before destruction of any College Records, Company will provide College with written notice of Company’s intent to destroy College Records. Within five (5) business days after destruction, Company will confirm to College in writing the destruction of College Records.
- Disclosure. If Company discloses any College Records to a permitted subcontractor or agent, Company will require the permitted subcontractor or agent to comply with the same restrictions and obligations as are imposed on Company by this Section.
- Press Releases. Except when defined as part of the Services, Company will not make any press releases, public statements, or advertisement referring to the Project or the engagement of Company as an independent contractor of College in connection with the Project, or release any information relative to the Project for publication, advertisement or any other purpose without the prior written approval of College.
- Public Information. College strictly adheres to all statutes, court decisions and the opinions of the Texas Attorney General with respect to disclosure of public information under the Texas Public Information Act ("TPIA"), Chapter 552, Texas Government Code. In accordance with Section 552.002 of TPIA and Section 2252.907, Texas Government Code, and at no additional charge to College, Company will make any information created or exchanged with College pursuant to a contract (and not otherwise exempt from disclosure under TPIA) available in a format reasonably requested by College that is accessible by the public.
- Cloud Service Provider. If Company provides cloud services to College, Company must comply with Texas Government Code 2054.0593 and provide College TX-RAMP certification before entering into contract with College. Company can refer wot the following site for TX-RAMP requirements:
Texas Risk and Authorization Management Program (TX-RAMP). Additionally, Company can view
TX-RAMP Webinar Overview for Vendors for more information.