its obligations under this Purchase Order using procedures as determined by the State. The State shall monitor Vendor's performance in a manner that does not unduly interfere with Vendor's performance of the work. Vendor shall promptly submit to the State a copy of any final audit report of an audit performed on Vendor's records that relates to or affects this Purchase Order or the work, whether the audit is conducted by Vendor or a third party.
E. Information Confidentiality. Vendor shall keep confidential, and cause all subcontractors to keep confidential, all State Records, unless those State Records are publicly available. Vendor shall not, without prior written approval of the State, use, publish, copy, disclose to any third party, or permit the use by any third party of any State Records, except as otherwise stated in this PO, permitted by law, or approved in writing by the State. Vendor shall provide for the security of all State Confidential Information in accordance with all applicable laws, rules, policies, publications, and guidelines. If Vendor or any of its subcontractors will or may have access to any State Confidential Information or any other protected information, Vendor shall comply with all Colorado Office of Information Security (OIS) policies and procedures which OIS has issued pursuant to CRS §§24-37.5-401 through 406, and 8 CCR §1501-5 and posted at http://oit.state.co.us/ois, all information security and privacy obligations imposed by any federal, state, or local statute or regulation, or by any industry standards or guidelines, as applicable based on the classification of the data relevant to Vendor's performance under this PO. Such obligations may arise from HIPAA; IRS Publication 1075; Payment Card Industry Data Security Standard (PCI-DSS); Federal Bureau of Investigation Criminal Justice Information Service Security Addendum; Centers for Medicare & Medicaid Services (CMS) Minimum Acceptable Risk Standards for Exchanges; and Electronic Information Exchange Security Requirements and Procedures for State and Local Agencies Exchanging Electronic Information With The Social Security Administration. Vendor shall immediately forward any request or demand for State Records to the State's purchase agent.
F. Other Entity Access and Nondisclosure Agreements. Vendor may provide State Records to its agents, employees, assigns and subcontractors as necessary to perform the work, but shall restrict access to State Confidential Information to those agents, employees, assigns, and subcontractors who require access to perform their obligations under this PO. Vendor shall ensure all such agents, employees, assigns, and subcontractors sign agreements containing nondisclosure provisions at least as protective as those in this PO, and that the nondisclosure provisions are in force at all times the agent, employee, assign or subcontractor has access to any State Confidential Information. Vendor shall provide copies of those signed nondisclosure provisions to the State upon execution of the nondisclosure provisions if requested by the State.
G. Use, Security, and Retention. Vendor shall use, hold, and maintain State Confidential Information in compliance with all applicable laws and regulations only in facilities located within the United States, and shall maintain a secure environment that ensures confidentiality of all State Confidential Information. Vendor shall provide the State with access, subject to Vendor's reasonable security requirements, for purposes of inspecting and monitoring access and use of State Confidential Information and evaluating security control effectiveness. Upon the expiration or termination of this PO, Vendor shall return State Records provided to Vendor or destroy such State Records and certify to the State that it has done so, as directed by the State. If Vendor is prevented by law or regulation from returning or destroying State Confidential Information, Vendor warrants it will guarantee the confidentiality of, and cease to use, such State Confidential Information.
H. Incident Notice and Remediation. If Vendor becomes aware of any Incident, it shall notify the State immediately and cooperate with the State regarding recovery, remediation, and the necessity to involve law enforcement, as determined by the State. Unless Vendor can establish none of Vendor or any of its agents, employees, assigns, or subcontractors are the cause or source of the Incident, Vendor shall be responsible for the cost of notifying each person who may have been impacted by the Incident. After an Incident, Vendor shall take steps to reduce the risk of incurring a similar type of Incident in the future as directed by the State, which may include, but is not limited to, developing and implementing a remediation plan that is approved by the State at no additional cost to the State. The State may adjust or direct modifications to this plan, in its sole discretion, and Vendor shall make all modifications as directed by the State. If Vendor cannot produce its analysis and plan within the allotted time, the State, in its sole discretion, may perform such analysis and produce a remediation plan, and Vendor shall reimburse the State for the reasonable actual costs thereof.
I. Data Protection and Handling. Vendor shall ensure that all State Records and Work Product in the possession of Vendor or any subcontractors are protected and handled in accordance with the requirements of this PO at all times. Upon request by the State made anytime prior to 60 days following the termination of this PO for any reason, whether or not this PO is expiring or terminating, Vendor shall make available to the State a complete and secure download file of all data that is encrypted and appropriately authenticated. This download file shall be made available to the State within 10 Business Days following the State's request, and shall contain, without limitation, all State Records, Work Product, and system schema and transformation definitions, or delimited text files with documents, detailed schema definitions, and attachments in its native format. Upon the termination of Vendor's services under this PO, Vendor shall, as directed by the State, return all State Records provided by the State to Vendor, and the copies thereof, to the State or destroy all such State Records and certify to the State that it has done so. If legal obligations imposed upon Vendor prevent Vendor from returning or destroying all or part of the State Records provided by the State, Vendor shall guarantee the confidentiality of all State Records in Vendor's possession and will not actively process such data. The State retains the right to use the established operational services to access and retrieve State Records stored on Vendor's infrastructure at its sole discretion and at any time.
J. Compliance with OIS Policies and Procedure. Vendor shall review, on a semi-annual basis, all Colorado Office of Information Security ("OIS") policies and procedures which OIS has promulgated pursuant to CRS §§24-37.5-401 through 406 and 8 CCR §1501-5 and posted at http://oit.state.co.us/ois, to ensure compliance with the standards and guidelines published therein. Vendor shall cooperate, and shall cause its subcontractors to cooperate, with the performance of security audit and penetration tests by OIS or its designee.
K. Safeguarding PII. If Vendor or any of its subcontractors will or may receive PII under this PO, Vendor shall provide for the security of such PII, in a manner and form acceptable to the State, including, without limitation, all State requirements relating to non-disclosure, use of appropriate technology, security practices, computer access security, data access security, data storage encryption, data transmission encryption, security inspections, and audits. Vendor shall be a "Third-Party Service Provider" as defined in CRS §24-73-103(1)(i) and shall maintain security procedures and practices consistent with CRS §§24-73-101.
L. Software Piracy Prohibition. State or other public funds payable under this PO shall not be used for the acquisition, operation, or maintenance of computer software in violation of federal copyright laws or applicable licensing restrictions. Vendor hereby certifies and warrants that, during the term of this PO and any extensions, Vendor has and shall maintain in place appropriate systems and controls to prevent such improper use of public funds. If the State determines that Vendor is in violation of this provision, the State may exercise any remedy available at law or in equity or under this PO, including, without limitation, immediate termination of this PO and any remedy consistent with federal copyright laws or applicable licensing restrictions.
M. Information Technology. To the extent that Vendor provides physical or logical storage of State Records; Vendor creates, uses, processes, discloses, transmits, or disposes of State Records; or Vendor is otherwise given physical or logical access to State Records in order to perform Vendor's obligations under this PO, Vendor shall, and shall cause its subcontractors, to: (a) provide physical and logical protection for all hardware, software, applications, and data that meets or exceeds industry standards and the requirements of this PO; (b) maintain network, system, and application security, which includes, but is not limited to, network firewalls, intrusion detection (host and network), annual security testing, and improvements or enhancements consistent with evolving industry standards; (c) comply with State and federal rules and regulations related to overall security, privacy, confidentiality, integrity, availability, and auditing; (d) provide that security is not compromised by unauthorized access to workspaces, computers, networks, software, databases, or other physical or electronic environments; (e) promptly report all Incidents, including Incidents that do not result in unauthorized disclosure or loss of data integrity, to a designated representative of the OIS; and (f) comply with all rules, policies, procedures, and standards issued by the Governor's Office of Information Technology (OIT), including project lifecycle methodology and governance, technical standards, documentation, and other requirements posted at www.oit.state.co.us/about/policies. Vendor shall not allow remote access to State Records from outside the United States, including
Page 5 of 6
Effective 7/1/2019