any of its agents, employees, assigns, or subcontractors are the cause or source of the Incident, Vendor shall be responsible for the cost of notifying each person who may have been impacted by the Incident. After an Incident, Vendor shall take steps to reduce the risk of incurring a similar type of Incident in the future as directed by the State, which may include, but is not limited to, developing and implementing a remediation plan that is approved by the State at no additional cost to the State. The State may adjust or direct modifications to this plan, in its sole discretion, and Vendor shall make all modifications as directed by the State. If Vendor cannot produce its analysis and plan within the allotted time, the State, in its sole discretion, may perform such analysis and produce a remediation plan, and Vendor shall reimburse the State for the reasonable actual costs thereof.
I. Data Protection and Handling. Vendor shall ensure that all State Records and Work Product in the possession of Vendor or any subcontractors are protected and handled in accordance with the requirements of this PO at all times. Upon request by the State made any time prior to 60 days following the termination of this PO for any reason, whether or not this PO is expiring or terminating, Vendor shall make available to the State a complete and secure download file of all data that is encrypted and appropriately authenticated. This download file shall be made available to the State within 10 Business Days following the State's request, and shall contain, without limitation, all State Records, Work Product, and system schema and transformation definitions, or delimited text files with documents, detailed schema definitions, and attachments in its native format. Upon the termination of Vendor's services under this PO, Vendor shall, as directed by the State, return all State Records provided by the State to Vendor, and the copies thereof, to the State or destroy all such State Records and certify to the State that it has done so. If legal obligations imposed upon Vendor prevent Vendor from returning or destroying all or part of the State Records provided by the State, Vendor shall guarantee the confidentiality of all State Records in Vendor's possession and will not actively process such data. The State retains the right to use the established operational services to access and retrieve State Records stored on Vendor's infrastructure at its sole discretion and at any time.
J. Compliance with OIS Policies and Procedures. Vendor shall review, on a semi-annual basis, all Colorado Office of Information Security ("OIS") policies and procedures which OIS has promulgated pursuant to CRS §§ 24-37.5-401 through 406 and 8 CCR § 1501-5 and posted at https://oit.colorado.gov/standards-policies-guides/technical-standards-policies, to ensure compliance with the standards and guidelines published therein. Vendor shall cooperate, and shall cause its subcontractors to cooperate, with the performance of security audits and penetration tests by OIS or its designee.
K. Safeguarding PII. If Vendor or any of its subcontractors will or may receive PII under this PO, Vendor shall provide for the security of such PII, in a manner and form acceptable to the State, including, without limitation, all State requirements relating to non-disclosure, use of appropriate technology, security practices, computer access security, data access security, data storage encryption, data transmission encryption, security inspections, and audits. Vendor shall be a "Third-Party Service Provider" as defined in CRS §24-73-103(1)(i) and shall maintain security procedures and practices consistent with CRS §§24-73-101. In addition, as set forth in § 24-74-102, et seq., C.R.S., Contractor, including, but not limited to, Contractor's employees, agents and Subcontractors, agrees not to share any PII with any third parties for the purpose of investigating for, participating in, cooperating with, or assisting with Federal immigration enforcement. If Contractor is given direct access to any State databases containing PII, Contractor shall execute, on behalf of itself and its employees, the certification PII Individual Certification Form or PII Entity Certification Form [Download form from Hyperlink] on an annual basis, and Contractor's duty and obligation to certify shall continue as long as Contractor has direct access to any State databases containing PII. If Contractor uses any Subcontractors to perform services requiring direct access to State databases containing PII, the Contractor shall require such Subcontractors to execute and deliver the certification to the State on an annual basis, so long as the Subcontractor has access to State databases containing PII.
Page 9 of 10
Effective 7/1/2022