that ensures confidentiality of all State Confidential Information. Vendor shall provide the State with access, subject to Vendor's reasonable security requirements, for purposes of inspecting and monitoring access and use of State Confidential Information and evaluating security control effectiveness. Upon the expiration or termination of this PO, Vendor shall return State Records provided to Vendor or destroy such State Records and certify to the State that it has done so, as directed by the State. If Vendor is prevented by law or regulation from returning or destroying State Confidential Information, Vendor warrants it will guarantee the confidentiality of, and cease to use, such State Confidential Information.

H. Incident Notice and Remediation. If Vendor becomes aware of any Incident, it shall notify the State immediately and cooperate with the State regarding recovery, remediation, and the necessity to involve law enforcement, as determined by the State. Unless Vendor can establish none of Vendor or any of its agents, employees, assigns, or subcontractors are the cause or source of the Incident, Vendor shall be responsible for the cost of notifying each person who may have been impacted by the Incident. After an Incident, Vendor shall take steps to reduce the risk of incurring a similar type of Incident in the future as directed by the State, which may include, but is not limited to, developing and implementing a remediation plan that is approved by the State at no additional cost to the State. The State may adjust or direct modifications to this plan, in its sole discretion, and Vendor shall make all modifications as directed by the State. If Vendor cannot produce its analysis and plan within the allotted time, the State, in its sole discretion, may perform such analysis and produce a remediation plan, and Vendor shall reimburse the State for the reasonable actual costs thereof.

I. Data Protection and Handling. Vendor shall ensure that all State Records and Work Product in the possession of Vendor or any subcontractors are protected and handled in accordance with the requirements of this PO at all times. Upon request by the State made any time prior to 60 days following the termination of this PO for any reason, whether or not this PO is expiring or terminating, Vendor shall make available to the State a complete and secure download file of all data that is encrypted and appropriately authenticated. This download file shall be made available to the State within 10 Business Days following the State's request, and shall contain, without limitation, all State Records, Work Product, and system schema and transformation definitions, or delimited text files with documents, detailed schema definitions, and attachments in its native format. Upon the termination of Vendor's services under this PO, Vendor shall, as directed by the State, return all State Records provided by the State to Vendor, and the copies thereof, to the State or destroy all such State Records and certify to the State that it has done so. If legal obligations imposed upon Vendor prevent Vendor from returning or destroying all or part of the State Records provided by the State, Vendor shall guarantee the confidentiality of all State Records in Vendor's possession and will not actively process such data. The State retains the right to use the established operational services to access and retrieve State Records stored on Vendor's infrastructure at its sole discretion and at any time.

J. Compliance with OIS Policies and Procedure. Vendor shall review, on a semi-annual basis, all Colorado Office of Information Security ("OIS") policies and procedures which OIS has promulgated pursuant to CRS §§ 24-37.5-401 through 406 and 8 CCR § 1501-5 and posted at https://oit.colorado.gov/standards-policies-guides/technical-standards-policies, to ensure compliance with the standards and guidelines published therein. Vendor shall cooperate, and shall cause its subcontractors to cooperate, with the performance of security audit and penetration tests by OIS or its designee.

K. Safeguarding PII. If Vendor or any of its subcontractors will or may receive PII under this PO, Vendor shall provide for the security of such PII, in a manner and form acceptable to the State, including, without limitation, all State requirements relating to non-disclosure, use of appropriate technology, security practices, computer access security, data access security, data storage encryption, data transmission encryption, security inspections, and audits. Vendor shall be a "Third-Party Service Provider" as defined in CRS §24-73-103(1)(i) and shall maintain security procedures and practices consistent with CRS §§24-73-101. In addition, as set forth in § 24-74-102, et seq., C.R.S., Contractor, including, but not limited to, Contractor's employees, agents and Subcontractors, agrees not to share any PII with any third parties for the purpose of investigating for, participating in, cooperating with, or assisting with Federal immigration enforcement. If Contractor is given direct access to any State databases containing PII, Contractor shall execute, on behalf of itself and its employees, the certification PII Individual Certification Form or PII Entity Certification Form [Download form from Hyperlink] on an annual basis, and Contractor's duty and obligation to certify shall continue as long as Contractor has direct access to any State databases containing PII. If Contractor uses any Subcontractors to perform services requiring direct access to State databases containing PII, the Contractor shall require such Subcontractors to execute and deliver the certification to the State on an annual basis, so long as the Subcontractor has access to State databases containing PII.

L. Software Piracy Prohibition. State or other public funds payable under this PO shall not be used for the acquisition, operation, or maintenance of computer software in violation of federal copyright laws or applicable licensing restrictions. Vendor hereby certifies and warrants that, during the term of this PO and any extensions, Vendor has and shall maintain in place appropriate systems and controls to prevent such improper use of public funds. If the State determines that Vendor is in violation of this provision, the State may exercise any remedy available at law or in equity or under this PO, including, without limitation, immediate termination of this PO and any remedy consistent with federal copyright laws or applicable licensing restrictions.

M. Information Technology. To the extent that Vendor provides physical or logical storage of State Records; Vendor creates, uses, processes, discloses, transmits, or disposes of State Records; or Vendor is otherwise given physical or logical access to State Records in order to perform Vendor's obligations under this PO, Vendor shall, and shall cause its subcontractors, to: (a) provide physical and logical protection for all hardware, software, applications, and data that meets

Page 7 of 8
Effective 7/1/2022