INFORMATION SECURITY REQUIREMENTS

1.     Scope

Subject to the terms and conditions of the Agreement, all Services performed by Market Logic under this Agreement shall comply with the requirements set forth herein, as applicable in the context of the Services.

This annex sets out the security requirements for the IT environments, facilities, equipment and personnel used by Market Logic to store and/or process Subscriber Data in relation to the Services. This annex and the requirements set forth herein are in addition to, and not in lieu of, other requirements incorporated into the Agreement. Notwithstanding any security requirements agreed between Subscriber and Market Logic, any proprietary data of Third Party Service Providers shall be solely subject to separate security and confidentiality obligations between Market Logic and the respective provider.

Before processing Subscriber Data under this Agreement, Market Logic and its subcontractors shall bring into effect and maintain throughout the term of this Agreement the technical and organisational measures set out hereunder in order to meet the requirements of this Agreement, to secure at all times the confidentiality and integrity of the Subscriber Data, to prevent unauthorised or unlawful processing of Data, and to protect against accidental or unlawful destruction, damage, accidental loss, alteration or unauthorised disclosure or access.

The technical and organisational measures are subject to technical progress and development. In that regard, Market Logic and its Subcontractors are allowed to implement adequate alternative measures, provided, however, that the security level shall not be undercut at any time.

Significant changes to the technical and organisational measures as set out hereunder will be documented and notified to Subscriber prior to their implementation.

2.     Certification

Market Logic warrants that the third-party Data Centre it utilizes to provide the Services is ISO 27001 and SOC 2 certified.

3.     Logical Security

3.1.   General

The logical security processes in this Section 3 apply to all systems used to provide the Services on which Subscriber Data is accessed, processed, stored, transferred or maintained.

3.2.  Systems Access Control and Network Access Control

3.2.1.   Access Controls. Market Logic warrants that it employs access control mechanisms that:

a.   prevent unauthorized access to Subscriber Data;
b.   limit access to Market Logic personnel with a business need to know;
c.   follow the principle of least privilege, allowing access only to the information and resources that are necessary under the terms of the Agreement; and
d.   have the capability of detecting, logging, and reporting access to the system or network or attempts to breach security of the system or network.

3.2.2.   Authentication: All Market Logic personnel must have an individual account that authenticates that individual’s access to Subscriber Data. Market Logic will not allow sharing of accounts. Access controls and passwords must be configured in accordance with industry standards and best practices. Passwords must (i) be at least eight characters long, (ii) not contain the user’s account name or more than two consecutive characters of the user’s full name, and (iii) contain characters from three of the following categories: uppercase letters, lowercase letters, numbers, symbols.
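As an added illustration that is not part of the annex, the checker below encodes the three password rules of Section 3.2.2 as written; the function and constant names, the sample users and the reading of rule (ii) as "no run of three or more consecutive characters from any word of the full name" are this example's assumptions, as is the use of ASCII punctuation for the "symbols" category.

```python
"""Added example: a policy checker for the password rules in Section 3.2.2.
The rules are the annex's; helper names and sample values are constructed."""
import string

MIN_LENGTH = 8           # rule (i)
MAX_NAME_RUN = 2         # rule (ii): no run of more than two consecutive full-name characters
REQUIRED_CATEGORIES = 3  # rule (iii): three of upper / lower / digit / symbol


def _name_runs(full_name: str, length: int):
    """Yield every lower-cased substring of the given length from each word
    of the full name (assumption: runs do not span word boundaries)."""
    for token in full_name.lower().split():
        for i in range(len(token) - length + 1):
            yield token[i:i + length]


def check_password(password: str, account_name: str, full_name: str) -> list:
    """Return the Section 3.2.2 rules the password violates (empty list = compliant)."""
    violations = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        violations.append("(i) shorter than 8 characters")
    if account_name and account_name.lower() in lowered:
        violations.append("(ii) contains the account name")
    # Rule (ii), second part: any run of MAX_NAME_RUN + 1 consecutive name characters
    if any(run in lowered for run in _name_runs(full_name, MAX_NAME_RUN + 1)):
        violations.append("(ii) contains more than two consecutive characters of the full name")
    # Rule (iii): count the character categories present (symbols = ASCII punctuation here)
    categories = sum([
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ])
    if categories < REQUIRED_CATEGORIES:
        violations.append(f"(iii) only {categories} of 4 character categories")
    return violations


if __name__ == "__main__":
    # Constructed sample user: account "jsmith", full name "John Smith"
    for candidate in ("Tr0ub4dor&3", "password", "Smith2024!", "Ab1!"):
        print(candidate, "->", check_password(candidate, "jsmith", "John Smith") or "compliant")
```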

3.2.3.   Regular Review of Access Controls: Market Logic will maintain a process to review access controls on a minimum annual basis for all Market Logic systems that contain Subscriber Data, including any system that, via any form of communication interface, can connect to the system on which Subscriber Data is stored. These access processes and the process to establish and delete individual accounts will be documented in, and will be in compliance with, Market Logic’s security policies and procedures.

3.2.4.   Revocation of Access: Market Logic will revoke its Personnel’s access to physical locations, systems, and applications that contain or process Subscriber Data within a reasonable time of the cessation of such Market Logic Personnel’s need to access the system(s) or application(s).

3.3.   Telecommunication and Network Security

3.3.1.   Firewalls: Market Logic will deploy reasonably appropriate firewall technology. Traffic between Subscriber and Market Logic will be protected and authenticated by industry standard cryptographic technologies.

3.3.2.   Intrusion Detection and Prevention: Market Logic will deploy intrusion detection or preferably prevention systems (NIDS/NIPS) in order to generate, monitor, and respond to alerts which could indicate potential compromise of the network and/or host.

3.3.3.   Log Management: Market Logic shall ensure that all systems, including firewalls, routers, network switches and operating systems, log information to their respective system log facility or to a centralized log server for a minimum period of three (3) months.

3.3.4.   Network Segmentation: Market Logic shall establish and maintain appropriate network segmentation, including the use of virtual local area networks (VLANs) where appropriate, to restrict network access to systems storing Subscriber Data.

3.3.5.   Wireless Security: If Market Logic deploys a wireless network, Market Logic will configure and maintain the use, configuration and management of wireless networks to meet the following:

a.   Physical Access – All wireless devices shall be protected using appropriate physical controls to minimize the risk of theft, unauthorized use, or damage;
b.   Network Access – Network access to wireless networks should be restricted only to those authorized;
c.   Access points shall be segmented from the internal, wired LAN;
d.   The service set identifier (SSID), administrator user ID, password and encryption keys shall be changed from their default values;
e.   Encryption of all wireless connections will be enabled using Industry Standard Encryption Algorithms (i.e., WPA2/WPA with 802.1X authentication and AES encryption). WEP should never be used;
f.   If supported, auditing features on wireless devices shall be enabled and the resulting logs shall be reviewed periodically by designated staff or by a wireless intrusion prevention system. Logs should be retained for ninety (90) days or longer; and
g.   SNMP shall be disabled if not required for network management purposes. If SNMP is required for network management purposes, SNMP will be read-only with appropriate access controls that prohibit wireless devices from requesting and retrieving information, and all default community strings will be changed.

3.3.6.   Rogue Access Point Detection: Market Logic will maintain a program to detect rogue access points to ensure that only authorized wireless access points are in place.

4.   Malicious Code Protection

4.1.   All workstations and servers will run the current version of industry standard anti-virus software with the most recent updates available on each workstation or server. Market Logic will configure this equipment and have supporting policies to prohibit users from disabling anti-virus software, altering security configurations, or disabling other protective measures put in place to ensure the safety of the computing environment.

4.2.   Market Logic will have current anti-virus software configured to run real-time scanning of machines and a full system scan on a regularly scheduled interval.

4.3.   Market Logic will scan incoming and outgoing content for malicious code on all gateways to public networks, including, but not limited to, email and proxy servers.

4.4.   Market Logic will quarantine or remove files that have been identified as infected and will log the event.

5.   Vulnerability Management and Application Security Assessments

5.1.   Market Logic shall run internal and external network vulnerability scans at least quarterly and after any material change in the network configuration (e.g., new system component installations, changes in network topology, firewall rule modifications, or product upgrades). Vulnerabilities identified and rated as high risk by Market Logic will be remediated within fifteen (15) days at most.

5.2.   For all Internet-facing applications that collect, transmit or display Subscriber Data, Market Logic agrees to conduct a penetration test assessment to identify common security vulnerabilities as identified by industry-recognized organizations (e.g., OWASP Top 10 Vulnerabilities; CWE/SANS Top 25 vulnerabilities) annually or for all major releases, whichever occurs first.

5.3.   Patch Management: Market Logic will patch all workstations and servers with all current operating system, database and application patches deployed in Market Logic’s computing environment according to a schedule predicated on the criticality of the patch. Market Logic must perform appropriate steps to help ensure patches do not compromise the security of the information resources being patched. All emergency or critical rated patches must be applied as soon as possible but at no time will exceed thirty (30) days from the date of release.

6.   Storage, Handling and Disposal of Subscriber Data

6.1.   Data Segregation: Market Logic will physically or logically separate and segregate Subscriber Data from its other customers’ data.

6.2.   Electronic Form Data: Market Logic will utilize Industry Standard Encryption Algorithms and Key Strengths to encrypt the following:

a.   all Subscriber Data that is in electronic form while in transit over all public wired networks (e.g., the Internet) and all wireless networks;
b.   all Subscriber Data while In Storage. "In Storage" means information stored in databases, in file systems and on other forms of online storage; this is also commonly referred to as "at rest";
c.   passwords, which will be hashed with irreversible industry standard algorithms with a randomly generated "salt" added to the input string prior to hashing, so that the same password chosen by different users yields different stored hashes. The randomly generated salt should be at least as long as the output of the hash function; and
d.   any mobile devices (e.g., laptop, cell phone, tablet) used outside of a Data Center to perform any part of the Services.
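The salted, irreversible password storage required by item (c) above, as an added example that is not the annex's or Market Logic's code: the salt comes from the OS random source and is enforced to be at least as long as the digest of the underlying hash function. PBKDF2-HMAC-SHA256, the iteration count and the storage string format are this example's choices, not values from the annex.

```python
"""Added example: salted password hashing per Section 6.2(c).
Algorithm, iteration count and record format are constructed choices."""
import hashlib
import hmac
import os
from typing import Optional

ALGORITHM = "sha256"
ITERATIONS = 200_000                               # example value; tune to the hardware
DIGEST_LEN = hashlib.new(ALGORITHM).digest_size    # 32 bytes for SHA-256


def new_salt(length: int = DIGEST_LEN) -> bytes:
    """Random salt; Section 6.2(c) requires len(salt) >= hash output length."""
    if length < DIGEST_LEN:
        raise ValueError(f"salt must be at least {DIGEST_LEN} bytes for {ALGORITHM}")
    return os.urandom(length)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record 'algorithm$iterations$salt_hex$digest_hex'.
    A fresh salt is generated unless one is supplied (e.g. for testing)."""
    salt = new_salt() if salt is None else salt
    if len(salt) < DIGEST_LEN:
        raise ValueError("salt shorter than the hash output")
    digest = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        algo, password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Two constructed users choosing the same password get different records
    alice, bob = hash_password("correct horse"), hash_password("correct horse")
    print("records differ:", alice != bob)
    print("alice verifies:", verify_password("correct horse", alice))
    print("wrong password rejected:", not verify_password("wrong horse", alice))
```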

6.3.   Data Retention: Upon Subscriber’s request, or, upon termination or expiration of this Agreement, all Subscriber Data, including copies of such information, must be promptly returned to Subscriber or destroyed. Notwithstanding the foregoing obligations, Market Logic shall be permitted to retain back-up copies of Subscriber Data in accordance with applicable laws, applicable regulations and the Agreement.

6.4.   Destruction of Data: Market Logic will dispose of Subscriber Data when the information is deemed no longer necessary to preserve, as outlined in the “Data Retention” Section 6.3 above. Subscriber Data shall be disposed of using a method that renders it unreadable and effectively decommissioned. Market Logic will destroy any equipment containing Subscriber Data that is damaged or non-functional. All Subscriber Data must be rendered unreadable and unrecoverable regardless of its form (physical or electronic).

7.   Physical Security and Personnel Security

7.1.   Physical security of Market Logic’s offices: Market Logic shall have adequate physical security perimeters to safeguard Subscriber Data. Market Logic shall have a premises access control system that requires:

a.   every individual to have a unique access card and/or key to access the premises;
b.   access to sensitive areas, e.g., server rooms, to be granted only to those who need access to the area to perform their work-related duties;
c.   all visitors to be identified, registered, logged and accompanied by an employee of Market Logic at all times; and
d.   Market Logic employees to adhere to a Clean Desk Policy.

7.2.   Market Logic Personnel: Market Logic warrants that its personnel will:

a.   be provided with a clear understanding of the procedures and controls reasonably necessary to comply with the Information Security requirements set out in the Agreement prior to being granted access to Subscriber Data;
b.   upon hiring, and at least annually thereafter, participate in security awareness training. This training will cover, at a minimum, Market Logic’s security policies, including acceptable use, password protection, data classification, incident reporting and the repercussions of violations; and
c.   also receive training regarding data privacy and protection if Market Logic or its personnel access Personal Data.

8.   Incident Reporting and Action

If Market Logic detects any event that poses a risk to the security of any Subscriber Data, Market Logic shall a) immediately report the incident to the Subscriber in writing; b) promptly provide a full investigative report along with the corrective action(s) reasonably necessary to prevent a future recurrence of such violation, security incident or infraction; c) execute such corrective actions; and d) take such other investigative actions and measures as are needed to ensure that such corrective actions are and will remain effective.