Schedule 3.17 (IT Security); and Schedule 3.18 (Service Level Agreement and Service Credits). To the extent there is a conflict in language between (a) the definitions set out in this Appendix 1 (Definitions) to Schedule 3.15 (Intellectual Property; Ownership) and (b) the definitions provided in Schedule 1 (Definitions), then the definitions set out in this Appendix 1 (Definitions) to Schedule 3.15 (Intellectual Property; Ownership) shall control, but only with respect to (i) intellectual property rights and obligations and (ii) information technology and information security rights, obligations and service levels.
“API” or “Application programming interface” means a source code interface that a computer system or program library provides in order to support requests for services to be made of it by other computer programs, and/or to allow data to be exchanged. By way of example, an API consists of a set of routines, data structures, object classes, protocols or any combination of these or other elements that is designed to assist in the development or interoperability of (i) Software, and (ii) Software with equipment. The term “API” includes Interfaces to other sources of input and data-exchanges, such as human operators, and thus includes graphical user interfaces. The term “API” includes internal APIs, external APIs and updates to such APIs.
“Authenticate” or “Authentication” means to verify the identity of a Person or the validity of an item of credit/debit media.
“Baseline IT Environment” means, collectively, the (i) Relevant Baseline IT Assets, and (ii) Operator IT Continuation Services.
“Cardholder Account Data” means (i) cardholder data, including (a) primary account number (PAN); (b) cardholder name; (c) expiration date; and (d) service code, and (ii) sensitive authentication data, including (a) full magnetic stripe data or equivalent on a chip; (b) card verification codes and values (CAV2/CVC2/CVV2/CID); and (c) PINs/PIN blocks. The term “Cardholder Account Data” is to be interpreted at least as broadly as the term “Account Data” is defined in the Payment Card Security Standards.
“Commuter Rail IT Assets” means, collectively, the (i) Relevant Baseline IT Assets; (ii) New IT Assets; and (iii) Operator-Provisioned IT Assets.
“Commuter Rail IT Environment” means, collectively, the: (i) Baseline IT Environment; (ii) New IT Component Environment; (iii) Operator-Provisioned IT Environment; and (iv) Operator IT Interfaces. The term “Commuter Rail IT Environment” expressly includes all Updates to the: (1) Baseline IT Environment; (2) New IT Component Environment; (3) Operator-Provisioned IT Environment; and (4) Operator IT Interfaces.
“Commuter Rail IT Services” means, collectively, the: (i) Operator IT Continuation Services; (ii) New IT Services; and (iii) Operator-Provisioned IT Services.
“Compliance-Assurance Device” has the meaning set out in Section 3 (Compliance-Assurance Devices) of this Schedule 3.16 (Information Technology Requirements).
“Computer Equipment” means the computer hardware, firmware and all related devices, articles, components, peripherals, control systems, integrated-circuit devices (including without limitation, such devices that reside on any of the Rolling Stock Fleet), printers, personal computers, work stations, materials and incidentals for executing and hosting Software, processing, transmitting and storing Data and performing other computing functions.
“Computer Network” means a system of interconnected computers, network servers, network operating systems, storage devices, backup devices, peripherals, cabling, routers, switches, wireless communications devices and incidentals that function together as a platform.
“Credit Card Transaction Fee” means those fees (typically referred to as “transaction fees” or “swipe fees”) charged by a Payment Card Network or other payment processor specifically in consideration of payment for goods or services using a credit or debit card.
“Data” means information: (i) input into, stored within, processed by or transmitted through an IT Infrastructure, including all files, database records, reports, query-results and other inputs for, and outputs generated by Software; (ii) information maintained in paper-based records; and (iii) other information that the Operator receives in connection with its provision of services under this Agreement. The term “Data” includes Personal Information as well as both Confidential and non-confidential Data.
“Data Controller” means a Person that holds the right or ability to control the use, sharing or exploitation of Personal Information.
“Data Encryption Standard” means a method for encrypting information.
“Data Processor” means a Person processing, storing, manipulating or using Personal Information at the direction of a Data Controller.
“Data Subject” means the natural person identified by the applicable Personal Information.
“Deliverables” means all items, information or materials that the Operator is to provide or make available to the MBTA under the Agreement including, but not limited to: (i) Operator Software; (ii) Design Documents; (iii) Operator IT Interfaces; (iv) Documentation; (v) hardware; (vi) system equipment; and (vii) all other components of the Commuter Rail IT Environment not directly provided by the MBTA.
“Deposit Materials” means Source Code deposited into escrow with the MBTA in accordance with Schedule 3.15 (Intellectual Property; Ownership).
“Design Documents” means drawings, shop drawings, plans, specifications, graphic depictions, bills of materials and all other associated materials that relate to the design, implementation, provisioning, maintenance, improvement, end-of-life and other aspects of the Commuter Rail Services.
“Developed Software” means (i) software developed by the Operator pursuant to this Agreement; (ii) software developed by the Operator independently of this Agreement and used by the Operator in the Commuter Rail IT Environment; and (iii) Operator-Commissioned Software.
“Documentation” means specifications, requirements documents, engineering manuals (including hardware, equipment, and software engineering manuals), end-user manuals, training materials, handbooks, data-flow and work-flow diagrams, diagrams of system and subsystem architecture, drawings, engineering changes and related materials.
“Encrypt” or “Encryption” means the transformation of data into a form in which meaning cannot be assigned without the use of a confidential process or key.
“Error” means a failure of the Commuter Rail IT Environment (or any portion thereof) to conform in all material respects to the Documentation, applicable technical specifications, applicable warranties, applicable Service Levels, requirements of the Commuter Rail IT Services or the MBTA's reasonable expectations.
“Error Correction” means a modification or addition that, when made or added to the Commuter Rail IT Environment: (i) removes the Error; (ii) otherwise establishes material conformity of the Commuter Rail IT Environment to the applicable technical specifications and Documentation; or (iii) constitutes a procedure or routine that, when observed in the regular operation of the Commuter Rail IT Environment, eliminates the adverse effect on the MBTA of the Error without loss of performance, function or feature.
“Gateway” means an internet protocol (IP) address for a network interface on a router that leads to another website or network.
“Incident Communication” means MBTA system users' service requests, customer complaints, and other communications, as further defined in Section 1 (Operator Service Center) of Schedule 3.16 (Information Technology Requirements).
“Information Security Policies and Procedures” has the meaning set out in Section 4 (Information Security Policies and Procedures) of Schedule 3.17 (IT Security).
“Information Security Program” has the meaning set out in Section 4 (Information Security Policies and Procedures) of Schedule 3.17 (IT Security).
“Information Security Regulations” means Applicable Law governing security practices and procedures designed to safeguard the confidentiality, security and integrity of Personal Information.
“Initial Joint Audit” means the audit of the Relevant Baseline IT Assets and other components of the IT Environment to be conducted by the Operator in connection with the bid process.
“In-Process Review” or “IPR” means a series of meetings with the MBTA and the Operator to ensure proper and informative communication between the parties.
“Intellectual Property Rights” means rights under patent law, copyright law, moral rights law, trade secret law or other similar law (whether such rights are registered or unregistered).
“Interface” means the points where two or more systems, subsystems or structures meet, transfer energy or transfer data or information.
“Interface Tools and Documentation” has the meaning set out in Section 5 (Open Configuration) of Schedule 3.16 (Information Technology Requirements).
“Issue Tracking Portal” means the user and customer issue and ticket tracking portal defined in Section 3 (Issue Tracking Portal) of Schedule 3.16 (Information Technology Requirements).
“IT Assets” means, collectively, the (i) Software, and (ii) IT Infrastructure.
“IT Change” has the meaning set out in Section 7.11 (Change Control and Configuration Management) of Schedule 3.16 (Information Technology Requirements).
“IT Change Control Board” has the meaning set out in Section 7.11 (Change Control and Configuration Management) of Schedule 3.16 (Information Technology Requirements).
“IT Environment” means, collectively, the (i) IT Assets, and (ii) IT Services.
“IT Infrastructure” means, collectively: (i) Computer Equipment; (ii) Computer Network; and (iii) all other hardware and tangible assets related to Computer Equipment and Computer Network.
“IT Operations Services” has the meaning set out in Section 1 (Overview of IT Operations Services) of Schedule 3.16 (Information Technology Requirements).
“IT Project Management” means the discipline of planning, organizing, securing, managing, leading and controlling resources to achieve specific goals.
“IT Security Services” has the meaning set out in Section 11 (IT Security Services) of Schedule 3.16 (Information Technology Requirements).
“IT Services” means, collectively, the: (i) IT Operations Services; (ii) IT Support and Maintenance Services; (iii) IT Security Services; (iv) IT Training Services; and (v) all other services necessary and desirable for the operation of the Commuter Rail IT Environment within the Service Levels and the MBTA's reasonable expectations.
“IT Support and Maintenance Services” has the meaning set out in Section 1 (General) of Schedule 3.16 (Information Technology Requirements).
“IT Training Services” has the meaning set out in Section 1 (Overview of IT Training Services) of Schedule 3.16 (Information Technology Requirements).
“ITIL” has the meaning set out in Section 9 (Information Technology Infrastructure Library) of Schedule 3.16 (Information Technology Requirements).
“MBTA Data” means Data input into, processed by, stored in, accessed through or transmitted by the Commuter Rail IT Environment or the MBTA Internal IT Environment, whether by the MBTA, Operator, Authorized Vendors or service providers, MBTA customers or users authorized by the MBTA. The term “MBTA Data” includes any data or information derived from such MBTA Data, whether through de-identification, data mining, analytics, aggregating, profiling or other techniques that analyze, augment or otherwise manipulate such Data.
“MBTA Internal IT Environment” means the Software and IT Infrastructure used by the MBTA for MBTA purposes other than those components within the Commuter Rail IT Environment.
“MBTA Security Policies and Standards” means a set of standards governing security practices and procedures designed to safeguard the privacy and security of Personal Information and other subjects.
“MBTA Trademark Assets” means the names, symbols, mottos, designs and other designations of origin, the registered and unregistered rights to which are owned by the MBTA.
“Mission Critical” has the meaning provided in Section 11 (Baseline Relevant Software; System Applications; Mission Critical and Mission Support Service Levels) of Schedule 3.18 (Service Level Agreement and Service Credits).
“Mission Support” has the meaning provided in Section 11 (Baseline Relevant Software; System Applications; Mission Critical and Mission Support Service Levels) of Schedule 3.18 (Service Level Agreement and Service Credits).
“New IT Assets” means, collectively: (i) Compliance-Assurance Devices; (ii) Other MBTA-Designated IT Components; and (iii) Operator-Proposed IT Components that are integrated by the Operator into the Commuter Rail IT Environment.
“New IT Component Environment” means, collectively, the (i) New IT Assets, and (ii) New IT Services.
“New IT Services” has the meaning set out in Section 5 (New IT Services) of this Schedule 3.16 (Information Technology Requirements).
“Notice of Security Breach Regulations” means Applicable Law governing: (i) the mitigation of a security breach or threatened security breach with respect to Personal Information; (ii) notification to Data Subjects concerning the breach or threatened breach; and (iii) other obligations imposed on Data Controllers and Data Processors concerning a breach or threatened breach of the security of Personal Information.
“Off-the-Shelf Software” means Software generally made available for commercial use, either for free or subject to licensing terms and conditions. The term “Developed Software” expressly excludes Off-the-Shelf Software.
“Operator” means the proposer awarded the contract under the RFP.
“Operator APIs” has the meaning set out in Section 3 (Open Architecture Standards; Interfaces) of Schedule 3.16 (Information Technology Requirements).
“Operator-Commissioned Software” means Software that a Third Party develops on behalf of the Operator under this Agreement.
“Operator Feeds” has the meaning set out in Section 1 (Operator Obligations Concerning the MBTA Internal IT Environment) of Schedule 3.16 (Information Technology Requirements). The term “Operator Feeds” expressly includes the Baseline Operator Feeds.
“Operator Hardware Interfaces” has the meaning set out in Section 3 (Open Architecture Standards; Interfaces) of Schedule 3.16 (Information Technology Requirements).
“Operator Interfaces” has the meaning set out in Section 4 (Operator Interfaces; Versions) of Schedule 3.16 (Information Technology Requirements).
“Operator IT Continuation Services” has the meaning set out in Section 7 (Operator IT Continuation Services) of Schedule 3.16 (Information Technology Requirements).
“Operator IT Interfaces” means, collectively, the: (i) Operator Feeds; (ii) Operator Interfaces; and (iii) Interface Tools and Documentation.
“Operator-Proposed IT Components” has the meaning set out in Section 1 (Submission of Operator-Proposed IT Components) of Schedule 3.16 (Information Technology Requirements).
“Operator-Provisioned IT Assets” means, collectively, the (i) Operator-Provisioned Software, and (ii) Operator-Provisioned IT Infrastructure.
“Operator-Provisioned IT Environment” means, collectively, the (i) Operator-Provisioned IT Services, and (ii) Operator-Provisioned IT Assets.
“Operator-Provisioned IT Infrastructure” means IT Infrastructure provided by the Operator that is independent of, or otherwise supplemental to, the Relevant Baseline IT Infrastructure, and that is necessary or advisable for the operation of the Commuter Rail IT Environment and the provision of the Commuter Rail Services. The term “Operator-Provisioned IT Infrastructure” includes all Updates to the same.
“Operator-Provisioned IT Services” means services related to the Operator-Provisioned IT Assets, as further set out in Section 2 (Operator-Provisioned IT Services) of this Schedule 3.16 (Information Technology Requirements).
“Operator-Provisioned Software” means Software provided by the Operator that is independent of, or otherwise supplemental to, Relevant Baseline Software, and that is necessary or advisable for the operation of the Commuter Rail IT Environment and the provision of the Commuter Rail Services. The term “Operator-Provisioned Software” expressly includes Operator Software and all Updates to the same. The term “Operator-Provisioned Software” excludes Operator-Proposed IT Components, unless and until such Operator-Proposed IT Component has been accepted by the MBTA in accordance with Section 2 (Evaluation of Operator-Proposed IT Components) of Schedule 3.16 (Information Technology Requirements).
“Operator Service Center” means the service center provided and maintained by the Operator, as further provided in Section 2 (Operator Service Center) of Schedule 3.16 (Information Technology Requirements).
“Operator Software” means (i) Off-the-Shelf Software provided by the Operator that is necessary or advisable for the provision of the Commuter Rail Services, and (ii) Operator Developed Software that is necessary or advisable for the provision of the Commuter Rail Services (including, but not limited to, Operator-Provisioned Software and Software portions of Operator-Proposed IT Components). The term “Operator Software” includes: (a) Operator-Commissioned Software, and (b) all Updates to Operator Software. To the extent the Operator employs, within the Commuter Rail IT Environment, Software owned or licensed by an Affiliate of the Operator (the “Affiliate-Sourced Software”), such Affiliate-Sourced Software is included in the definition of the term “Operator Software,” and such Software does not constitute Third Party Software.
“Other MBTA-Designated IT Components” means those Software and IT Infrastructure components that the MBTA directs the Operator to integrate into the Commuter Rail IT Environment.
“Payment Card Network” means a company such as Visa, MasterCard, Discover Financial Services or American Express, which: (i) owns and operates systems for the processing of Bankcard payments; (ii) establishes relationships with financial institutions to issue Payment Cards; and (iii) maintains standards and rules for Payment Card issuers and Card Processors. The term “Payment Card Network” is synonymous with the term “Card Association” and, to the extent the terms conflict, the term that provides the MBTA with greater protections and functionality shall control.
“Payment Card Security Standards” means: (i) the PCI DSS Standard; (ii) the PCI PED Standard; (iii) the PCI PA-DSS Standard; (iv) applicable information supplements and other supplements to, updates, new versions of and new requirements for the PCI DSS Standard, the PCI PED Standard or the PCI PA-DSS Standard that are implemented by the PCI SSC Council during the Term; and (v) any other security standards applicable to Cardholder Account Data or Payment Cards, such as the EMV Specifications. The term “Payment Card Security Standards” expressly includes additional or unique compliance standards established by individual card brands (such as VISA, MasterCard, and American Express) within a Card Association.
“Payment Card” means, collectively, (i) Bank-Issued Media, and (ii) other payment media that is or becomes subject to Payment Card Security Standards.
“PCI DSS Standard” means the Payment Card Industry Data Security Standard maintained by the PCI SSC Council with respect to merchants, processors and other entities that store, process or transmit Cardholder Data.
“PA-DSS Standard” means the Payment Application Data Security Standard maintained by the PCI SSC Council with respect to software developers and integrators of payment applications that store, process or transmit cardholder data as part of authorization or settlement.
“PCI-PED Standard” means the PIN Entry Device Security Standard maintained by the PCI SSC Council with respect to manufacturers of personal identification number (PIN) entry terminals used for payment card financial transactions.
“PCI-SSC Council” means the Payment Card Industry Security Standards Council, and any successors to the Payment Card Industry Security Standards Council.
“PCI-Compliant” means the adherence to the Payment Card Security Standards.
“PCI-DSS Vendor” means a subcontractor, service provider or other vendor of the Operator that either (i) stores, processes or transmits Cardholder Account Data, or (ii) otherwise falls under the Payment Card Security Standards.
“Personal Information” means a natural Person's (i) first name and last name, or first initial and last name, in combination with (ii) any one or more of the following data elements that relate to a particular Person: (a) Social Security number; (b) driver’s license number or state-issued identification card number; (c) financial account number; (d) credit card number, debit card number, other cardholder account data; or (e) other smart media-holder data, and (iii) similar information whose unauthorized use would constitute or permit identity theft or other fraud, and (iv) medical information or other health insurance information.
“Physical Security Measures” has the meaning set out in Section 2 (Required Physical Security Measures) of Schedule 3.17 (IT Security).
“Privacy and Security Regulations” includes, but is not limited to, the: (i) Federal Trade Commission Act (15 USC §§41-58, as amended); (ii) Electronic Fund Transfer Act (15 USC §1693 et seq.); (iii) Federal Reserve Regulation E (12 CFR Part 205); (iv) Identity Theft and Assumption Deterrence Act (18 USC §1028); (v) Fair Credit Reporting Act (15 USC §1681 et seq.); (vi) “Red Flag” Rule (16 CFR Part 681 and analogous regulations, as applicable); (vii) Gramm-Leach-Bliley Act (15 USC §§6801-6809 and §§6821-6827); (viii) the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”) (including regulations and rules under HIPAA and the HITECH Act); (ix) Financial Privacy Rule (16 CFR Part 313 and analogous regulations, as applicable); (x) Safeguards Rule (16 CFR Part 314 and analogous regulations, as applicable); (xi) USA PATRIOT Act (115 Stat. 272); (xii) Federal Regulation II (12 CFR Part 235); (xiii) Notice of Security Breach Regulations; (xiv) Information Security Regulations; and (xv) cyber threat/security network guidance, standards and regulations published by accepted industry and federal agencies including but not limited to APTA, the U.S. Department of Human Services, the U.S. Department of Transportation and the Federal Bureau of Investigation.