-
IT SECURITY
This Schedule 3.17 (IT Security) relies on the definitions set out in Schedule 1 (Definitions) and on the definitions set out in Appendix 1 (Definitions) to Schedule 3.15 (Intellectual Property; Ownership).
-
SECURITY.
-
General.
Throughout the Term, the Operator shall implement and maintain security standards with respect to the Commuter Rail IT Environment (the “Security Standards”). In the event of any security breach or compromised system, the Operator shall immediately notify the MBTA, and the Operator shall conduct a Root Cause Analysis and develop a Mitigation Plan, regardless of severity or topic, as provided in Section 8.11 (Root Cause Analysis) of Schedule 3.16 (Information Technology Requirements). The MBTA CIO shall have the final authority to determine whether a Security issue has been resolved.
-
Required Physical Security Measures.
The Operator shall implement and maintain, throughout the Term, safeguards and other protections to control and prevent Physical Access to Sensitive Assets (including Sensitive Assets that constitute Personal Information) (collectively, the “Physical Security Measures”). Physical Security Measures include (i) badge requirements for visitors; (ii) requirements that visitors be accompanied and overseen by authorized personnel; (iii) requirements that visitors be identified through appropriate means (provision of a driver’s license or other appropriate credentials) and logged on entry and exit; (iv) badge requirements for employees and other authorized non-visitor personnel (such as retained consultants and independent contractors); (v) monitoring of visible activities within the facility at issue (such as through security cameras and video feeds); (vi) locked file cabinets, storage areas, offices, and other repositories for Sensitive Assets; and (vii) other measures to ensure the physical Security of Sensitive Assets. These required Physical Security Measures shall include the secure transportation of Sensitive Assets outside of (i) Operator, Subcontractor, or MBTA computing facilities or other premises; and (ii) Third Party computing facilities or other premises, where such Third Party is under the control or direction of the Operator.
-
Required Technical Security Measures.
The Operator shall implement and maintain throughout the Term safeguards and other protections to control and prevent access to Sensitive Assets, where such access does not constitute Physical Access (collectively, the “Technical Security Measures”); Technical Security Measures include the following:
-
User Authentication. The Operator shall implement and follow Secure user authentication protocols including: (i) control of user IDs and other identifiers; (ii) a secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices; (iii) control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect; (iv) restricting access to active users and active user accounts only; and (v) blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system.
-
Access Controls. The Operator shall implement and follow Secure access control measures to (i) restrict access to records and files that contain or constitute Sensitive Assets to those who need such information to perform their job duties; and (ii) assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with access to the Commuter Rail IT Environment, that are reasonably designed to maintain the integrity of the Security of the access controls. The Operator shall require complex password control parameters, including but not limited to at least the following criteria: the password (i) must be at least 8 characters in length, (ii) cannot contain any portion of the user's name, (iii) must have at least 3 of the following 4 characters (a) one uppercase letter, (b) one lowercase letter, (c) one number 0 to 9, and (d) one non-alphanumeric character (!, @, #, $, etc.); and (iv) must not repeat past passwords. The MBTA shall be entitled to conduct audits of system access to the Commuter Rail IT Environment.
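The four password criteria above rendered as a policy check. This is an added illustration, not part of the Schedule; what counts as a “portion” of the user's name is an assumption here (name fragments of three or more characters), and past passwords are compared against salted hashes rather than stored in the clear.

```python
"""Password-policy check modelled on the Schedule 3.17 Access Controls clause.

Added example, not contract text. Rules implemented:
  (i)   at least 8 characters;
  (ii)  may not contain any portion of the user's name;
  (iii) at least 3 of 4 classes: upper, lower, digit, non-alphanumeric;
  (iv)  may not repeat a past password (checked against salted hashes).
"""
import hashlib
import hmac
import os
import re

MIN_LENGTH = 8
MIN_CLASSES = 3
MIN_NAME_TOKEN = 3  # assumption: name fragments shorter than this are ignored


def _hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash for the history store so old passwords are never kept in clear.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def remember_password(password: str) -> tuple[bytes, bytes]:
    """Return a (salt, digest) pair to append to the user's password history."""
    salt = os.urandom(16)
    return salt, _hash_password(password, salt)


def _name_tokens(user_name: str) -> list[str]:
    # Split "Jane Q. Doe" or "jdoe" into lowercase fragments worth checking.
    return [t.lower() for t in re.split(r"[^A-Za-z0-9]+", user_name)
            if len(t) >= MIN_NAME_TOKEN]


def character_classes(password: str) -> int:
    """Count how many of the four required character classes are present."""
    return sum([
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),  # non-alphanumeric (!, @, #, $, ...)
    ])


def check_password(password: str, user_name: str,
                   history: list[tuple[bytes, bytes]]) -> list[str]:
    """Return the violated criteria; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"(i) shorter than {MIN_LENGTH} characters")
    lowered = password.lower()
    for token in _name_tokens(user_name):
        if token in lowered:
            problems.append(f"(ii) contains a portion of the user's name: {token!r}")
            break
    if character_classes(password) < MIN_CLASSES:
        problems.append(f"(iii) fewer than {MIN_CLASSES} of 4 character classes")
    for salt, digest in history:
        # Constant-time comparison of the candidate against each past password hash.
        if hmac.compare_digest(_hash_password(password, salt), digest):
            problems.append("(iv) repeats a past password")
            break
    return problems


if __name__ == "__main__":
    # Constructed sample: one prior password on file for user "Jane Doe".
    history = [remember_password("Summer2024!")]
    for candidate in ("Summer2024!", "JaneDoe99!", "short1!", "Tr0ub4dor"):
        print(candidate, "->", check_password(candidate, "Jane Doe", history) or "OK")
```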
-
Encryption. The Operator shall cause the Encryption of Sensitive Assets (including Personal Information) (a) that will be transmitted across public networks, (b) that will travel outside the premises of a Secure facility, or (c) that will be transmitted wirelessly. In addition, Sensitive Assets stored on laptops or other portable devices shall be Encrypted utilizing a Data at Rest Encryption standard.
-
Host/Server Protections. For all IT Assets resident on a component of the Commuter Rail IT Environment, the Operator shall maintain up-to-date firewall protection, operating system security patches, up-to-date anti-virus and spyware protection, and full logging/audit capabilities to maintain the integrity and Security of Sensitive Assets. Up-to-date versions of system security agent software must include malware protection and up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and must be set to receive the most current security updates on a regular basis.
-
Point of Presence and Gateway Protection Security. The Operator shall be responsible for ensuring the security of the Commuter Rail IT Environment. The Operator shall provide Point of Presence and Gateway Protection Security for the Commuter Rail IT Environment. The Operator shall control Points of Presence and Gateways to all sites where it provides network connectivity and Internet connectivity. The Operator shall implement, at a minimum, a sufficient firewall, a packet inspection system, an intrusion prevention system, and an intrusion detection system. The MBTA shall be entitled to access and audit all logs and event tracking. The Operator shall configure the Commuter Rail IT Environment to provide an automatic alert to the MBTA in the event of a breach or attempted breach via a group mailbox established by the MBTA or its Authorized Vendor and provided to the Operator upon commencement of the IT Services. In the event of a breach, the Operator shall execute all commercially reasonable steps to protect the MBTA Data and operations including, but not limited to, the complete shutdown of affected portions of the Commuter Rail IT Environment, if necessary (each, a “Security Shutdown”). The Operator shall not be penalized under the system availability Service Levels for a Security Shutdown, if such Security Shutdown was warranted. The Operator shall conduct a full Root Cause Analysis and develop a Mitigation Plan, as required in Schedule 3.16 (Information Technology Requirements). MBTA Security personnel shall be entitled to access all Security systems within the Commuter Rail IT Environment. The Operator shall comply with IT Change procedures and the IT Change Control Board for all Security-related IT Changes to rules and security systems. The Operator shall conduct appropriate testing of any such IT Changes to ensure full functionality of the Commuter Rail IT Environment with the MBTA Systems.
-
WAN/LAN Architecture Guidance. The Operator shall incorporate an isolation metric into the design and operation of site networks within the Commuter Rail IT Environment by implementing DMZs and VLANs, as relevant. The Operator shall locate in the DMZs only those web-based systems that require interaction over the Internet and real (publicly addressable) configurations. The Operator shall isolate database servers and data storage/processing systems from the wider Internet. The Operator shall implement tunnels and controlled, routed connectivity to connect internal systems between sites within the Commuter Rail IT Environment. The Operator shall ensure that internal systems within the Commuter Rail IT Environment are not directly addressable from non-MBTA-associated Internet sources. The Operator shall enforce this protection at the firewall level, by subnet/VLAN, using an allow-by-exception whitelist approach.
-
The Operator shall maintain all logs and events for the prescribed period of time based on severity, as provided in Schedule 3.16 (Information Technology Requirements). The Operator shall maintain all logs and events in a searchable and indexed format accessible to the MBTA and shall link such logs and events to applicable Root Cause Analysis efforts. The Operator shall preserve all Issue logs and events from deletion for the first year; for subsequent years, Issue logs and events for Severity 1 and 2 Issues, in addition to any logs/events designated by the MBTA, shall be archived and preserved from deletion automatically.
-
Information Security Policies and Procedures.
The Operator shall develop and implement, and throughout the Term maintain and follow, a comprehensive information security program (the “Information Security Program”), including information security policies and procedures, in accordance with the requirements set out in this Agreement, Applicable Law and industry best practices (collectively, “Information Security Policies and Procedures”). Such Information Security Policies and Procedures at a minimum shall include the following:
-
Risk Assessments. The Operator shall conduct and update a risk assessment, identifying and assessing reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing or embodying Sensitive Assets, and evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting such risks, including but not limited to: (i) ongoing employee (including temporary and contract employee) training; (ii) employee compliance with policies and procedures; and (iii) means for detecting and preventing security system failures (each a "Risk Assessment"). The Operator shall review and update its Risk Assessment as provided.
-
Monitoring and Continuous Improvement. The Operator shall review its Information Security Program (including its Risk Assessment, Physical Security Measures and Technical Security Measures) (i) at least quarterly, or (ii) whenever there is a change in its business practices or the design, build, deployment, operation, or maintenance of the Commuter Rail IT Environment that implicates the security or integrity of Sensitive Assets embodied in or related to the Commuter Rail IT Environment. The Operator shall update its Information Security Program (including its Risk Assessment, Physical Security Measures and Technical Security Measures) regularly to ensure that the Information Security Program is operating in a manner calculated to prevent unauthorized access to or unauthorized use of Sensitive Assets.
-
Employee Practices. The Operator shall develop and implement, and throughout the Term maintain and follow, practices to ensure its employees comply with the Information Security Program (including its Physical Security Measures and Technical Security Measures). Such practices shall include (i) educating and training employees (a) on the proper use of the Security systems and compliance with the Security Standards, and (b) on the importance of Security for Sensitive Assets including, in particular, Personal Information; (ii) imposing disciplinary measures for violations of the Information Security Program and its rules; and (iii) preventing terminated employees from accessing Sensitive Assets (including Personal Information).
-
Subcontractor Security Obligations.
The Operator shall include the requirements of Section 1 (Security) to this Schedule 3.17 (IT Security) in all subcontracts under this Contract. To the extent an applicable subcontractor has access to, or otherwise supports the Operator's services that are governed by the Payment Card Security Standards, the Operator shall also include the requirements of Section 2 (Payment Card Security Standard) of this Schedule 3.17 (IT Security) in all subcontracts under this Contract. The Operator shall oversee Subcontractors' compliance with such requirements and shall select and retain only those Subcontractors that are capable of meeting or exceeding, and that in fact meet or exceed Security Standards.
-
Third Party Security Obligations.
In addition to its obligations concerning Subcontractors, as set out in the Subsection entitled “Security / Subcontractor Security Obligations”, the Operator shall select and retain only those Third Parties for work on the Commuter Rail IT Environment that are capable of meeting or exceeding, and that in fact meet or exceed Security Standards.
-
Operator Responsibility for Subcontractor and Third Party Compliance with Security Obligations.
The Operator shall be directly responsible to the MBTA for a Subcontractor's or Third Party’s breach of Security Standards, and a breach of Security Standards by such Subcontractor or Third Party shall be deemed a breach by the Operator for all purposes under this Contract.
-
Disaster Recovery and Business Continuity.
During the Term, the Operator shall implement and maintain a business continuity plan and disaster recovery plan, as provided in Appendix 1 (Disaster Recovery (DR) and Business Continuity (BC) Support Services) to this Schedule 3.17 (IT Security) (collectively, the “Business Continuity Plan”). Under the Business Continuity Plan, the Operator shall ensure the timely resumption of applications, data, hardware, communications (such as networking) and other IT infrastructure in the event of a disaster or outage. The Operator shall regularly test the Business Continuity Plan and train MBTA users for contingencies under such Plan.
-
Incident Response Plan; Incident Response.
The Operator shall prepare and, by the Agreement Services Commencement Date, deploy an incident response plan to address and handle a Security Incident (the “Incident Response Plan”), as set out in the Technical Specification and in this Section 1.9 (Incident Response Plan; Incident Response) of this Schedule 3.17 (IT Security). The Incident Response Plan shall include the following:
-
Notice of Intrusion; Implementation of Plan. In the event of a Security Incident, the Operator shall immediately implement the approved Incident Response Plan and notify the MBTA. The Operator shall (i) document responsive actions taken in connection with any Security Incident, (ii) preserve system logs and electronic evidence, and (iii) conduct a mandatory post-incident review of events and actions taken in order to make changes in business practices in response to a Security Incident.
-
Contain Exposure. In the event of a Security Incident, the Operator shall immediately contain and limit the exposure, in order to prevent further loss of data. Among other steps, the Operator shall (i) isolate compromised systems from the network; (ii) log all actions taken; (iii) alert all necessary parties immediately; (iv) identify any compromised Payment Card accounts, and any Data Subjects whose Personal Information may have been compromised; (v) prepare an incident report; (vi) compile information to determine whether or not an independent forensic investigation will be initiated; and (vii) with the consent of the MBTA, conduct such forensic investigation.
-
Costs. The Operator shall be financially responsible for the costs resulting from a Security Incident involving Personal Information, including (i) the costs of required notifications to Data Subjects; (ii) the costs of a call center to assist such Data Subjects in mitigating the effects of the Security Incident; and (iii) the costs of associated credit monitoring for such Data Subjects.
-
Privacy and Security Regulations.
Without limiting the requirements set out in this Contract Section entitled “Security,” during the Term the Operator shall comply with, and be responsible for the Commuter Rail IT Environment's compliance with, all Privacy and Security Regulations.
-
SSAE 16 Audit.
In addition to its other obligations under this Contract, the Operator shall cause an audit to be conducted with respect to the Commuter Rail IT Environment, the Services, and the performance of other obligations pursuant to this Contract, by a certified public accountant registered with the Public Company Accounting Oversight Board, based on the Statement on Standards for Attestation Engagements (SSAE) No. 16 (the successor to the former “SAS 70” standard, or an industry equivalent), and shall have a “Type 2” report prepared in connection therewith.
-
Timing. With respect to each such audit, Operator shall (i) confer with the MBTA as to the scope and timing of each such audit, and (ii) accommodate the MBTA's requirements and concerns to the extent practicable. Unless otherwise agreed by the Parties, such audit shall be conducted so as to result in a final audit opinion not later than 120 days following the close of the Operator's fiscal year.
-
Provision of Report to the MBTA. Operator shall provide a copy of such Type 2 report and any other reports issued as a result of such audit to the MBTA and its independent auditors as soon as reasonably possible after the conclusion of such audit, and in all events within thirty (30) days of completion. Further, Operator shall provide any updates to any audit reports to the MBTA promptly after they are received by Operator. Operator shall promptly correct any deficiencies identified in any such audit. At the MBTA’s request, Operator shall confirm in writing that there have been no changes in the relevant policies, procedures and internal controls since the completion of such audit other than the correction of any deficiencies as provided above. If Operator becomes certified in other programs intended to evaluate security, Operator shall also provide information regarding such certification to the MBTA consistent with this Section 1.11 (SSAE 16 Audit) of this Schedule 3.17 (IT Security).
-
Operator Inability to Deliver. If Operator is unable to timely deliver the required SSAE 16 report, Operator shall (a) provide the MBTA, on or before the date such report is delivered or due to be delivered, a written statement describing the circumstances giving rise to any delay or any qualification, (b) take such actions as shall be necessary to resolve such circumstances as soon as practicable, and (c) permit the MBTA and its external auditors to perform such procedures and testing as are reasonably necessary for their assessment of the operating effectiveness of Operator's policies, procedures and internal controls.
-
Additional Requirements Concerning Sensitive Security Information.
The Operator must protect, and take measures to assure that its Subcontractors protect, “sensitive information” made available during the course of administering an MBTA Contract or Subcontract in accordance with 49 U.S.C. Section 40119(b) and implementing DOT regulations, “Protection of Sensitive Security Information,” 49 CFR Part 15, and with 49 U.S.C. Section 114(s) and implementing Department of Homeland Security regulations, “Protection of Sensitive Security Information,” 49 CFR Part 1520.
-
Operator Designation As Data Controller or Data Processor.
The Operator shall be designated, with regard to such response, as a Data Controller or a Data Processor, as determined by the MBTA in the exercise of its reasonable discretion.
-
PAYMENT CARD SECURITY STANDARD
The following Section (entitled “Payment Card Security Standard”) governs required payment card security standards and procedures under this Contract.
-
Compliance with Standard.
As of the Notice to Proceed, and without interruption through the Term, the Operator shall comply with Payment Card Security Standards (i) in providing Services or Deliverables to the MBTA under this Contract; (ii) in storing, processing, or transmitting Cardholder Account Data; and (iii) in engaging in any other activities for any purpose relating to this Contract.
-
PCI-DSS Vendors.
The Operator shall ensure that all PCI-DSS Vendors comply with Payment Card Security Standards (i) in providing Services or Deliverables to the MBTA under this Contract; (ii) in storing, processing, or transmitting Cardholder Account Data; and (iii) in engaging in any other activities for any purpose relating to this Contract. As between the Operator and the MBTA, the Operator alone shall be responsible for a PCI-DSS Vendor's non-compliance with Payment Card Security Standards.
-
Validation.
The Operator shall validate (i) its compliance with the Payment Card Security Standards and (ii) the compliance of its PCI-DSS Vendors, and shall obtain validation in the manner (or manners) required under the applicable Payment Card Security Standard at issue (through use, for example, of a Qualified Security Assessor, an Approved Scanning Vendor, a Self-Assessment Questionnaire, or through other expressly permitted means), and at the frequency required by such Standard.
-
Reports and Confirmations To The MBTA.
The Operator shall report in writing the results of such validations, and any evidence of non-compliance, immediately to the MBTA.
-
MBTA-Requested Validation.
Independent of the Operator’s validation obligations set out immediately above, the MBTA shall have a right (but no obligation) to conduct a review and audit of the Operator’s (and its PCI-DSS Vendors') payment card related systems, policies, practices, complaints, data, and other information to assess continued compliance with the Payment Card Security Standard (each, an “MBTA-Requested Validation”).
-
Process. The MBTA shall provide reasonable notice of an MBTA-Requested Validation, except in the case of exigent circumstances, where minimal notice shall be required. The MBTA shall be entitled to conduct such MBTA-Requested Validations using MBTA or Third Party personnel (provided such Third Party personnel agree to reasonable confidentiality provisions) (each, a “Third Party Examiner”). MBTA-Requested Validations shall take place on the dates and at the frequency reasonably designated by the MBTA.
-
No Effect On Operator Obligations. Action or inaction by the MBTA under this subsection (entitled "MBTA-Requested Validation") shall not affect the Operator's obligations to ensure compliance with Payment Card Security Standards, and the Operator shall continuously maintain such compliance.
-
Costs of MBTA-Requested Validation. Each Party shall bear its own costs of an MBTA-Requested Validation; provided, however, that if the process reveals non-compliance with the Payment Card Security Standards, the Operator shall promptly reimburse the reasonable costs incurred by the MBTA and any Third Party Examiner in conducting the MBTA-Requested Validation (without prejudice to other rights and remedies of the MBTA for such non-compliance).
-
Remediation.
In the event of any revealed non-compliance, whether through the standard validation process or an MBTA review, the Operator shall take all necessary steps to immediately mitigate such non-compliance. Without prejudice to the MBTA’s other rights and remedies, the Operator shall provide the MBTA with a written mitigation plan, with milestone dates, and shall timely update the MBTA during the resolution of the non-compliance.
-
Notice to Payment Card Networks.
The Operator shall arrange for immediate notice to Payment Card Networks of a Security Incident affecting a Payment Card and, after obtaining the MBTA’s approval (which can be withheld for just cause), shall cause such notice to be provided to the Payment Card Networks.
-
Responsibility for Penalties.
Without limiting any other obligations of the Operator under this Contract, the Operator shall be responsible in full for any penalties, fines, levies, audit fees, or other fees, remedies, or damages imposed by a Third Party, including by a Card Association, Card Processor, issuer of Payment Cards, Merchant Acquirer, or others, in connection with a Security Incident or other non-compliance with Privacy and Security Regulations.
-
Relationship to Other Data Security Provisions.
This Section 2 (Payment Card Security Standards) of this Schedule 3.17 (IT Security) addresses security issues for Cardholder Account Data and compliance with Payment Card Security Standards. This Section 2 (Payment Card Security Standards) of this Schedule 3.17 (IT Security) supplements, but does not detract from, or act as a substitute for, other sections in this Agreement that address data security, information technology security or other security-related matters (“Other Security-Related Contract Provisions”). In the event of a conflict between (a) this Section 2 (Payment Card Security Standards) of this Schedule 3.17 (IT Security) and (b) Other Security-Related Contract Provisions, the particular standard that affords greater security and protection shall control; provided, however, that the Operator notifies the MBTA immediately of any conflict prior to taking action with respect to that conflict.
-
OPERATOR SECURITY POLICIES AND STANDARDS.
The Operator shall develop, implement, comply with throughout the Term of the Agreement, maintain and, as necessary, update the following policies and standards with respect to the Commuter Rail IT Environment:
-
Commuter Rail IT Environment Access Control Policy.
This policy articulates the access controls that are required to meet the security objectives set out herein and as otherwise defined by the MBTA. Access control management is paramount to protecting MBTA Data and requires implementation of controls and continuous oversight to restrict access.
-
Enterprise Electronic Messaging Communications Security Policy.
Electronic communication includes any communication that is transmitted, acknowledged, stored, downloaded, displayed or printed by an electronic communication system or service. Given the ubiquitous nature of electronic communication, this policy shall focus on the specific category of electronic messaging (i.e., email, instant messaging, etc.) communication and related threats that, if left unmitigated, may lead to a loss of data and/or system integrity, confidentiality or availability.
-
Information Security Policy.
This policy articulates requirements that assist management in defining a framework that establishes a secure environment. This framework provides the overarching structure for safeguarding the Commuter Rail IT Environment, achieving confidentiality, integrity and availability of the Commuter Rail IT Environment and MBTA Data.
-
Data Classification Standards.
These standards provide minimum requirements for:
- Evaluation and classification of MBTA Data
- Assessing the impact of compromise to MBTA Data
- Establishing security controls commensurate with data classification
-
The Data Classification Standards are organized into the following four sections:

Section | Summary
1: Classification Scheme | Requires agencies to classify MBTA Data into at least one of three levels of classification: Low Sensitivity, Medium Sensitivity and High Sensitivity.
2: Required Considerations for Classification | Provides the baseline to consider in evaluating MBTA Data.
3: Risk Assessment and Security Controls | Requires the Operator to conduct and document risk assessments in evaluation of MBTA Data. Requires the Operator to determine the security controls needed based on assigned classifications and risk assessments. Promotes minimum security controls across the Commuter Rail IT Environment.
4: Data Management Lifecycle | Requires the protection of MBTA Data at all stages of its lifecycle through the proper maintenance of classifications and controls.