Master Services Agreement


(c) Organizational Security



Date: 12.07.2017

(1) Responsibility – Assignment of responsibility for information security management. An information security group shall maintain a list of individuals authorized to access Personal Data, and shall be responsible for approving authorized access privileges to users, and documenting access security procedures. The information security group shall monitor and periodically review access levels, logging reports and access violation reports to detect inappropriate Systems activity and to facilitate the timely investigation of suspicious or unauthorized activity, and periodically conduct access reviews to verify that access assignments are appropriate. The information security group shall ensure that they conduct vulnerability assessments (infrastructure and application layer) at least once a month and also allow Media Company’s information security staff to scan bi-weekly for vulnerabilities. Upon Media Company’s request, VMT will provide the contact information for the information security group so they can be contacted 24*7*365 for support and security enquiries. VMT will fully co-operate with Media Company’s information security and investigations personnel should a breach occur and ensure that evidence is preserved in a forensically sound manner.

(2) Resources – Commitment of adequate personnel resources to information security.

(3) Confidentiality Agreements – Requirement that VMT’s employees, agents, and subcontractors, and others with access to Personal Data, enter into signed confidentiality agreements and agree to use the systems to perform only authorized transactions in support of their job responsibilities.

(4) Qualification of Employees – Appropriate procedures and measures to ascertain the reliability, technical expertise, and personal integrity of all employees, agents, and subcontractors who have access to the information system or Personal Data.

(5) Obligations of Employees – Appropriate procedures and measures to verify that any employee, agent or contractor accessing the Personal Data knows his obligations and the consequences of any security breach.

(6) Controls on Employees – Employee background checks, where and to the extent permitted under applicable law, for employees with responsibilities for or access to Personal Data.

(7) Compliance with Laws – VMT will fully comply with all local data privacy laws in relation to the storage of personal information.

(8) Enforcement – Appropriate disciplinary procedures against individuals who access Personal Data without authorization, or who otherwise commit security breaches.

(d) Additional Safeguards

(1) Security Incident Procedures – policies and procedures to detect, respond to, and otherwise address security incidents, including procedures to monitor systems and to detect actual and attempted attacks on or intrusions into Personal Data or information systems relating thereto, and procedures to identify and respond to suspected or known security incidents, mitigate harmful effects of security incidents, and document security incidents and their outcomes. VMT shall also designate a security official responsible for the development, implementation and maintenance of all the safeguards in this Schedule.

(2) Testing – VMT shall regularly test the key controls, systems and procedures of its Information Security Program to ensure that they are properly implemented and effective in addressing the threats and risks identified. Tests should be conducted or reviewed by independent third parties or staff independent of those that develop or maintain the security programs.

(3) Security Awareness and Training – a security awareness and training program for all members of VMT’s workforce (including management), which includes training on how to implement and comply with this Schedule.

(4) Adjust the Program – VMT shall monitor, evaluate, and adjust, as appropriate, the Information Security Program in light of any relevant changes in technology or industry security standards, the sensitivity of the Personal Data, internal or external threats to VMT or the Personal Data, requirements of applicable work orders, and VMT’s own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to information systems.

(e) Audit Access

(1) Audit Access – VMT shall provide, within ten (10) days’ written notice to Media Company, access to facilities, systems, records and supporting documentation in order for Media Company to audit VMT’s compliance with its obligations under or related to this Schedule. Audits shall be subject to all applicable confidentiality obligations agreed to by Media Company and VMT, and shall be conducted in a manner that minimizes any disruption of VMT’s performance of services and other normal operations.



SURVIVAL

All data privacy and security obligations shall survive any termination or expiration of the Agreement with respect to Personal Data.



VMT Confidential
