1. Policies and Procedures
Artemis Pro shall maintain written security management policies and procedures to prevent, detect, contain, and correct violations of measures taken to protect the confidentiality, integrity, and availability of Artemis Pro information systems and/or Customer’s Confidential Information. Such policies and procedures shall (i) assign specific data security responsibilities and accountabilities to specific individual(s); (ii) include a formal risk management program, which includes periodic risk assessments; and (iii) provide an adequate framework of controls that safeguard Customer’s information systems, including without limitation any hardware or software supporting Customer, and Customer’s Confidential Information.
2. Security Evaluations
Artemis Pro shall periodically (no less than annually) evaluate its processes and systems to ensure continued compliance with obligations imposed by law, regulation, or contract with respect to the confidentiality, integrity, availability, and security of Customer’s Confidential Information within Artemis Pro information systems as well as the maintenance and structure of Artemis Pro’s information systems. Artemis Pro shall document the results of these evaluations and any remediation activities taken in response to such evaluations.
3. Physical Security
Artemis Pro shall maintain appropriate physical security controls (including facility and environmental controls) to prevent unauthorized physical access to Artemis Pro information systems and areas in which Customer’s Confidential Information is stored or processed.
4. Visitor Access Logs
Artemis Pro shall maintain sign-in access logs for visitors and guests and ensure that such visitors and guests are escorted while in the facility. In addition, these access logs shall be maintained in a secure location for three (3) months.
5. Perimeter Controls
Artemis Pro shall maintain reasonable network perimeter controls such as firewalls at all perimeter connections.
6. Vulnerability Management
Artemis Pro shall employ reasonable vulnerability management processes to mitigate data security risks to Customer’s Confidential Information. These processes shall include mitigation steps to resolve issues identified by Artemis Pro, Customer, or any regulator, auditor, or other external constituent of either party.
7. System Hardening
System configuration parameters shall include procedures to disable all unnecessary services on devices and servers. This practice shall at a minimum be applied to all systems that access, transmit, or store Customer’s Confidential Information.
8. Patch Management
Artemis Pro shall establish and adhere to policies and procedures for patching systems. Systems and applications used to access, process or store Customer’s Confidential Information shall be maintained at current stable patch level.
9. Anomaly Detection
Artemis Pro shall install commercially reasonable anomaly detection software, to include anomaly / intrusion detections and deviations from standard system configuration, on all systems used to access, process or store Customer’s Confidential Information as well as other information that Artemis Pro hosts. In addition, definition files shall be updated regularly.
10. Incident Response
Artemis Pro shall maintain formal processes to detect, identify, report, respond to, and resolve any event that compromises the confidentiality, availability, or integrity of Customer’s data or service provider’s systems (“Security Incidents”) in a timely manner.
11. Incident Notification
Artemis Pro shall immediately provide Customer with notification of any known or reasonably suspected breach of security relating to Customer Systems or Customer’s Confidential Information. Artemis Pro will notify Customer immediately following discovery of any suspected breach or compromise of the security, confidentiality, or integrity of any Customer’s Confidential Information. Written notification provided pursuant to this paragraph will include a brief summary of the available facts and the status of Artemis Pro’s investigation.
12. System Logs
For all systems that access, transmit or store Customer’s Confidential Information, system logs shall be in place to uniquely identify individual users and their access to associated systems and to identify the attempted or executed activities of such users. All systems creating system logs shall be synchronized to a central time source. Reasonable processes shall be in place to review privileged access and identify, investigate and respond to suspicious or malicious activity. System log trails shall be secured in a manner to prevent unauthorized access, modification, and accidental or deliberate destruction. These logs shall be maintained in accordance with the retention requirements set forth in the Agreement or upon a mutual written agreement signed by both parties.
13. Background Checks
Artemis Pro shall maintain processes to determine whether a prospective member of Artemis Pro’s workforce is sufficiently trustworthy to work in an environment which contains Artemis Pro information systems and Customer’s Confidential Information.
14. Change Control Process
Artemis Pro shall maintain reasonable change control processes to approve and track changes within Artemis Pro’s computing environment.
15. Protection of Storage Media
Artemis Pro shall ensure that storage media containing Customer’s Confidential Information is properly sanitized of all Customer’s Confidential Information or is destroyed prior to disposal or re-use for non-Artemis Pro processing. All media on which Customer’s Confidential Information is stored shall be protected against unauthorized access or modification. Artemis Pro shall maintain reasonable and appropriate processes and mechanisms to maintain accountability and tracking of the receipt, removal and transfer of storage media used for Artemis Pro information systems or on which Customer’s Confidential Information is stored.
16. System Accounts
Artemis Pro shall maintain appropriate processes for requesting, approving, and administering accounts and access privileges for Artemis Pro information systems and Customer’s Confidential Information. Artemis Pro personnel who access systems that store, transmit or process Customer’s Confidential Information shall be assigned individual system accounts to ensure accountability for access granted.
Artemis Pro shall implement appropriate password parameters for systems that access, transmit or store Customer’s Confidential Information (“Related Systems”). Artemis Pro shall implement strong authentication services and complex passwords (“Passwords”) for all network and systems access to Related Systems. Default manufacturer passwords used in Artemis Pro’s products shall be changed upon installation.
18. Third Parties
Artemis Pro shall ensure that any agent, including without limitation any third-party subcontractor, to whom Artemis Pro provides Customer’s Confidential Information agrees to maintain reasonable and appropriate safeguards to protect such Customer’s Confidential Information.