Master Provider Security Requirements

These Master Provider Security Requirements (“MPSR”) apply to any suppliers, contractors and other third parties (“Provider”) who may handle the assets, data or information of Gen Digital Inc. or its affiliates (“Gen”). This MPSR may be updated from time to time by Gen in its sole discretion, provided that the MPSR in effect at the time of performance of any activities covered by this MPSR shall apply to such performance.

1.        SECURITY REQUIREMENTS

Provider shall operate in compliance with: (i) the requirements set forth in this document; (ii) industry best practices and standards; and (iii) any applicable legal and regulatory requirements, whichever is the stricter, higher, or more protective standard.

Nothing herein is intended or shall be construed to limit any of Provider’s obligations under the Master Purchase Agreement, the Procurement Terms and Conditions, or any other applicable agreement or terms between Provider and Gen (“Terms”). In the event of any conflict between such Terms and this MPSR, the stricter, higher, or more protective standard shall govern unless otherwise expressly agreed to in writing and signed by both parties.

2.        DEFINITIONS

Gen Data
Any Gen data, content, and information that Provider is provided, or has access to.

Gen Restricted Data
Highly sensitive Gen Data limited to very few individuals and shared only on a need-to-know basis.

Applies to Gen Data that must be protected due to legal or regulatory requirements; may give Gen a competitive advantage.

Any Gen Data containing Nonpublic Personal Information (NPI), Personally Identifiable Information (PII), or Protected Health Information (PHI) is considered Gen Restricted Data.

Unauthorized disclosure impact will be severe. Unauthorized access, use, or disclosure is expected to have a major reputational, regulatory, or financial impact.

The business impact of loss or modification will be severe and is expected to have a major adverse effect on operations, assets, or individuals.

Gen Confidential Data
Sensitive Gen Data limited to small groups (e.g., project teams) and shared only on a need-to-know basis.

Applies to company secrets, proprietary code, and other data that would give Gen a competitive advantage.

Any Gen Data that is not expressly classified under this Section 2 as either Gen Restricted Data or Gen Internal Use Only is Gen Confidential Data.

Unauthorized disclosure impact will be severe to moderate. Unauthorized access, use, or disclosure may have a major reputational or financial impact but is not expected to have a regulatory impact.

The business impact of loss or modification will be severe to moderate and may have a major adverse effect on operations, assets, or individuals.

Gen Internal Use Only
Non-sensitive Gen Data used for conducting company business.

Applies to data commonly available within Gen and used for daily operations.

Unauthorized disclosure impact will be minimal. Unauthorized access, use, or disclosure is not expected to have a reputational, regulatory, or financial impact.

The business impact of loss or modification will be minimal and may have a limited adverse effect on operations, assets, or individuals.

Handle (or “handle”)
Any processing operation(s) performed upon Gen Data, whether by automatic means or not, such as collecting, recording, using, accessing, copying, reproducing, retaining, storing, disclosing, modifying, altering, transferring, transmitting, deleting, destroying or otherwise disposing of, selling, assigning, licensing, or marketing.

Personnel
Provider’s employees, contractors, subcontractors, and/or third parties engaged by or on behalf of Provider that provide services to Gen and/or handle Gen information.

Gen Information Assets
Gen assets including end user computing devices, networks, infrastructure, and data repositories.

3.        INFORMATION SECURITY POLICIES

3.1.     Management Direction for Information Security

3.1.1.     Provider shall maintain an Information Security Policy (ISP) that is reviewed and approved at least annually at the executive level. Provider shall ensure that all Personnel have access to and comply with the ISP.

4.        ORGANIZATION OF INFORMATION SECURITY

4.1.     Internal Organization

4.1.1.     Provider shall adopt physical, technical and organizational security measures in accordance with industry best practices and standards and be in compliance with all applicable legal and regulatory requirements as they apply to the Provider’s services being provided to Gen.

5.        HUMAN RESOURCE SECURITY

5.1.     Prior to employment

5.1.1.     Provider shall, when and to the extent legally permissible, perform background verification checks in compliance with the Gen policies for all Personnel who may have access to Gen Restricted Data or Gen Confidential Data and/or Gen Information Assets. Such background checks shall be carried out in accordance with and as permitted under applicable regulation and law and shall include the following regional equivalent items: SSN Trace, Global Blacklist Search, Criminal County Search (5-Year Address History), Criminal Federal Search (5-Year Address History), and Financial Sanctions Search.

5.2.     During employment

5.2.1.     Provider shall provide security awareness training based on industry best practices and standards to all Personnel at least annually.

5.2.2.     Additional Training

5.2.3.     Provider shall complete and implement additional training as may be required by Gen from time to time.

5.3.     Termination and change of employment

5.3.1.     Provider shall implement effective user termination / transfer controls that include access removal / disablement immediately upon termination or transfer of Personnel or when such Personnel no longer require handling of Gen Data as part of their job duties for Provider.

6.        ASSET MANAGEMENT

6.1.     Responsibility for assets

6.1.1.     Providers that use Gen Information Assets shall strictly adhere to the most current version of Gen’s Acceptable Use Standard.

6.1.2.     Gen Information Assets may not be modified in any way or used to provide services to any other parties other than by prior express written agreement with Gen.

6.2.     Media handling

6.2.1.     Destruction Requirements and Compliance Evidence

6.2.1.1.     Any and all Gen Data is and shall remain the sole property of Gen, and Provider shall not acquire any rights or licenses therein except as expressly set forth in the relevant Terms. Provider shall return to Gen (or at Gen’s option, destroy) any and all Gen Data and any other information and materials that contain such Gen Data (including all copies in any form) immediately upon Gen’s request, or upon the earlier of the completion of services or termination of the relevant Terms.

6.2.1.2.   Provider shall ensure secure disposal of systems and media to render all Gen Data contained therein undecipherable or unrecoverable prior to final disposal or release from Provider’s possession. This shall be undertaken in accordance with U.S. National Institute of Standards and Technology (NIST) approved standards. Within ten (10) days following Gen’s request, Provider shall provide Gen with a written certificate of destruction.

6.2.2.     Removable Media

6.2.2.1.     Use of removable media is prohibited. All ports for USB and external drives must be disabled on all workstations that handle Gen Data.

7.        ACCESS CONTROL

7.1.     Business requirements of access control

7.1.1.     Provider shall implement strong access control and restrict access to operating system configurations to authorized, privileged personnel for systems handling Gen Restricted Data or Gen Confidential Data.

7.1.2.     Mobile devices and teleworking

7.1.2.1.     Provider shall require that all Personnel who are able to access Gen Data use a Provider-issued device, excluding mobile devices.

7.1.2.2.     Provider shall not allow (and shall actively restrict) Personnel from accessing Gen Data via a mobile device.

7.1.3.     User access management

7.1.3.1.     Provider shall ensure that the Provider’s system (network, hosting and application) is designed in compliance with the least privilege principle.

7.1.3.2.     Provider shall enforce the use of strong passwords for all Provider systems (network, hosting, and application) as follows:

  ·    Passwords are at least ten (10) characters long;
  ·    Contain at least three of the following: upper-case letters, lower-case letters, numbers, non-alphabetic characters;
  ·    Expire after 90 days for all systems; and
  ·    Are never hard-coded, stored in files, or stored or transmitted in clear text.

7.1.3.3.     All vendor default passwords within software and hardware products must be changed before or during installation.

7.1.4.     User responsibilities

7.1.4.1.     For administrative accounts and for any accounts that allow remote access to systems, Provider shall use multi-factor authentication or other positive controls such as increased password length, shorter password life or restrictive white lists of users to restrict access to administrative accounts.

7.1.5.     System and application access control

7.1.5.1.     Provider shall maintain documentation on the applicable application, architecture, process flows and/or data flow diagram, and security features for applications handling Gen Restricted Data or Gen Confidential Data.

8.        CRYPTOGRAPHY

8.1.     Cryptographic controls

8.1.1.     Provider shall use NIST or PCI approved encryption and hashing standards (e.g. SSH, SSL, TLS) for transmission and storage of Gen Restricted Data and Gen Confidential Data.

8.1.1.1.     Where necessary to be stored on a portable device, the device shall be protected by full disk encryption.

8.1.2.     Gen Restricted Data or Gen Confidential Data stored on archive or backup systems shall be subject to at least the same protection measures used in the live environment.

9.        PHYSICAL AND ENVIRONMENT SECURITY

9.1.     Secure areas

9.1.1.     Provider shall ensure that the physical and environmental security of all areas containing Gen Restricted Data or Gen Confidential Data, including but not limited to data centers and server room facilities, is designed to:

9.1.1.1.     Protect information assets from unauthorized physical and logical access, based on the role, duties, grade level and geographical location of all Personnel.

9.1.1.2.     Manage, monitor, and log movement of Personnel into and out of such facilities and all other applicable areas, including, but not limited to, badge access control, locked cages, secure perimeter, cameras, monitored alarms, and enforced use provisioning controls, when and to the extent legally permissible.

9.1.1.3.     Guard against environmental hazards such as heat, fire and water damage.

9.1.1.4.     Deploy security Personnel to supervise access to the premises, and enforce strict policies to ensure Gen Data is not removed from the premises.

9.1.2.     In regards to data centers, contact centers and server facilities, Provider shall logically or physically segregate Gen Data from other customers’ or tenants’ data.

10.      OPERATIONS SECURITY

10.1.  Operational procedures and responsibilities

10.1.1.  Provider shall implement operating system hardening for hosts and infrastructure handling Gen Restricted Data or Gen Confidential Data. Operating system hardening includes, but is not limited to, the following configurations and practices:

  ·    Strong password authentication, at least as secure as set out in Section 7.1.3.2 above.
  ·    Inactivity time-out
  ·    Disabling unused ports/services
  ·    Log management
  ·    Disabling or removal of unnecessary or expired accounts
  ·    Changing default account passwords and where possible default account names
  ·    Timely patching and updates to firmware, OS and system, application and database level software

10.2.  Protection from malware

10.2.1.  Provider shall employ and maintain comprehensive anti-malware solutions configured to download signatures at least daily and a firewall solution (or other threat protection technologies) for end user computing devices which connect to the Gen network or handle Gen Restricted Data or Gen Confidential Data.

10.2.2.  Provider shall prohibit and disable the use of external devices for storing or carrying Gen Restricted Data or Gen Confidential Data, or for use with machines handling such data. External devices include, without limit: flash drives, CDs, DVDs, external hard drives and other mobile devices.

10.3.  Logging and Monitoring

10.3.1.  Provider shall ensure system audit or event logging and related monitoring procedures are implemented and maintained to proactively record user access and system activity for routine review. All log files shall be retained for at least twelve (12) months and access restricted to authorized personnel only.

10.3.2.  Providers who have physical access to Gen Restricted Data or Gen Confidential Data shall maintain logs for all entry points from CCTV, badge readers and sign-in sheets. All log files shall be retained for at least twelve (12) months and access restricted to authorized Personnel only, unless applicable data protection laws require a shorter retention period.

10.4.  Vulnerability Scanning

10.4.1.  Providers who handle Gen Restricted Data or Gen Confidential Data, or host internet accessible sites on behalf of Gen (either directly or through third parties), shall:

10.4.1.1.   Utilize industry standard scanning tools to identify network, host and application vulnerabilities.

10.4.1.2.   Perform at least monthly internal vulnerability scans of network(s), host(s) and application(s).

10.4.1.3.   Perform ad-hoc vulnerability scanning to identify network, host, and application vulnerabilities prior to release to production and after more than minor changes.

10.4.1.4.   Remediate all critical, high and medium vulnerabilities according to CVSS scoring, prior to release to production and thereafter according to the following vulnerability remediation timeframes:

  ·    Critical/High – 30 days
  ·    Medium – 60 days
  ·    Low – 90 days or prior to the next testing time period

10.4.1.5.   For critical zero-day vulnerabilities, recommended remedial risk mitigation actions shall be implemented without undue delay, and in no event later than the timeframe specified for critical vulnerabilities in this section. Provider shall promptly implement recommended remedial risk mitigation action, such as applying a software patch, software upgrades, application configuration modifications, or other compensating security preventative control methods, no later than twelve (12) business days after the recommended remedial action has been published, tested and determined safe for installation and use.

10.5.  Penetration Testing

10.5.1.  Providers who handle Gen Restricted Data or Gen Confidential Data, or have access to the Gen network shall:

10.5.1.1.   Utilize an independent third-party to perform an at least annual penetration test of network(s), host(s) and application(s).

10.5.1.2.   Utilize an independent third-party to perform ad-hoc penetration tests prior to release to production and no less than thirty (30) days after significant changes.

10.5.1.3.   Remediate all critical, high and medium vulnerabilities discovered by the pen-tester, prior to release to production and thereafter according to the following vulnerability remediation timeframes:

  ·    Critical/High – 30 days
  ·    Medium – 60 days
  ·    Low – 90 days or prior to the next testing time period

10.5.1.4.   Provide to Gen the executive summary portion of the third party penetration test relating to the network(s), host(s) and application(s).

10.5.1.5.   Review the penetration test reports of any appointed subcontractor or fourth party who handles Gen Restricted Data or Gen Confidential Data, or hosts internet accessible sites for Provider on behalf of Gen, and notify Gen of their use.

10.5.1.6.   Gen reserves the right, independently or through an authorized third party, to perform a network penetration test on the area(s) of the Provider’s network that handle Gen Restricted Data or Gen Confidential Data, connect to the Gen network, or host internet accessible sites on behalf of Gen.

11.      COMMUNICATIONS SECURITY

11.1.  Network-Level Requirements

11.1.1.  Provider shall use firewall(s) to protect networks that handle Gen Restricted Data or Gen Confidential Data or host internet accessible sites on behalf of Gen. The firewall(s) shall be able to effectively perform the following functions: stateful inspection, logging, support for all IPSec standards and certificates, support for strong encryption and hashing, ICMP and SNMP based monitoring, and anti-spoofing. Provider shall have network-based security monitoring (i.e., syslog, security information and event management (SIEM) software or host-based intrusion detection systems) for the segment(s) which handle Gen Restricted Data or Gen Confidential Data.

11.1.2.  Provider is not permitted to use a dynamic DNS service for their external facing website IP address. If a static IP address cannot be provided, then a non-internet-based method of interaction/communication shall be used.

11.2.  Hosting-Level Requirements

11.2.1.  The Provider shall not use or change a cloud environment in any capacity (i.e., IaaS, PaaS or SaaS, whether to process, transmit, access or store data) without obtaining express prior written consent from Gen. If Gen provides such permission, the Provider shall logically segregate all Gen Restricted Data and Gen Confidential Data.

11.3.  Information transfer

11.3.1.  For data originating from a Gen U.S. entity: Provider shall not access, store, process and/or use any Gen Data in a location outside the United States without Gen’s prior explicit approval. Additionally, Provider shall ensure that all Personnel who have access to Gen Data are located in the United States. If access or handling is performed outside of the United States, additional terms or agreements may be appropriate, and Provider agrees to promptly and in good faith enter into such additional terms or agreements as Gen may require from time to time.

11.3.2.  For data originating from a Gen EU entity or otherwise governed under EU and UK data protection laws: Provider shall not access, store, process and/or use any Gen Data in a location outside the European Union without Gen’s prior explicit approval. Additionally, Provider shall ensure that all Personnel who have access to Gen Data are located in the European Union. If access or handling is performed outside of the European Union, additional terms or agreements may be appropriate, and Provider agrees to promptly and in good faith enter into such additional terms or agreements as Gen may require from time to time.

12.      SYSTEM ACQUISITION, DEVELOPMENT AND MAINTENANCE

12.1.  Security in development and support processes

12.1.1.  Providers that develop source code for Gen, handle Gen source code (including without limit any Gen product or service source code), or develop and maintain applications that handle Gen Restricted Data or Gen Confidential Data shall:

12.1.1.1.   Deliver at least annual secure code training to all Personnel in-scope for delivering such services to Gen. Developers shall be proficient in the OWASP Top 10 and the CWE/SANS Top 25 vulnerabilities and their appropriate remediation techniques. Provider shall provide Gen with this initial evidence of compliance within thirty (30) days from the effective date of the relevant Terms between Gen and Provider and annually thereafter.

12.1.1.2.   Maintain and evidence an annual review of a documented change management process and software development lifecycle (SDLC), which includes:

  ·    Independent secure code reviews;
  ·    Secure programming guidelines and protocols for developing applications;
  ·    Threat model methodology to identify the key risks to applications and/or source code; and
  ·    Application security testing (testing may include static application security testing (SAST), dynamic application security testing (DAST) and third-party penetration testing)

12.2.  Test Data

12.2.1.  Provider may never use Gen Data for any testing scenarios.

13.      SUPPLIER RELATIONSHIPS

13.1.  Information security in supplier relationships

13.1.1.  Providers that either connect to any Gen network, handle Gen Restricted Data or Gen Confidential Data and/or develop or host internet accessible sites on behalf of Gen shall ensure that they maintain an applicable SOC 2 Type 2 attestation and/or ISO/IEC 27001 certification. Provider shall provide Gen with a copy of the SOC 2 Type 2 report and/or the ISO/IEC 27001 Statement of Applicability with certificate.

13.1.2.  Providers who cannot provide an applicable attestation or certification as stated above are required to undertake a Gen security risk assessment (SRA) or provide a SIG LITE as requested by Gen on an annual basis.

13.1.3.  Gen is a PCI Level 1 merchant. Any Provider who handles credit card data on behalf of Gen shall at all times remain in compliance with the most recent version of the Payment Card Industry Data Security Standard (PCI DSS) to the extent PCI DSS is applicable to the services provided under the Terms (e.g., if Provider accesses, collects, uses, retains, processes, discloses or transfers any cardholder data as defined under PCI DSS or any other data protected or subject to PCI DSS (collectively, “PCI Data”), or if any part of such services impacts the security of the PCI Data environment). Upon request by Gen, Provider shall promptly provide sufficient proof, as determined by Gen in its sole discretion, of compliance with PCI DSS to Gen. If Provider has knowledge of a potential violation of PCI DSS, Provider shall notify Gen promptly, but no later than 48 hours (or a shorter period where required under PCI DSS) after obtaining such knowledge, and come into compliance with PCI DSS within the time frame specified by Gen, but no later than 30 days after Provider obtains knowledge of such violation. Provider shall ensure that all of its Personnel comply with the same obligations that apply to Provider under the Terms and remain liable to Gen for compliance with the Terms by its Personnel. Provider shall provide Gen with this initial evidence of compliance (PCI AoC) within thirty (30) days from the effective date of the relevant Terms between Gen and Provider and annually thereafter.

13.1.4.  Where Provider or its Personnel have a reasonable belief that Gen Data may have been compromised, including without limit any unauthorized handling, Provider shall notify Gen thereof without undue delay after becoming aware, and Gen may conduct an SRA on three (3) days’ notice at the Provider’s expense. Provider shall provide prompt, full and good faith cooperation in the performance of the SRA.

13.1.5.  Provider and its Personnel shall fully cooperate with any Gen or Gen appointed third party auditors, including any regulatory investigation of Gen or its affiliates, and shall allow access to any (i) Personnel involved in performance of the services or handling of Gen Data, (ii) premises where the services are being performed; (iii) applications and systems used to perform the services; (iv) data and records kept or created with respect to the services or any agreement in place between Provider and Gen and/or Provider and its Personnel.

13.1.6.  Gen Restricted Data or Gen Confidential Data shall not be shared with any other third party without prior written agreement from Gen.

13.2.  Right to Audit

13.2.1.  In addition to Gen’s inspection and audit rights as set forth in any relevant Terms (including any data processing agreement), Gen reserves the right to require the Provider to undertake a Gen Security Risk Assessment at least annually. If Provider fails to comply with such request within a reasonable timeframe, or if the security questionnaire raises Gen security concerns that are not addressed by Provider to Gen’s satisfaction, Gen reserves the right (in addition to any other audit or other rights it may have) to conduct, or engage a reputable third party auditor to conduct, an SRA.

14.      INFORMATION SECURITY INCIDENT MANAGEMENT

14.1.  Management of information security incidents and improvements

14.1.1.  Provider shall notify Gen immediately, and in no event later than twenty-four (24) hours (unless applicable data protection law or the Terms require a shorter notice period), if there is a reasonable basis to believe that Gen Restricted Data or Gen Confidential Data may have been compromised, including without limit any unauthorized handling.

14.1.2.  Provider shall inform Gen of the following:

14.1.2.1.   A description of the nature of the incident including, where possible, the categories and approximate scale of the incident;

14.1.2.2.   The name and contact details of the Provider contact from whom more information can be obtained; and

14.1.2.3.   A description of the measures taken or proposed to be taken to address the incident including, where appropriate, measures to mitigate its possible adverse effects.

14.1.3.  Provider shall work with Gen promptly and in good faith as required to resolve the incident, and in conjunction with any associated investigations.

15.      INFORMATION SECURITY ASPECTS OF BUSINESS CONTINUITY MANAGEMENT

15.1.  Information security continuity

15.1.1.  Provider agrees to maintain a Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) (the “Plans”) with respect to the services being performed for Gen.

15.1.2.  The Plans must be tested at least annually, a copy may be requested by Gen, and all findings shall be remediated.

15.1.3.  At a minimum the Provider’s Plans must include the following requirements:

15.1.3.1.   Business Continuity Plan (BCP). Provider must maintain a BCP for their essential business functions. A BCP must contain the information necessary to plan for the recovery of each essential business function. BCPs must document the requirements necessary to execute the recovery strategy. BCPs must include strategies to achieve the essential business function recovery timelines determined in the associated Business Impact Analysis. The BCP must include the following information:

  ·    Executive Summary
  ·    Plan Overview, including the plan-specific recovery objectives
  ·    Scope
  ·    Assumptions
  ·    Business Impact Assessment (BIA)
  ·    Recovery Strategy Details and Recovery Procedures for each of the following effects:
         -    Loss of Facility
         -    Loss of Critical Personnel
         -    Loss of Core Dependencies
  ·    Notification, Escalation and Plan Activation Procedures
  ·    Call Lists
  ·    Recovery Resource Requirements

15.1.3.2.   Disaster Recovery Plan (DRP). Except to the extent superseded by more stringent standards included in the Terms, the following shall apply:

 ·    Provider shall provide Gen with a DRP relevant to any site, network, system, and/or application used to host Gen websites and data within thirty (30) days of the request.
 ·    DRPs shall include procedures to achieve a Recovery Time Objective (RTO) of four (4) hours or less and Recovery Point Objective (RPO) of no more than one (1) hour.

15.1.3.3.   Internet Service Providers. Provider shall maintain at least two Internet Service Providers (“ISPs”) with multiple paths into the building and traffic shall automatically be rerouted to another carrier.

15.1.3.4.   Fire. Provider’s facilities shall contain an automated fire suppression system that will not affect any of the equipment or systems but will immediately extinguish a fire.

15.1.3.5.   Bandwidth. Provider shall maintain two identical routers and an alternate firewall server. The backup router and firewall shall be pre-configured and able to be brought online immediately.

15.1.3.6.   Power. Provider’s service facilities shall have multiple sources of power including heavy-duty utility feed, extensive uninterrupted power supply (UPS) battery backup, surge protectors between power feed and UPS, and a back-up generator.

15.1.3.7.   Server Failure. Provider’s system shall be redundant to a reasonable degree necessary to meet up time and maintenance requirements.

Upon Provider’s determination of a disaster as defined in the Plan, Provider shall immediately notify Gen and commence the activities for which it is responsible under the Plan. If Provider materially breaches its obligations to provide disaster recovery services in accordance with this Section and, as a result thereof, fails to commence performance of services critical to the operation of Gen’s business within the prescribed period, Gen shall have, in addition to any other rights of Gen hereunder, the right to retain a third party to provide such services for so long as the disaster continues, at Provider’s expense. Upon cessation of a disaster, Provider shall, as soon as reasonably practicable, provide Gen with an incident report detailing the reason for the disaster and all actions taken by Provider to resolve the disaster.