BANK OF AMERICA

21.4 Security Policy. Our Information Security Policy has been approved by our management and is published and communicated to our Workforce. We have procedures designed to ensure that our Extended Workforce are subject to similar policies and processes. We conduct periodic risk assessments to identify and assess reasonably foreseeable internal and external risks to the security, confidentiality and integrity of electronic, paper and other records containing CPI. We require our Extended Workforce to have a similar risk assessment process. The remainder of this Section 21 sets out the key aspects of our Information Security Policy.

21.5 Organizational Security. All information is stored in the United States for programs in the United States and Canada. Such information may be accessed by our Workforce and any Extended Workforce from locations within or outside the United States. Our Information Security Policy applies to all such access. We include, as part of our agreements with any Extended Workforce that has access to CPI, provisions that are consistent with those set out in this Section 21.

21.6 Human Resources Security. We take reasonable steps to ensure that our Workforce is aware of our obligations in the provision of the Services and Applicable Data Protection Laws, including that any unauthorized processing or disclosure of the CPI may lead to disciplinary action under their contract of employment or other contractual arrangements. Prior to receiving access to CPI, the Workforce and any Extended Workforce receive appropriate security awareness training and recurring security awareness training at appropriate intervals. The access rights of our Workforce with access to Information Processing System(s) or media containing CPI are removed upon termination of their employment, contract or agreement, or adjusted upon change of job function in accordance with the Information Security Policy.

21.7 Physical and Environmental Security. We protect all areas that contain Information Processing System(s) or media containing CPI by the use of security controls deemed appropriate by us.

21.8 Communications and Operations Management. We use detection, prevention, and recovery controls which are consistent with Financial Services Industry Best Practices to protect against malicious software and attacks, and train our Workforce on the prevention and detection of malicious software and attacks. We dispose of any paper, electronic or other record containing CPI using all reasonable steps to destroy (based on our determination of the sensitivity of the information) the CPI. To protect the confidentiality and integrity of CPI in transit, we use encryption tools that are consistent with Financial Services Industry Best Practices to encrypt records and files containing CPI that we: (i) transmit or send wirelessly across public networks; (ii) store on our laptops; (iii) where technically practicable, store on allowed portable devices; and (iv) store on any device that we authorize to be transported outside of our physical or logical controls. We use appropriate measures to safeguard the security and confidentiality of all encryption keys associated with encrypted CPI.

21.9 Access Control. To protect CPI from the risks inherent in mobile computing and remote access, we perform a risk assessment which, at a minimum, is designed to identify and mitigate risks to CPI from mobile computing and remote access, maintain a policy and procedures for managing mobile computing and remote access, and use security controls that are consistent with Financial Services Industry Best Practices to manage authentication of mobile and remote users.

21.10 Information Systems Acquisition, Development and Maintenance. To protect Information Processing System(s) and system files containing CPI, we restrict access to source code to authorized users whom we have determined have a need to know such CPI in the performance of their duties.

To protect Information Processing System(s) and system files containing CPI, we:

i. Use a change control process which is consistent with Financial Services Industry Best Practices to implement Information Processing System(s) changes; and

ii. Use security controls which are consistent with Financial Services Industry Best Practices.

21.11 Information Security Event Management. We maintain an incident response plan that addresses handling of Information Security Events. In accordance with such incident response plan, we will, to the extent not prohibited by law enforcement:

i. Provide you prompt, but in no event later than two (2) Business Days of becoming aware thereof, notice of any Information Security Event documented and verified by us as part of our standard incident response process that involves, or which we reasonably believe involves, the unauthorized access, use or disclosure of your CPI.

ii. Such notice shall, to the extent we are legally allowed, summarize in reasonable detail the Information Security Event and the corrective action taken or to be taken by us, if known at that time. We will promptly take all corrective action deemed necessary or appropriate by us. This includes responsibility and associated expenses for: (i) to the extent caused by the Bank or otherwise covered by the Bank's insurance, damages of any nature arising out of such Information Security Event, including without limitation damages to the individual Cardholders (i.e. identity theft); (ii) informing all affected individuals if applicable laws require notification to such individuals; (iii) reissuance of credit cards to all affected individuals; and (iv) credit monitoring services for one year for all affected individuals.

21.12 Business Continuity Management. In order to protect the confidentiality and availability of CPI, we maintain a business continuity management program that is consistent with Financial Services Industry Best Practices which we update and test at planned intervals and as required.

21.13 Security Assessments. We permit your representatives to perform one on-site or written assessment of the security controls used at our data processing and business facilities. Such assessments will be performed during regular business hours, at a date and time agreed to by both parties, and will not require access to Information Processing System(s). Such assessments will be subject to our security policies, procedures, and restrictions, including restrictions on access to data centers, the ability to perform hands-on testing, and copying of certain materials.

00-35-6182NSBW 02-28-2020 AK Page 13 of 16
Bank of America - Confidential ©2020 Bank of America Corporation