The vendor shall supply all hosting equipment (hardware and software) required for performance of the contract and shall ensure its maintenance and replacement as necessary. The vendor shall warrant that all systems and software are delivered free of malware or other malicious or destructive code. All application code should be written to comply with secure coding guidelines such as those published by the Open Web Application Security Project (OWASP). Custom code should be scanned, and the scan results reviewed, to identify coding vulnerabilities before the code is moved to production.

In the event of adverse risk findings through an audit or assessment, the vendor shall cooperate with the Commission in remediating any risks to the system, including complying with requests to temporarily take the system offline or otherwise limit access to the system during remediation if warranted.

Vendors must have a plan for compliance with all applicable breach notification laws, including Pennsylvania's Breach of Personal Information Notification Act (73 P.S. Section 2301 et seq.). The Commission must be notified in writing within 72 hours of the earliest indication or report of a breach or unintended disclosure of confidential information. The vendor is responsible for notifying the Commission of any potential breach or unintended disclosure of confidential information that occurred with its subcontractors.

Incident response actions that may affect confidential information must be conducted quickly and with ample resources. The vendor must engage a professional third-party incident response team if its in-house resources lack sufficient skill or availability. The Commission shall have the right to view, upon request, all incident response evidence, reports, communications, and related materials affecting Commission systems. If requested by the Commission, or if required by law, the vendor shall, at its own cost and expense, notify in writing all persons affected by the incident.
The vendor is responsible for hardening all devices to run only the services required to support the application. All unnecessary services must be disabled (for example, UPnP, SLP, etc.). No generic user accounts for shared resources will be permitted. All administrator account passwords and SNMP community strings must be changed from the manufacturer's default values to hardened values. All account credentials (username/password) must be encrypted during transmission.

The Commission requires that all corporate-owned mobile devices that connect to Commission applications be enrolled in and managed by the Commission's current Mobile Device Management (MDM) solution. No other enterprise MDM profile or software may be installed in parallel.

Audit logs must be implemented for all systems. All actual or attempted violations of system security must generate an audit log entry. Audit logs must be secured against unauthorized access or modification.

Any request for access to Commission systems or facilities for a non-Commission employee shall include criminal background information furnished by the vendor. The criminal background check must comply with state and federal law and must include the results of a National Criminal Information Database check. If the individual is a Pennsylvania resident, a Pennsylvania state-wide check (ePATCH) must also be included. If a consultant is working offshore, the results of an international background check will be required; IT Security will specify detailed background check requirements based upon the individual's country of origin. Verification of valid photo identification matching the submitted resource's name and image is required. Access will not be provided until the required background checks and documentation are completed and provided by the vendor. Background checks are valid if completed within the last 5 years.