1. Vendor shall supply all hosting equipment (hardware and software) required for performance of the contract and ensure maintenance and replacement as necessary to maintain compliance with the Service Level Agreement(s).

2. The Vendor shall warrant all systems/software to be delivered free of malware or other malicious or destructive code.

3. All application code should be written to comply with secure coding guidelines such as those of the Open Web Application Security Project (OWASP). Scans of custom code should be performed and reviewed to identify coding vulnerabilities prior to moving to production.

4. In the event of adverse risk findings through an audit or assessment, the Vendor shall cooperate with the Commission in remediating any risks to the system, including complying with requests to temporarily take the system offline or otherwise limit access to the system during remediation if warranted.

5. Vendors must have a plan for compliance with all applicable breach notification laws, including Pennsylvania's Breach of Personal Information Notification Act (73 P.S. Section 2301 et seq.).

6. The Commission must be notified in writing within 72 hours of the earliest indication or report of a potential breach or unintended disclosure of confidential information. The Vendor is responsible for notifying the Commission of any potential breach or unintended disclosure of confidential information that occurred with its subcontractors.

7. Incident response actions that may affect confidential information must be conducted quickly and with ample resources. The Vendor must hire a professional third-party incident response team if its in-house resources do not have sufficient skill or availability.

8. The Commission shall have the right to view all incident response evidence, reports, communications, and related materials affecting Commission systems, upon request.

9. If requested by the Commission, or if required by law, the Vendor, at its own cost and expense, shall notify in writing all persons affected by the incident.

10. The Vendor is responsible for hardening all devices to run only the services required to support the application. All unnecessary services must be disabled (for example, UPnP, SLP, etc.).