Cyber Security Policy Manual

POLICY

1) Suppliers must strive to identify vulnerabilities, risks and threats, take all actions necessary to protect the City’s information regarding security issues and help limit the likelihood that vulnerabilities in systems and applications are exposed.

2) Suppliers must complete the “Supplier Information Security Questionnaire” and engage with the City’s Cyber Security Personnel to review the completed questionnaire. If deemed necessary, the City’s Cyber Security Team will conduct security scans against the application, software or service. If critical security issues are identified after reviewing the security questionnaire and/or conducting the security scans, the supplier must resolve these issues as quickly as possible.

3) The City must not use the service provided by the supplier until all critical security issues have been resolved.

4) If the supplier experiences a data breach that impacts the City’s information, the supplier must notify the City as quickly as possible so that certain measures can be taken to limit the impact of such a breach.

5) The supplier’s infrastructure must be protected against network intrusions and cyber-attacks that aim at compromising the confidentiality, integrity and availability of systems and applications. Network detection and prevention controls must also be implemented to identify and stop intrusions and cyber-attacks.

6) Suppliers must conduct vulnerability assessments regularly to identify and mitigate system and application vulnerabilities that could be exploited by unauthorized individuals to gain access to confidential information.

7) Suppliers, contractors or consultants must sign and adhere to the City’s Third Party Access Policy (TPA) to ensure that the City’s confidential information is protected against release and disclosure without proper authorization. Suppliers, contractors and consultants must not disclose confidential information to any person other than employees or authorized representatives of the City who require access to such information. Such confidential information includes, but is not limited to, information related to business processes, software, application data, resident lists, employee lists, personally identifiable information, protected health information, vendor lists, operational methods, strategic plans, and any other confidential affairs concerning the City of Greensboro and its employees and residents.

8) Suppliers, contractors or consultants must not collect information about the City’s employees and residents and distribute or share that information with other third parties or use the information to communicate with employees and residents about products, services or offerings.

9) Suppliers, contractors or consultants must avoid the unauthorized use of copyrighted materials of software or software applications and must confer with the City if they have any questions regarding the permissibility of photocopying, excerpting, electronically copying, or otherwise using copyrighted materials.
