Orange County NC Website
Exhibit “E”
ONLINE's Security Requirements

The security requirements included in this document represent the minimum security requirements acceptable to ONLINE and its suppliers and are intended to ensure that a Third Party (i.e., Supplier, Reseller, Service Provider, end-user client, or any other organization engaging with ONLINE) has appropriate controls in place to protect information and systems, including any information that it receives, processes, transfers, transmits, stores, delivers, and / or otherwise accesses on behalf of ONLINE and its suppliers.

DEFINITIONS

“ONLINE Information” means ONLINE's and its suppliers' highly sensitive information including, by way of example and not limitation, data, databases, application software, software documentation, supporting process documents, operation process and procedures documentation, test plans, test cases, test scenarios, cyber incident reports, consumer information, financial records, employee records, and information about potential acquisitions, and such other information that is similar in nature or as mutually agreed in writing, the disclosure, alteration or destruction of which would cause serious damage to ONLINE’s and its suppliers' reputation, valuation, and / or provide a competitive disadvantage to ONLINE and its suppliers.

“Resource” means all Third-Party devices, including but not limited to laptops, PCs, routers, servers, and other computer systems that store, process, transfer, transmit, deliver, or otherwise access ONLINE Information.

1. Information Security Policies and Governance

Third Party shall have Information Security policies and procedures in place that are consistent with the practices described in an industry standard, such as ISO 27002 and / or this Security Requirements document, which is aligned to ONLINE’s Information Security policy.

2. Vulnerability Management

Firewalls, routers, servers, PCs, and all other resources managed by Third Party (including physical, on-premise or cloud hosted infrastructure) will be kept current with appropriate security specific system patches. Third Party will perform regular penetration tests to further assess the security of systems and resources. Third Party will use end-point computer malware detection / scanning services and procedures.

3. Logging and Monitoring

Logging mechanisms will be in place sufficient to identify security incidents, establish individual accountability, and reconstruct events. Audit logs will be retained in a protected state (i.e., encrypted, or locked) with a process for periodic review.

4. Network Security

Third Party will use security measures, including anti-virus software, to protect communications systems and network devices to reduce the risk of infiltration, hacking, access penetration by, or exposure to, an unauthorized third-party.

5. Data Security

Third Party will use security measures, including encryption, to protect ONLINE provided data in storage and in transit to reduce the risk of exposure to unauthorized parties.

6. Remote Access Connection Authorization

All remote access connections to Third Party internal networks and / or computer systems will require authorization with access control at the point of entry using multi-factor authentication. Such access will use secure channels, such as a Virtual Private Network (VPN).

7. Incident Response

Processes and procedures will be established for responding to security violations and unusual or suspicious events and incidents. Third Party will report actual or suspected security violations or incidents that may affect ONLINE and / or its data suppliers to ONLINE within twenty-four (24) hours of Third Party’s confirmation of such violation or incident.

8. Identification, Authentication and Authorization

Each user of any Resource will have a uniquely assigned user ID to enable individual authentication and accountability. Access to privileged accounts will be restricted to those people who administer the Resource and individual accountability will be maintained. All default passwords (such as those from hardware or software vendors) will be changed immediately upon receipt.

9. User Passwords and Accounts

DocuSign Envelope ID: ED55B3D5-BAD0-45B4-977B-F09C4091C16A