Minimum Vendor Information Security Requirements

Any vendor or supplier (“Vendor”) supporting Consensus Cloud Solutions Inc. (“CCSI”) is expected to implement and maintain the minimum information security requirements, as set forth below (as applicable to the scope of services provided to CCSI):

  1. Right to Audit
    • Vendor shall maintain all necessary documentation to show compliance with the minimum information security requirements set forth herein.
    • Upon request, Vendors shall permit CCSI or an independent third party to audit Vendor’s compliance with the minimum information security requirements.
    • To the extent required and applicable to the scope of work, Vendor must provide CCSI with written audit results as follows:
      • Audit results must be an ISO/IEC 27000 or other appropriate industry standard certification or report. The Vendor’s information security management program must comply with an internationally recognized standard (e.g., ISO/IEC, NIST).
      • If any such audit reveals material gaps or weaknesses in Vendor’s security program, CCSI shall be entitled to suspend transmission of CCSI Information to Vendor. Vendor is to cease processing of any of this information until such issues are resolved to the satisfaction of CCSI.
      • CCSI reserves the right to terminate Vendor services without penalty if identified gaps or weaknesses are not resolved within a reasonable period.
  2. Security Management
    • Vendor shall maintain a comprehensive written information security program, based on best practice standards for their industry. The program must contain:
      • Written information privacy and security policies, communicated to appropriate personnel and third party providers and revised on a regular basis.
      • Security training and awareness activities performed regularly and designed to enable employees and contractors to identify information privacy risks.
  3. Risk Management
    • Vendor shall implement a risk management program to formally identify, assess, treat and monitor risks regarding the Vendor’s business.
    • Vendor shall perform periodic risk assessments to evaluate the risk profile regarding the collection, storage, and use of CCSI Information.
    • Vendors should use best efforts to continually identify and mitigate internal and external risks that could result in the compromise of confidential information, including CCSI Information.
  4. Personnel Security/Human Resources Security
    • Vendor shall implement controls to enable employees, contractors, and service providers to adhere to policies and standards, according to roles and access in order to reduce the risk of theft, fraud, loss, and misuse of facilities or information.
      • Vendor must ensure that employees, contractors, and third party users understand their responsibilities and are suitable for the roles for which they are considered, including through any appropriate personnel screening.
      • Security roles and responsibilities of employees, contractors and third party users must be defined and documented to incorporate CCSI data protection control requirements, including background checks to the extent permitted by applicable law.
      • All employees, contractors and third party users must be provided with education and training in privacy and security procedures and the correct information processing requirements.
      • All employees, contractors, and third-party users must be notified of the consequences for not following the minimum information security requirements in connection with the handling of CCSI Information.
      • If Vendor has knowledge that an agent is using or disclosing CCSI Information in a manner contrary to the scope of services, Vendor will take reasonable steps to prevent or stop the use or disclosure.
  5. Operations Management
    • Vendor must provide appropriate security and protection from unauthorized access, damages and interference of assets based on classification, information sensitivity, and other factors.
      • All assets used to manage or store CCSI Information must be protected against unauthorized access, disclosure, modification, destruction or interference.
      • All software used by Vendor in providing services to CCSI must be properly licensed before entering into an Agreement with CCSI.
      • Vendors must ensure that media sanitization of assets conforms to an industry accepted Media Sanitization standard (e.g., NIST SP 800-88).
    • Vendor is responsible for data protection, privacy compliance, and security control validation/certification of its sub-contractors.
    • Vendor will protect against the risk of malicious code by using anti-malware products on clients and servers; using an appropriate blocking strategy on the network perimeter and filtering input to applications; and creating, implementing and training staff in appropriate computing policies and practices.
  6. Security Breach
    • Vendor must comply with specified incident response processes for CCSI Information and CCSI systems.
      • Vendor shall follow documented responsibilities and procedures to respond to information security incidents quickly, effectively, and in an orderly way. “Security Breach” means any act or omission that compromises either the security, confidentiality or integrity of the CCSI Information or the physical, technical, administrative or organizational safeguards put in place that relate to the security, confidentiality, or integrity of the CCSI Information.
    • Vendor shall bear all costs associated with resolving a security breach, including those costs associated with conducting an investigation, notifying consumers and others as required by law or the relevant Security Standard (e.g., PCI-DSS, HITRUST).
    • Vendor shall report any Security Breach through appropriate management channels as quickly as possible. Any Security Breach involving or impacting CCSI or a CCSI affiliate or subsidiary must be reported to CCSI. Notification must be within twenty-four (24) hours from detection of compromise to CCSI Information, CCSI brand, logo or trademarks.
    • Vendor shall cooperate with CCSI in investigations of any incidents involving CCSI Information or CCSI systems. Vendor shall cooperate with CCSI and CCSI personnel, affiliates and representatives in responding to inquiries, claims, and complaints regarding the processing of CCSI Information, including, but not limited to:
      • Assisting with any investigation as requested by CCSI.
      • Providing CCSI with physical access to facilities and operations affected.
      • Facilitating interviews with Vendor’s representatives and others involved in the matter.
      • Making available all relevant records, logs, files, data reporting and other materials required to comply with applicable law, regulation, industry standards, or as otherwise reasonably requested by CCSI.
    • Vendor shall not inform any third party of any Security Breach that affects CCSI without first obtaining the prior written consent of CCSI, other than to inform a complainant that the matter has been forwarded to CCSI legal counsel. CCSI shall have the sole right and authority to determine:
      • Whether notice of the Security Breach is to be provided to any individuals, regulators, law enforcement agencies, consumer reporting agencies or others as required by law or regulation, or otherwise in CCSI’s discretion.
      • The contents of such notice.
      • Whether any remediation may be offered to affected persons.
      • The nature and extent of any such remediation.
  7. Encryption and Data Management Controls
    • Cryptographic controls must be used to protect the confidentiality, integrity, and availability of CCSI Information in transit and while in Vendor’s possession (at rest). Controls for the management and use of cryptographic keys must be developed, implemented, and reviewed by Vendor on a periodic basis.
    • Vendor must encrypt:
      • Desktops, laptops, and all other portable devices storing CCSI Information, or folders/files containing CCSI Information.
      • All messages and files containing CCSI Information during transit over public networks.
    • If the processing involves the transmission of CCSI Information over a network, Vendor shall have implemented appropriate supplementary measures to protect CCSI Information against the specific risks presented by the processing. CCSI Information may only be transmitted in an encrypted format.
    • CCSI Information may not be stored on any portable computer devices or media (including laptop computers, removable hard disks or flash drives, personal digital assistants (PDAs) or computer tapes) unless the CCSI Information is encrypted, or the hard drive that contains the CCSI Information on the portable computer device or media is fully encrypted.
      • Vendor should also be aware of any regulations, standards, or industry or sector specific guidelines that set forth minimum guidelines for encrypting personal data.
  8. Access Controls
    • Access to resources, including CCSI Information, must be regulated by using information security access controls and authorization mechanisms commensurate with risk.
    • Vendor will secure its computer networks using multiple layers of access controls to protect against unauthorized access. In particular, the Vendor will:
      • Group network servers, applications, data and users into security domains.
      • Establish appropriate access requirements within and between each security domain.
      • Implement appropriate technological controls to meet those access requirements consistently, including (for example) firewalls.
    • Vendor will secure remote access to and from its systems by disabling remote communications at the operating system level if no business need exists and/or tightly controlling access through management approvals, robust controls, logging and monitoring access events and subsequent audits.
    • Vendor must deploy Multi-factor Authentication or Single Sign-On measures where possible to its systems containing CCSI Information or adjacent systems that can potentially be used to access CCSI Information.
    • Vendor must limit access to the minimum necessary to perform the required function.
    • Vendor must maintain and enforce a password policy, which addresses password length, composition, complexity, lockout, history and expiration.
    • Vendor, within 24 hours, must revoke access for any Vendor employee, contractor, or third party user of CCSI Information, and facilities processing CCSI Information, upon termination of their employment, contract or agreement, or adjust access upon a change of responsibility.
    • Vendor will define physical security zones and implement appropriate preventative and detective controls in each zone to protect against the risks of physical penetration by malicious or unauthorized people, damage from environmental contaminants, and electronic penetration through active or passive electronic emissions.
    • Vendor must appropriately leverage firewall infrastructure to segregate sensitive environments and restrict the use of insecure protocols. Network segments connected to the internet must be protected by a firewall, which is configured to secure all devices behind it.
  9. Vulnerability Management and Patch Management
    • Vendor must have appropriate vulnerability management controls to identify and mitigate deficiencies and weaknesses within their networks, systems, and software.
    • Vendor must conduct periodic vulnerability scans to identify vulnerabilities.
    • Vendor must prioritize remediation of identified vulnerabilities commensurate to their risk and remediation schedule.
    • Vendor must conduct periodic penetration testing by a qualified external party and remediate identified findings commensurate to their risk and remediation schedule. Upon request, Vendor must provide a report of the latest penetration test and vulnerability remediation progress.
    • Vendor must have a formal patch management schedule and controls to identify, test, and implement all required industry patches.
      • Vendor must apply all industry patches, as soon as they are available (in accordance with a patch schedule).
      • Vendor must implement all security patches, including those released to remediate critical deficiencies (e.g., zero-day exploits), immediately.
    • Vendor must implement strict code review practices for its software development lifecycle.
    • All software must be reviewed for security flaws and security flaws remediated prior to release. Security flaws that cannot be remediated prior to release, must be made known to CCSI and include a list of compensating controls mitigating the flaws and a remediation plan to fix identified flaws.
  10. Business Continuity and Disaster Recovery
    • Vendor must have appropriate Business Continuity and Disaster Recovery plans that do the following:
      • Prevent or mitigate business interruption and associated impact.
      • Address ongoing access to the CCSI Information, as well as security needs for backup sites and alternative communication networks.
    • Vendor must test the Business Continuity and Disaster Recovery capability regularly.
    • Vendor must counteract interruptions to business activities and protect critical business processes from the effects of major information systems failures or disasters, and ensure their timely resumption.
  11. Compliance
    • Vendor information security and data protection controls and processes must comply with applicable law and contractual obligations. If Vendor is unable to do so, it must notify CCSI immediately.
    • PCI Data Security Standards. If Vendor has access to or will create, receive, store, process, or transmit CCSI cardholder information (e.g. credit, debit, stored value, or prepaid card information), Vendor, at its own expense, warrants:
      • Vendor is, and will remain, responsible for securing cardholder information in its care, custody, possession, or control.
      • Vendor will comply with the applicable current Payment Card Industry Data Security Standards (“PCI Standards”).
      • Vendor will provide CCSI with an annual third party Attestation of Compliance.
        • If a third party provider will have access to, or will create, receive, store, process, or transmit CCSI cardholder information to perform under the Agreement, Vendor warrants that it will require this of the third party provider and will provide CCSI with the third party provider’s annual Attestation of Compliance issued by another party unaffiliated with the third party provider.
    • HIPAA Protected Health Information. If Vendor has access to or will create, receive, store, process, or transmit Protected Health Information, Vendor, at its expense, warrants:
      • Vendor is, and will remain, responsible for securing Protected Health Information in its care, custody, possession or control.
      • Vendor will comply with HIPAA, including all applicable privacy and security standards.