Item 19 - Agreement with Empower Annuity Insurance Company for the Employee Deferred Compensation Plan
Last modified: 10/24/2023 11:43:40 AM
Creation date: 10/24/2023 11:35:25 AM
Template: City Clerk
Doc Type: Agenda Packet
Agency: Finance & Management Services
Item #: 19
Date: 9/19/2023
City of Santa Ana_Master Services Agreement_5.23.23 17

13.1 Systems Development Security. Empower addresses security as part of information systems development and operations and follows secure coding methodologies based on application development security best practices.

13.2 Software Security Management. Empower’s information systems (including operating systems, infrastructure, business applications, off-the-shelf products, services and user-developed applications) adheres to the information security standards set forth in Empower’s Information Security Policies.

13.3 Vulnerability Assessments/Ethical Hacking. Empower performs vulnerability assessments and penetration testing against Internet-facing points of presence. Empower corrects vulnerabilities or security issues discovered through such assessments in a manner and time frame consistent with established standards set forth in Empower’s Information Security Policies.

13.4 Cryptography. Empower uses cryptography techniques that assist Empower with preventing the unauthorized capture, modification of or access to data or information. Empower uses standard encryption algorithms that follow up-to-date encryption standards and industry practices. Such cryptography techniques may include but are not limited to: encryption of sensitive data sent across external communication lines; requirement of minimum 128-bit encryption TLS encryption for web browsers; and encryption of Personal Data while stored on laptops, mobile devices, and in recordkeeping databases.

14. Information Security Breach Management.

14.1 Incident Management Program. Empower maintains investigative measures and techniques for incident handling, including but not limited to: a formalized, enterprise-wide Computer Security Incident Response Team (“CSIRT”), and CSIRT processes which are tested at least annually.

14.2 Information Security Breach Response. Empower will notify Plan Sponsor after becoming aware of any Information Security Breach in accordance with all applicable Data Protection Laws. For the avoidance of doubt, Empower will (i) keep the Plan Sponsor informed of significant developments in connection with the investigation of such incident; (ii) investigate and assist any regulator or other governmental body with oversight over the Information Security Breach in investigating, remedying and taking any other action regarding the Information Security Breach as appropriate or required by law; and (iii) provide Plan Sponsor with information about remedial measures that have been undertaken to prevent such Information Security Breach from reoccurring. In the event that individual or regulatory notifications are required under applicable Data Protection Laws, the parties will cooperate with respect to notifications. To the extent the Information Security Breach is caused by Empower’s failure to abide by its obligations as set forth in this Data Security Addendum, Empower shall bear the costs of such notifications and provision of credit monitoring services to affected individuals to the extent required by law or otherwise appropriate in Plan Sponsor’s and Empower’s reasonable judgment.

15. Plan Sponsor Assessment Rights.

15.1 Assessment via Security Assurance Package. Within the secure Plan Sponsor website provided by Empower, Empower provides documentation that supports and informs the reader about Empower’s current security program and practices. These documents are referred to as the Security Assurance Package (“SAP”), which currently consists of the following items: Security Program Overview document, SOC 1 report, SOC 2 report, available IT certification reports (e.g. Verizon CRP), and a completed SIG questionnaire with related supporting materials. (The SIG is a standardized document template created by the Shared Assessments Program, a consortium of leading financial institutions, the Big 4 accounting firms, and companies from a wide array of industries.)

15.2 Regulatory Assessment. If Plan Sponsor’s governmental regulators require that Plan Sponsor perform an on-site audit of Empower’s network security, as supported by evidence provided by