16.2.2.2 SCE information management and information security policies and procedures as made available to Implementer from time to time ("SCE Policies and Procedures"), including without limitation ITS-445 "Standards for Information Security Response - Third Parties."

16.2.3 Implementer Response to Security Incident. The following will apply in the event of a Security Incident:

16.2.3.1 Implementer will submit a Security Incident Report (SIR) to SCE's or its affiliates', as the case may be, IT Help Desk or IT Operations Center ("ITOC") in accordance with SCE Policies and Procedures including ITS-445, and applicable law. The SIR shall be given promptly upon discovery of an SI and in any event not more than four (4) hours after discovery of a suspected SI, or sooner if required by law, statute or regulation. If additional time is required under the circumstances of the SI to ascertain the nature or extent of the SI, to stabilize the Computing System or to ensure the integrity of SCE's or its affiliates', as the case may be, data and information, then Implementer shall promptly notify SCE or its affiliates, as the case may be, in writing of the existence of an SI initially, and keep SCE or its affiliates, as the case may be, informed of developments and new information.

16.2.3.2 At SCE's or its affiliates', as the case may be, request, Implementer will meet with SCE or its affiliates, as the case may be, to discuss the cause of the Security Incident, Implementer's response, lessons learned and potential improvements to Implementer's system security processes and procedures.

16.2.4 Compromise of SCE Personal Information.

16.2.4.1 Additional SIRP Requirements for Personal Information. With respect to any SCE Personal Information in the possession or under the control of Implementer, to protect SCE Personal Information from unauthorized access, destruction, use, modification or disclosure, Implementer shall:

(a) Develop, implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect SCE Personal Information from unauthorized access, destruction, use, modification, or disclosure.

(b) Develop, implement and maintain data privacy and security programs with administrative, technical, and physical safeguards appropriate to the size and complexity of the Implementer's business and the nature and scope of Implementer's activities to protect SCE Personal Information from unauthorized access, destruction, use, modification, or disclosure.

16.2.4.2 Notice Requirements for Personal Information. In the event of a Security Incident where SCE Personal Information was, or is reasonably believed to have been, acquired by an unauthorized person, Implementer shall immediately provide the SIR required by Section 16.2.3. Such SIR shall state that SCE Personal Information may be involved, and shall describe the suspected nature of such SCE Personal Information.