Information Security Requirements

Last Modified APR 2022

Policy

Service Provider will implement, maintain, and meet the following requirements:

Information Security Policy & Governance
Service Provider has created, implemented, and maintained an information security program that meets or exceeds industry standards and that includes, without limitation, the Security Policies, governance structures, staffing, monitoring, and assessment procedures necessary to sustain such a program. The program includes administrative, technical, and physical safeguards that ensure the availability, integrity, privacy, confidentiality, and security of Tempus Data (as defined below).
Service Provider has and will maintain formal, written information security policies that are in accordance with all applicable laws (including without limitation, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH) and Title I of the Genetic Information Nondiscrimination Act of 2008, and any regulations promulgated thereunder), rules, regulations, guidelines, and generally accepted industry standards (the “Security Policies”). Service Provider will review its Security Policies at least annually and whenever there is a material change in its security practices.
Service Provider has implemented and maintains a formal information security training program that educates Service Provider’s employees, agents, contractors and personnel (“Representatives”) on the organization’s Security Policies and the Tempus information security requirements. Representatives are bound by written agreements to comply with the Security Policies and to review them annually.

Security Safeguards
Service Provider will operate in a manner consistent with its Security Policies and will maintain appropriate physical, technical, and administrative safeguards necessary to protect the security and privacy of its assets and resources used in the delivery of the products and services to Tempus, including without limitation its hardware, software, freeware, related information, infrastructure, Representatives, components, tools, databases, devices, and third party products and services (the “Assets”).
Service Provider agrees that any data made available by Tempus that Service Provider and its Representatives access, process, transmit, share, and/or disclose (“Tempus Data”) will be encrypted at rest and in transit.
Service Provider will scan Assets used in connection with any products or services provided to Tempus for vulnerabilities on a regular basis, but no less frequently than monthly. Service Provider agrees that they will remediate discovered vulnerabilities without unreasonable delay, but no greater than fourteen (14) calendar days after discovering critical vulnerabilities and ninety (90) days for other vulnerabilities.
Service Provider will only have access to Tempus systems as expressly authorized by Tempus in writing and Service Provider will use such access solely for providing services to Tempus. Service Provider will not attempt to access any applications, systems, or data which Tempus has not expressly authorized Service Provider to access, nor will Service Provider use access credentials to create automated processes except as authorized in a fully executed Statement of Work with Tempus. Service Provider will not attempt to reroute, proxy, or spoof traffic to appear to come from another country or location in an attempt to bypass Tempus security controls.
Network Security

  • Service Provider has implemented and configures firewalls and other network boundary devices to deny all access to internal networks and only allow traffic based on defined rules. Service Provider has implemented and deploys network intrusion detection and prevention technology to monitor and detect any abnormal network activity.
  • Service Provider performs external network vulnerability assessments and penetration tests on networks supporting services provided to Tempus and tracks through to completion all issues and findings identified during such assessments in accordance with industry best practices. Service Provider has implemented and maintains multi-factor authentication for all users gaining remote access to Tempus Data and systems.

Endpoint Security

  • Service Provider has implemented and maintains a patch management policy and deploys patches based on criticality levels and timelines established in its patch management policy in accordance with industry best practices.
  • Service Provider has implemented and deploys anti-malware/virus protection on all of its endpoints (i.e., servers, workstations, and mobile devices where possible). Service Provider configures its anti-malware and virus protection policy so that malware and virus signatures are automatically updated and real-time detection is enabled. Service Provider logs and monitors activities at the network and host level for all systems supporting services to Tempus.

Application Security

  • Secure coding standards have been documented and are updated on a periodic basis. All developers are formally trained on secure coding practices and techniques, including avoiding the use of third party code frameworks and repositories with known vulnerabilities and ensuring adequate security testing is performed and approved. Service Provider develops, implements, and maintains its applications securely to limit vulnerabilities.
  • Service Provider performs application penetration tests and vulnerability scans to identify common vulnerabilities and security flaws in the application in scope for services provided to Tempus. Service Provider develops remediation plans and tracks through to completion all issues and findings identified during such tests.

Physical Security

  • Service Provider has implemented a physical security policy that governs the physical security of the organization and retention timelines for various facility related logs.
  • Service Provider issues physical IDs (badges or smart cards) for all personnel who are permitted unescorted physical access to their facilities. Service Provider’s physical security team provisions access to designated areas of the organization’s facilities based on the principle of least privilege in accordance with the staff’s department and job function. The organization diligently revokes access when required.

Cloud Security

  • Service Provider has established governance functions to ensure an effective cloud management process with transparency of information security, responsibility, and operations in alignment with industry best practices. Service Provider secures the systems and data stored, processed, and transmitted through its cloud services and infrastructure.

Mobile Device Security

  • Service Provider will ensure that appropriate measures for securing portable devices are instructed to, and followed by, its Representatives. This includes but is not limited to any time devices are not in a secured office location (e.g., in a hotel, automobiles, aircraft, home, etc.).
  • Service Provider will maintain technical controls sufficient to remotely wipe Tempus Data from any mobile device in the event the device is lost or stolen.

Identity and Access Management
Service Provider will restrict access to Assets only to authorized users with proper segregation of duties in accordance with the principle of least privilege. Any individual users with access to Tempus Data are assigned unique User IDs and passwords that are based on job-related roles and on a need-to-know basis.
Service Provider performs user access reviews on a periodic basis to ensure user access is commensurate with the user roles and responsibilities. Service Provider has a formal approval mechanism to grant and revoke user access (privileged as well as non-privileged) to systems that store, transmit, access, or process data or have direct connectivity to Tempus Data or Tempus systems.
Service Provider restricts privileged and administrator access to appropriate users within its IT department who are responsible for the ongoing support and maintenance of the IT systems.
Service Provider enforces strong password configuration requirements via a password management policy and requires multi-factor authentication (MFA). Service Provider’s password management practices will meet or exceed the following password requirements:

  1. Minimum of 8 characters

  2. Mixed case

  3. Use of alphanumeric characters and special characters

Service Provider employs strong authentication protocols that effectively protect user accounts from being compromised through common exploits such as brute force attacks, password cracking tools, default passwords, dictionary attacks, etc. Access logs will be kept and background checks will be performed for staff with access to Tempus Data.
Tempus Data will only be used by Service Provider to perform its obligations set forth in the Agreement. Service Provider acknowledges that it has no ownership rights with respect to Tempus Data and shall not either directly or indirectly acquire any rights to use, own, process, disclose, access, or transfer any Tempus Data other than a limited right to use it for the sole purpose of fulfilling its obligations to Tempus.

Security Assessments
Service Provider will maintain accurate books and records related to the performance of its obligations under this Exhibit. Upon Tempus’s prior written notice, Service Provider will either (i) provide a copy of a recently received SOC2 Type 2 audit report or (ii) permit Tempus or its agents to conduct a review of Service Provider’s books, records, systems, and processes in order to audit Service Provider’s compliance with this Exhibit (“Assessment”). Unless a Security Incident occurred, Tempus will have the right to perform an Assessment once per calendar year. Service Provider will subsequently remedy any identified deficiencies in a timely manner.
On a periodic basis, Service Provider shall complete Tempus’s compliance, privacy, and/or security assessment questionnaire.

Security Incidents
Service Provider has implemented and maintains a comprehensive incident response program that includes defined roles and responsibilities, the monitoring, detection and response to potential threats and incidents, as well as immediate reporting of suspicious activity and weaknesses. Service Provider’s Representatives are regularly trained on the recognition and reporting of Security Incidents (as defined below).
Service Provider has implemented and maintains a written information security incident response plan that addresses actual and/or suspected incidents affecting the confidentiality, integrity, and availability of Tempus Data.
Service Provider will report to Tempus in writing, promptly, but in no event greater than 24 hours, any breach or suspected breach of security leading to the unavailability of systems or services that impact the ability to deliver the contracted goods or services to Tempus or the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Tempus Data in the possession, custody, or control of the Service Provider and its respective directors, officers, employees, affiliates, agents, subcontractors, and representatives (in each case, a “Security Incident”). Security Incidents will not include unsuccessful attempts or activities that do not compromise the security of Tempus Data or ability to deliver goods or services to Tempus. Such report will include:

  1. Description of the nature and scope of the suspected Security Incident;

  2. Potential impact on the delivery of contracted goods or services to Tempus;

  3. Potential impact on Tempus Data;

  4. A brief description of how Service Provider is investigating the incident and mitigating any losses and harmful effects; and

  5. Service Provider’s corrective action plan to prevent future similar occurrences.

Service Provider will promptly investigate all Security Incidents, including, where reasonable and appropriate, internal forensic analysis and mitigation of all incidents. Upon request, Service Provider will provide to Tempus interim reports of the results of any responsive forensic investigation and remediation efforts. Service Provider shall cooperate fully with all requests from Tempus or its representatives for information regarding the Security Incident and Service Provider shall provide regular updates on the investigative and corrective action taken for the Security Incident.

Third Party Management
Service Provider will conduct risk assessments and reviews upon all third parties with access to Tempus Data no less than once per year. Service Provider will monitor third party compliance with security requirements outlined in this Exhibit.
Service Provider will only provide Tempus Data to a third party upon Tempus’s prior written consent. Service Provider will report to Tempus, upon written request, a list of all third parties with access to Tempus Data and the nature of the services provided by those third parties that necessitates access to Tempus Data.
Service Provider will be responsible for the acts and omissions of the third party to the same extent as it is responsible for its own acts and omissions.

Miscellaneous
Any notice to be given to Tempus under this Exhibit shall be deemed given when received by Tempus at both of the following email addresses: soc@tempus.com and phi@tempus.com. If there is a conflict between this Exhibit and a business associate agreement between the parties, the terms of the business associate agreement will supersede to the extent necessary to resolve the conflict.
