
Vendor Information Security Requirements

These Vendor Information Security Requirements are subject to the terms and conditions of the
main agreement in which they are referenced and these requirements may be amended from time
to time. In no event shall these terms and conditions apply to CWT or any other party other than as
expressly provided for in each main agreement.

Copyright © 2016 CWT


1. Introduction

These terms and conditions (“Information Security Requirements”) set out the required information
security measures (“Technical and Organizational Security Measures”) which shall apply to the
Vendor (as defined below), its subcontractors, and each of the Vendor’s temporary personnel,
contractors, or additional vendors and/or agents acting on behalf of the Vendor (collectively
referred to herein as “Third Parties”) who perform any services and supply any products for, on
behalf of, and/or through Vendor and/or other obligations that include any of the following:

a. The collection, storage, handling, or disposal of CWT’s (as defined below) Confidential
Information (as defined below) resources;
b. Providing or supporting CWT branded services and products using non-CWT systems or other
resources;
c. Connectivity to CWT’s Confidential Information resources;
d. Incidental and/or CWT-paid-for development of any software to the extent produced or
developed by or on behalf of Vendor, or forming part of any software, pursuant to the
Agreement (as defined below) to which these Technical and Organizational Security Measures
are attached (including under any statement of work, exhibit, order or other document under,
subordinate to, or referencing the Agreement) for the development of which CWT has been
charged monies; or
e. Website hosting and development for CWT and/or CWT’s clients.

2. Definitions

2.1 Unless otherwise set forth or expanded herein, defined terms shall have the same meaning as set
forth in the main Agreement. The following defined terms shall apply to these Information Security
Requirements:

“Affiliates” shall mean, with reference to a party, any company or other legal entity which: (i)
controls either directly or indirectly, a party; or (ii) is controlled, directly or indirectly, by a party; or
(iii) is directly or indirectly controlled by a company or entity which directly or indirectly controls a
party. For these purposes, “control” means the right to exercise more than fifty percent (50%) of the
voting or similar right of ownership; but only for so long as such control shall continue to exist.

"Agreement" means the contract or other legal document entered into by CWT and the Vendor.

“Company Restricted Data” are data that might cause serious loss, business interruption, or
embarrassment to: (a) CWT and its Affiliates; (b) a CWT client; (c) CWT personnel. This data includes
customer or supplier lists; individual traveler information; company business bank account numbers;
non-credit card branded gift and stored value card numbers; customer loyalty data not included in
Personal Information (as defined below); trade secrets; customer codes; performance assessments;
contracts, requests for proposals, requests for quotes, and requests for information; strategic plans,
marketing plans, mergers and acquisitions and divestitures; and financial statements.

“Confidential Information” means any commercially sensitive, proprietary or otherwise confidential
information relating to CWT, its Affiliates or the contents and/or purpose of the Agreement, whether
oral, in writing or which by any other means may directly or indirectly come into the Vendor’s
possession or into the possession of a Vendor personnel or the Vendor’s personnel, agents,
contractors or sub-contractors as a result of or in connection with the Agreement. For the avoidance
of doubt all work product shall constitute Confidential Information.

“CWT” means the Carlson Wagonlit Travel entity outlined in the Agreement as well as its Affiliates.

“Demilitarized Zone” or “DMZ” is a network or sub-network that sits between a trusted internal
network, such as a corporate private Local Area Network (LAN), and an untrusted external network,
such as the public Internet. A DMZ helps prevent outside users from gaining direct access to internal
systems and other resources. Inbound packets from the untrusted external network must terminate
within the DMZ and must not be allowed to flow directly through to the trusted internal network. All
inbound packets which flow to the trusted internal network must only originate within the DMZ. The
DMZ must be separated from the untrusted external network by use of a Security Gateway and must
be separated from the trusted internal network by use of either:

a. another Security Gateway, or
b. the same Security Gateway used to separate the DMZ from the untrusted external network, in
which case the Security Gateway must ensure that packets received from the untrusted external
network are either immediately deleted or if not deleted are routed only to the DMZ with no
other processing of such inbound packets performed other than possibly writing the packets to a
log.

The following must only be located within the trusted internal network:

a. Any CWT Personal Information or Company Restricted Data stored without the use of Strong
Encryption,
b. The official record copy of information to be accessed from requests originating from the
untrusted external network,
c. The official record copy of information to be modified as the result of requests originating from
the untrusted external network,
d. Database servers,
e. All exported logs, and
f. All environments used for development, test, sandbox, production, and any other such
environments; and all source code versions.

Authentication credentials not protected by the use of Strong Encryption must not be located within
the DMZ.

“Government Data” means data belonging to a government entity and subject to enhanced
requirements due to its status. For these purposes, Government Data requires full compliance with
specific government standards.

“Incident Management Process” is a Vendor-developed, documented process and procedure to be
followed in the event of an actual or suspected attack upon, intrusion upon, unauthorized access to,
loss of, or other breach involving the confidentiality, availability, or integrity of CWT’s Confidential
Information.

“Masking” is the process of covering information displayed on a screen. System and user passwords,
national identification numbers, driver’s license numbers, passport numbers, health information,
meal preferences, biometric data, gender, and redress numbers should be completely masked at all
times. Charge card, debit card, loyalty, and financial account numbers require masking on all but the
last four numbers. Any birth date should mask the year.
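The Masking rules above, implemented as an added example (not CWT's code): the field names, the '*' mask character and the ISO YYYY-MM-DD birth-date format are assumptions, and the traveler record is constructed.

```python
"""Display masking per the "Masking" definition (example code, not CWT's).

Assumptions: field names, the '*' mask character, and ISO YYYY-MM-DD birth dates.
"""
import re
from datetime import date

MASK_CHAR = "*"

# Fields the definition says must be completely masked at all times.
FULL_MASK_FIELDS = {
    "password", "national_id", "drivers_license", "passport", "health_info",
    "meal_preference", "biometric", "gender", "redress_number",
}
# Card, loyalty and financial account numbers: mask all but the last four digits.
LAST4_FIELDS = {"card_number", "loyalty_number", "account_number"}
# Birth dates: mask the year only.
BIRTH_DATE_FIELDS = {"birth_date"}


def mask_full(value: str) -> str:
    """Replace every character; length is preserved so screen layouts do not shift."""
    return MASK_CHAR * len(value)


def mask_last4(value: str) -> str:
    """Mask every digit except the last four, keeping separators such as spaces or dashes.

    Conservative edge case (assumption): a value with fewer than four digits is
    masked completely, since "all but the last four" would otherwise reveal it all.
    """
    digit_positions = [i for i, ch in enumerate(value) if ch.isdigit()]
    if len(digit_positions) < 4:
        return mask_full(value)
    keep = set(digit_positions[-4:])
    return "".join(
        ch if (not ch.isdigit() or i in keep) else MASK_CHAR
        for i, ch in enumerate(value)
    )


def mask_birth_year(value) -> str:
    """Hide only the year of a birth date (date object or ISO string)."""
    if isinstance(value, date):
        return f"****-{value.month:02d}-{value.day:02d}"
    m = re.fullmatch(r"(\d{4})-(\d{2})-(\d{2})", value)
    if not m:
        raise ValueError(f"unsupported birth date format: {value!r}")
    return f"****-{m.group(2)}-{m.group(3)}"


def mask_record(record: dict) -> dict:
    """Apply the matching rule to each field; fields with no rule pass through unchanged."""
    masked = {}
    for name, value in record.items():
        if name in FULL_MASK_FIELDS:
            masked[name] = mask_full(str(value))
        elif name in LAST4_FIELDS:
            masked[name] = mask_last4(str(value))
        elif name in BIRTH_DATE_FIELDS:
            masked[name] = mask_birth_year(value)
        else:
            masked[name] = value
    return masked


# Constructed sample record (not real traveler data).
SAMPLE_TRAVELER = {
    "name": "A. Traveler",
    "card_number": "4111 1111 1111 1111",
    "passport": "X1234567",
    "birth_date": "1985-07-21",
    "meal_preference": "vegetarian",
    "booking_ref": "ABC123",
}

if __name__ == "__main__":
    for field, shown in mask_record(SAMPLE_TRAVELER).items():
        print(f"{field:16} {shown}")
```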

“Mobile and Portable Devices” mean mobile and/or portable computers, devices, media and
systems capable of being easily carried, moved, transported or conveyed that are used in connection
with the Agreement. Examples of such devices include laptop computers, tablets, USB hard drives,
USB memory sticks, Personal Digital Assistants (PDAs), mobile or data phones, and any other wireless
or periphery device with the ability to store Confidential Information.

“Personal Information” as defined under European Union Directive 94/46/EC and other applicable
global information security, data protection, and privacy laws, means any information relating to an
identified or identifiable natural person. An identifiable person is one who can be identified, directly
or indirectly, in particular by reference to an identification number or to one or more factors specific
to his physical, physiological, mental, economic, cultural or social identity. Examples include, but are
not limited to: full name (including prefix and suffix), personal identification number (PIN) or
password, payment card information or associated numbers (e.g. CVV number), bank account
information, email addresses, phone number, physical address, information evidencing health status
(e.g. prior treatments) or health requirements, travel documents such as driver’s license number,
state or national ID number, passport number, citizenship, residency, date of birth, sexual
orientation, religion, trade union membership, social security number or visa number, criminal
history, biometric or genetic data.

“Security Gateway” means a set of control mechanisms between two or more networks having
different trust levels which filter and log traffic passing, or attempting to pass, between networks,
and the associated administrative and management servers. Examples of Security Gateways include
firewalls, firewall management servers, hop boxes, session border controllers, proxy servers, and
intrusion prevention devices.

“Strong Authentication” means the use of authentication mechanisms and authentication
methodologies stronger than the passwords required herein. Examples of Strong Authentication
mechanisms and methodologies include digital certificates, two-factor authentication, and one-time
passwords.

“Strong Encryption” means the use of encryption technologies with minimum key lengths of 256 bits
for symmetric encryption and 1024 bits for asymmetric encryption whose strength provides
reasonable assurance that it shall protect the encrypted information from unauthorized access and is
adequate to protect the confidentiality and privacy of the encrypted information, and which
incorporates a documented policy for the management of the encryption keys and associated
processes adequate to protect the confidentiality and privacy of the keys and passwords used as
inputs to the encryption algorithm. Strong Encryption includes, but is not limited to: SSL v3.0+/TLS
v1.0+, Point to Point Tunneling Protocol (PPTP), AES 256, FIPS 140-2 (United States government
only), RSA 1024 bit, SHA1/SHA2/SHA3, Internet Protocol Security (IPSEC), SFTP, SSH, Vormetric v4, or
WPA2.

“Technical and Organizational Security Measures” mean any activities required under these
Information Security Requirements to access, manage, transfer, process, store, retain, and destroy
information or data; to disclose and notify affected parties required under the Agreement and under
applicable information privacy and data protection laws; and to safeguard information or data to
ensure availability, integrity, confidentiality, and privacy, or notify individuals of any failure to
safeguard such information or data. Measures include but are not limited to those required or
interpreted to be required under European Union Directives 94/46/EC and 2006/24/EC as
promulgated under member countries, the United States Gramm-Leach Bliley Act (GLBA), the United
States Health Insurance Portability and Accountability Act (HIPAA), the EU /Switzerland data privacy
requirements, and any other international and U.S. laws, official legal interpretation, or case
precedent pertaining to information or data under the Agreement.

“Third Party” means any subcontractors, and each of the Vendor’s temporary personnel,
contractors, or additional vendors and/or agents acting on behalf of the Vendor, and does include
any definition of Third Party under applicable EU, U.S., or other international law.

“Vendor” means the contracting entity set forth in the Agreement together with its Affiliates.

2.2 While Vendor has access to CWT’s Confidential Information, Vendor shall implement reasonable and
appropriate Technical and Organizational Security Measures in accordance with information security
best practices to protect the integrity, availability, and confidentiality of information.

2.3 The Vendor warrants and represents that it shall comply with the following Technical and
Organizational Security Measures to the extent that these are applicable to the provision of services
set forth in the Agreement:

3. Organization of Information Security

3.1 Vendor shall establish, implement, and maintain reasonable policies and a program of
organizational, operational, administrative, physical, and Technical and Organizational Security
Measures appropriate to (1) prevent any access to CWT’s Confidential Information in a manner not
authorized by the Agreement or these Information Security Requirements, and (2) comply with and
meet all applicable industry standards. Vendor shall ensure that its information security staff has
reasonable and necessary experience in information and network security.

3.2 Vendor shall provide an appropriate level of supervision, guidance, and training on the Technical and
Organizational Security Measures to Vendor’s Third Parties who require access to CWT’s Confidential
Information. Vendor shall provide Technical and Organizational Security Measure training upon hire
and prior to accessing Confidential Information. Refresher training shall be provided at least annually
and as soon as possible following any material change in Vendor’s Technical and Organizational
Security Measures.

3.3 Vendor’s Third Parties with significant security duties, including but not limited to human resources
or information technology functions, and any technology administrator function, shall also receive
specialized training specific to their respective roles. Specialized training shall include, as applicable
to the role, information security procedures, acceptable use of information security resources,
current threats to information systems, security features of specific systems, and secure access
procedures.

3.4 Vendor shall take reasonable steps to prevent unauthorized physical or electronic access to or loss of
CWT’s Confidential Information and the services, systems, devices or media containing this
information.

3.5 Vendor shall employ risk assessment processes and procedures to regularly assess systems used to
provide services or products to CWT. Vendor shall remediate such risks as soon as reasonably
possible and commensurate with the level of risk posed to CWT Confidential Information given
threats known at the time of identification. Vendor shall operate a process to enable Vendor’s Third
Parties to report risks or suspected incidents to the Vendor security team.

3.6 To the extent that Vendor’s Third Parties perform services pursuant to the Agreement in CWT
facilities or using services, systems, devices or media owned, operated or managed by CWT, Vendor
shall comply with all CWT policies made available to Vendor that are applicable to such access.
Vendor shall require all of Vendor’s Third Parties using CWT facilities, services, systems, devices or
media to perform services pursuant to the Agreement to comply with all applicable CWT policies.
Vendor shall promptly notify CWT in writing when such access is no longer needed, including without
limitation when an employee, contractor, subcontractor, or third party of Vendor is no longer
performing services under the Agreement or when no longer accessing CWT’s Confidential
Information.

3.7 Vendor shall keep record of Vendor resources that access, transfer, maintain, store, or process CWT
Confidential Information.

4. Physical and Environmental Security

4.1 Vendor shall ensure that all of Vendor’s systems and other resources intended for use by multiple
users are located in secure physical facilities with access limited and restricted to authorized
individuals only.

4.2 Vendor shall monitor and record, for audit purposes, access to the physical facilities containing
systems and other resources intended for use by multiple users used in connection with Vendor’s
performance of its obligations under the Agreement.

4.3 Vendor shall ensure that all of Vendor’s Third Parties shall sign a non-disclosure or confidentiality
agreement with Vendor prior to accessing CWT Confidential Information.

4.4 Vendor shall require all its personnel to abide by a clean desk policy and lock workstation screens
prior to leaving work areas.

4.5 Vendor shall collect all company assets upon employment or contract termination.

4.6 Vendor shall limit and monitor physical access to its facilities according to the following
requirements:

a. Visitor access is logged, and the log is maintained for three months including the visitor’s name,
company he/she represents, and the name of the employee authorizing the physical access.
b. Access is restricted to appropriate personnel, based on job requirements.
c. All employees must wear a company provided name badge.
d. Access is revoked immediately upon termination, and all physical access mechanisms, such as
keys, access cards, etc., are returned or disabled.
e. The data center or computer room is locked and access limited to only those requiring access.
f. Use video cameras to monitor individual physical access to sensitive areas, and review such data
regularly. Video footage must be stored for a minimum of three (3) months.
g. Equipment used to store, process or transmit Personal Information must be physically secured
including wireless access points, gateways, handheld devices, networking/communications
hardware, and telecommunication lines.

4.7 Vendor shall implement controls to minimize the risk of and protect against physical threats.

4.8 Vendor shall maintain all hardware assets processing or handling in accordance with third party
service provider’s recommended servicing requirements.

4.9 Vendor shall logically isolate conference room and other publicly accessible network jacks from
the Vendor’s network, and restrict them to authenticated users or disable them by default.

4.10 Vendor shall protect any device that captures payment card data via direct physical interaction from
tampering and substitution by periodically inspecting device surfaces to detect tampering or
substitution, and shall train personnel to be aware of attempted tampering with or replacement of
devices.

4.11 Vendor shall control and separate access points such as delivery and loading areas and other points
from all centers accessing, managing, storing, or processing CWT Confidential Information.

4.12 Vendor data centers must have heating, cooling, fire suppression, water detection, and heat/smoke
detection devices.

5. Access Control

Vendor shall:

5.1 Take all reasonable steps to prevent anyone from accessing CWT’s Confidential Information in any
manner or for any purpose not authorized by CWT and the Agreement. Vendor shall limit access to
CWT’s Confidential Information to Vendor’s Third Parties who (1) have a legitimate need to access
Confidential Information to provide services pursuant to the Agreement, and (2) have agreed in
writing to protect the integrity, availability, and confidentiality of CWT’s Confidential Information.

5.2 Maintain reasonable procedures to terminate access to CWT’s Confidential Information provided for
Vendor Third Parties when it is no longer needed or relevant to the performance of their duties, and
prior to the end of employment or engagement by CWT. Vendor shall comply with CWT’s
background check requirements to the extent needed and permitted by law, and as otherwise set
forth in an applicable statement of work/work order/purchase order.

5.3 Separate CWT’s information from any other customer’s or Vendor’s own applications and
information either by using physically separate servers or alternatively by using logical access
controls where physical separation of servers is not implemented.

5.4 Identify and require owners to review and approve access to systems used to access, process,
manage, or store CWT’s Confidential Information; and shall maintain and track access approvals.

5.5 Remove access to systems managing CWT Personal Information and Company Restricted Data within
24 hours of an employee, contractor, subcontractor, or third party terminating their relationship
with Vendor; and remove access to such systems within three (3) business days when an employee,
contractor, subcontractor, or third party changes job responsibilities within the company. All other
user IDs must be disabled or removed after 90 calendar days of inactivity.

5.6 Routinely review and approve access to systems managing CWT Personal Information and Company
Restricted Data at least quarterly to remove unauthorized access.

5.7 Limit access to CWT’s Information only to authorized persons or systems, and employ highly
restrictive access controls to any of Vendor’s systems and CWT Personal Information and Company
Restricted Data.

5.8 Limit system administrator (also known as root, privileged, or super user) access to operating
systems intended for use by multiple users only to individuals requiring such high-level access in the
performance of their jobs. Use check-out IDs with individual user log-in credentials and activity logs
to manage high security access when possible and otherwise reduce high-level access to a highly
limited number of users.

5.9 Require application, database, network, and system administrators to restrict access by users to only
the commands, data, systems, and other resources necessary for them to perform authorized
functions.

5.10 Require Strong Authentication for any remote access use of Confidential Information.

5.11 Prohibit, and employ reasonable Technical and Organizational Security Measures to ensure, that
Vendor’s Third Parties accessing Personal Information do not copy, move, or store Personal
Information onto local hard drives, or cut and paste or print Personal Information.

5.12 Manage remote access capabilities: activate use of remote access capabilities only when needed,
monitor while in use, and immediately deactivate after use.

5.13 Require at least two-factor authentication to connect to internal Vendor resources containing CWT
Confidential Information.

6. Identification and Authentication

Vendor shall:

6.1 Assign unique user IDs to individual users and assign authentication mechanisms to one individual
account.

6.2 Use a documented user ID lifecycle management process including, but not limited to, procedures
for approved account creation, timely account removal, and account modification (e.g., changes to
privileges, span of access, functions/roles) for all access to Confidential Information and across all
environments (e.g., production, test, development, etc.). Such process shall include review of access
privileges and account validity to be performed at least quarterly.

6.3 Enforce the rule of least privilege (i.e., limiting access to only the commands, information, systems,
and other resources necessary to perform authorized functions according to one’s job function).

6.4 Require all access to CWT Confidential Information be made using a valid user ID and password, and
require unique user IDs to employ one of the following: password or passphrase, two-factor
authentication, or a biometric value.

6.5 Require password complexity and meet the following password construction requirements: a
minimum of eight (8) characters in length for system passwords and four (4) characters for tablet
and smartphone passcodes. System passwords must contain three of the following: upper case,
lower case, numeric, or special characters. Passwords must also not be the same as the user ID with
which they are associated, contain a dictionary word, sequential or repeat numbers, and not be one
of the past five passwords. Require password expiration at regular intervals not to exceed ninety (90)
days. Mask all passwords when displayed.
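A checker for the 6.5 password construction rules, added here as an example that is not CWT's or any vendor's code; the short word list, reading "sequential or repeat numbers" as a run of three digits, case-insensitive comparison with the user ID, and PBKDF2 digests for the history check are all assumptions.

```python
"""Password construction checks for section 6.5 (example code, not CWT's or a vendor's).

Assumptions: a tiny stand-in word list, "sequential or repeat numbers" read as a run
of three digits, case-insensitive comparison with the user ID, and PBKDF2 digests for
the password-history check (a real system would reuse its existing password hash).
"""
import hashlib
import hmac
import re
import secrets
import string
from datetime import date

MIN_SYSTEM_LEN = 8        # system passwords
MIN_PASSCODE_LEN = 4      # tablet and smartphone passcodes
REQUIRED_CLASSES = 3      # of upper, lower, numeric, special
HISTORY_DEPTH = 5         # not one of the past five passwords
MAX_AGE_DAYS = 90         # expiration interval not to exceed 90 days
DIGIT_RUN = 3             # assumed length of a "sequential or repeat" digit run

# Stand-in for a real dictionary (assumption); a vendor would load a full word list.
DICTIONARY = {"password", "travel", "welcome", "summer", "secret", "letmein"}

CHARACTER_CLASSES = {
    "upper": str.isupper,
    "lower": str.islower,
    "numeric": str.isdigit,
    "special": lambda ch: ch in string.punctuation,
}


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 digest used only for the history comparison."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def remember_password(password: str) -> tuple:
    """Return (salt, digest) to append to a user's history; the plaintext is never stored."""
    salt = secrets.token_bytes(16)
    return salt, hash_password(password, salt)


def has_digit_run(password: str, run: int = DIGIT_RUN) -> bool:
    """True if any digit run holds `run` identical or +1/-1 stepping digits (111, 123, 987)."""
    for match in re.finditer(r"\d+", password):
        digits = [int(c) for c in match.group()]
        for i in range(len(digits) - run + 1):
            window = digits[i:i + run]
            steps = {b - a for a, b in zip(window, window[1:])}
            if steps in ({0}, {1}, {-1}):
                return True
    return False


def check_password(password: str, user_id: str, history=(), kind="system") -> list:
    """Return the list of 6.5 violations; an empty list means the password is acceptable.

    `history` holds (salt, digest) pairs, oldest first; `kind` is "system" or "passcode".
    """
    problems = []
    min_len = MIN_SYSTEM_LEN if kind == "system" else MIN_PASSCODE_LEN
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if kind == "system":  # the three-of-four class rule applies to system passwords
        present = sum(1 for test in CHARACTER_CLASSES.values() if any(test(ch) for ch in password))
        if present < REQUIRED_CLASSES:
            problems.append("fewer than three character classes")
    if password.lower() == user_id.lower():
        problems.append("same as user ID")
    if any(word in password.lower() for word in DICTIONARY):
        problems.append("contains a dictionary word")
    if has_digit_run(password):
        problems.append("contains sequential or repeated numbers")
    recent = list(history)[-HISTORY_DEPTH:]
    if any(hmac.compare_digest(hash_password(password, salt), digest) for salt, digest in recent):
        problems.append("reused one of the past five passwords")
    return problems


def password_expired(last_changed, today) -> bool:
    """True once a password has been in use for the full 90-day interval (dates or ISO strings)."""
    if isinstance(last_changed, str):
        last_changed = date.fromisoformat(last_changed)
    if isinstance(today, str):
        today = date.fromisoformat(today)
    return (today - last_changed).days >= MAX_AGE_DAYS


if __name__ == "__main__":
    # Constructed examples, not real credentials.
    previous = [remember_password("Tr4v#lsafe!")]
    for pw in ("Tr4v#lsafe!", "Password123", "jdoe", "Q9z!mNp2x"):
        print(f"{pw!r:16} -> {check_password(pw, 'jdoe', previous) or 'ok'}")
```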

6.6 Limit failed login attempts to no more than five (5) failed logon attempts within 24 hours and lock
the user account upon reaching that limit in a persistent state. Access to the user account can be
reactivated subsequently through a manual process requiring verification of the user’s identity.

6.7 Verify the user’s identity, and set one-time-use and reset passwords to a unique value for each user;
systematically prompt for a change after first use.

6.8 Use a secure method for the conveyance of authentication credentials (e.g., passwords) and
authentication mechanisms (e.g., tokens or smart cards).

6.9 Restrict service account and proxy passwords to a 12 character minimum, including upper case,
lower case, and numeric characters, as well as special symbols. Change service account and proxy
passwords at least annually.

6.10 Terminate interactive sessions, or activate a secure, locking screensaver requiring authentication,
after a period of inactivity not to exceed fifteen (15) minutes.

6.11 Use an authentication method based on the sensitivity of CWT’s Information. Whenever
authentication credentials are stored, Vendor shall protect them using Strong Encryption. Require
reauthentication after 15 minutes of inactivity.

6.12 Configure systems to automatically timeout after a maximum period of inactivity: server (15
minutes), workstation (15 minutes), mobile device (4 hours), Dynamic Host Configuration Protocol (7
days), Virtual Private Network (24 hours).

7. Information Systems Acquisition, Development and Maintenance

Vendor shall:

7.1 For CWT branded products or services, or for software developed for CWT, display a warning
banner on login screens or pages as specified in writing by CWT.

7.2 Ensure that all personnel, subcontractors or representatives performing work under the Agreement
are in compliance with these Technical and Organizational Security Measures and evidenced by
agreement no less restrictive than these Information Security Requirements.

7.3 Return all CWT-owned or -provided access devices as soon as practicable, but in no event more than
fifteen (15) days after the soonest of:

(a) expiration or Termination of the Agreement;
(b) CWT’s request for the return of such property; or
(c) the date when Vendor no longer needs such devices.

7.4 Employ an effective application management methodology that incorporates information technical
and organizational security measures into the software development process, and ensure that
information technical and organizational security measures, as represented in CWT’s software
development lifecycle or information security policies, standard, and procedures are implemented
by Vendor in a timely manner.

7.5 Follow standard development procedures, including separation of access and code between non-
production and production environments and associated segregation of duties between such
environments.

7.6 Ensure internal information security controls for software development are assessed regularly and
reflect industry best practices, and revise and implement these controls in a timely manner.

7.7 Manage security of the development process and ensure secure coding practices are implemented
and followed, including appropriate cryptographic controls, protections against malicious code, and
a peer review process.

7.8 Conduct, or arrange for the conduct of, penetration testing on functionally complete applications at
least once every year and after any significant modifications to source code or configuration, using
NIST SP800-115. Remediate any exploitable vulnerabilities prior to deployment to the production
environment.

7.9 Use anonymized or obfuscated data in non-production environments. Never use plain text
production data in any non-production environment, and never use Personal Information in non-
production environments for any reason. Ensure all test data and accounts are removed prior to
production release.

7.10 Ensure Vendor’s Third Parties using open source code, software, applications, or services maintain
due diligence in reviewing such resulting code for flaws, bugs, or security issues that may impact
data integrity, availability, or confidentiality of CWT or CWT clients.

7.11 Ensure Vendor Third Parties will not, under any circumstances, share any code created under the
Agreement, regardless of the stage of development, in any shared or non-private environment, such
as an open access code repository, regardless of password protection.

8. Software and Data Integrity

Vendor shall:

8.1 In environments where antivirus software is commercially available and to the extent practicable,
have current antivirus software installed and running to scan for and promptly remove or quarantine
viruses and other malware from any system or device.

8.2 Separate non-production information and resources from production information and resources.

8.3 Ensure teams use a documented change control process for all system changes, including back-out
procedures for all production environments and emergency change processes. Include testing,
documentation, and approvals for all system changes and require management approval for
significant changes in such processes.

8.4 To the extent Vendor processes or stores cardholder data, build and maintain a PCI zone.

8.5 For applications that utilize a database that allows modifications to CWT’s Information, have
database transaction audit logging features enabled and retain database transaction audit logs for a
minimum of six (6) months.

8.6 Not perform any incidental development of any software under the Agreement.

8.7 Where technically feasible, for all software used, furnished and/or supported under the Agreement,
review such software to find and remediate security vulnerabilities during initial implementation and
upon any significant modifications and updates.

8.8 Perform quality assurance testing for the security components (e.g., testing of identification,
authentication and authorization functions), as well as any other activity designed to validate the
security architecture, during initial implementation and upon any significant modifications and
updates.

9. System Security

Vendor shall:

9.1 Regularly create and update the most recent versions of data flow and system diagrams used to
access, process, manage, or store CWT’s Confidential Information.

9.2 Actively monitor industry resources (e.g., www.cert.org and pertinent software vendor mailing lists
and websites) for timely notification of all applicable security alerts pertaining to Vendor’s systems
and other information resources.

9.3 Effectively manage cryptographic keys by restricting access to keys to the fewest custodians
necessary; storing secret and private cryptographic keys encrypted with a key at least as strong as
the data-encrypting key, separately from the data-encrypting key, in a secure cryptographic device
and in the fewest possible locations; changing cryptographic keys from default at installation and at
least every two years; and securely disposing of old keys.

9.4 At least quarterly, and prior to release for applications and for significant changes and any upgrades
within timeframes resulting from risk analyses based upon reasonable and generally accepted IT
policies and standards, scan externally-facing systems and other information resources, including,
but not limited to, networks, servers, and applications, with applicable industry-standard security
vulnerability scanning software to uncover security vulnerabilities.

9.5 At least quarterly, and prior to release for applications and for significant changes and upgrades
within timeframes resulting from risk analyses based upon reasonable and generally accepted IT
policies and standards, scan internal systems and other information resources, including, but not
limited to, networks, servers, applications and databases, with applicable industry-standard security
vulnerability scanning software to uncover security vulnerabilities, ensure that such systems and
other resources are properly hardened, and identify any unauthorized wireless networks.

9.6 Maintain a risk rating process for vulnerability assessment findings based on industry best practices
and potential impact. All assessment findings with a CVSS score of 4 or higher must be addressed via
a repeatable process.

9.7 Ensure that all of Vendor’s systems and other resources are and remain ‘hardened’ including, but not
limited to, removing or disabling unused network and other services and products (e.g., finger,
rlogin, ftp, and simple Transmission Control Protocol/Internet Protocol (TCP/IP) services and
products) and installing a system firewall, Transmission Control Protocol (TCP) wrappers or similar
technology.

9.8 In environments where such technology is commercially available and to the extent practicable,
deploy one or more Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), or
Intrusion Detection and Prevention Systems (IDP) in an active mode of operation that monitors all
traffic entering and leaving systems and other resources in conjunction with the Agreement.

9.9 Have and use a documented process to remediate security vulnerabilities in any system or other
resource, including, but not limited to, those discovered through industry publications, vulnerability
scanning, virus scanning, and the review of security logs, and apply appropriate security patches
promptly with respect to the probability that such vulnerability can be or is in the process of being
exploited. Critical patches with a CVSS score of 7.5 or higher must be installed immediately upon
availability and in no event longer than one month after release. Patches with a CVSS score of 4 or
higher must be installed within 90 days of release.
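The thresholds in 9.6 and 9.9 can be turned into a check that is run over scanner output. The
following Python script is an added example and is not part of these Requirements or of any CWT
tooling; the finding records, host names and advisory identifiers in it are constructed, and its
reading of "one month" as 30 days is an assumption rather than a term of the page.

```python
"""
Remediation-deadline triage for vulnerability scan findings.

Added example, not from the CWT requirements document. Thresholds taken from
clauses 9.6 and 9.9: CVSS >= 7.5 must be patched within one month of release,
CVSS >= 4 within 90 days; findings below 4 still enter the risk process but
carry no contractual deadline. The findings and the "today" date below are
constructed sample data; the 30-day reading of "one month" is an assumption.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

CRITICAL_CVSS = 7.5                    # clause 9.9: within one month of release
TRACKED_CVSS = 4.0                     # clauses 9.6 / 9.9: must be addressed; 90 days
CRITICAL_WINDOW = timedelta(days=30)   # assumption: "one month" read as 30 days
TRACKED_WINDOW = timedelta(days=90)


@dataclass(frozen=True)
class Finding:
    host: str
    plugin: str            # scanner check / advisory identifier (constructed)
    cvss: float
    patch_released: date   # vendor release date of the fix
    remediated: bool = False


def deadline_for(finding: Finding) -> Optional[date]:
    """Latest acceptable install date under 9.9, or None if no deadline applies."""
    if finding.cvss >= CRITICAL_CVSS:
        return finding.patch_released + CRITICAL_WINDOW
    if finding.cvss >= TRACKED_CVSS:
        return finding.patch_released + TRACKED_WINDOW
    return None


def classify(finding: Finding, today: date) -> str:
    """One of: 'remediated', 'overdue', 'due', 'untracked'."""
    if finding.remediated:
        return "remediated"
    due = deadline_for(finding)
    if due is None:
        return "untracked"
    return "overdue" if today > due else "due"


def triage(findings, today):
    """Group findings by status; the 'overdue' group is the contractual breach list."""
    report = {"remediated": [], "overdue": [], "due": [], "untracked": []}
    for f in findings:
        report[classify(f, today)].append(f)
    # Surface the worst first: highest CVSS, then earliest deadline.
    report["overdue"].sort(key=lambda f: (-f.cvss, deadline_for(f)))
    return report


# Constructed sample scan results (not real hosts or advisories).
SAMPLE_FINDINGS = [
    Finding("web-01.example", "ADV-0001", 9.8, date(2016, 3, 1)),
    Finding("web-01.example", "ADV-0002", 7.5, date(2016, 5, 10)),
    Finding("db-01.example", "ADV-0003", 5.3, date(2016, 1, 15)),
    Finding("db-01.example", "ADV-0004", 4.0, date(2016, 4, 1), remediated=True),
    Finding("app-01.example", "ADV-0005", 3.9, date(2015, 12, 1)),
]
SAMPLE_TODAY = date(2016, 5, 26)

if __name__ == "__main__":
    for status, items in triage(SAMPLE_FINDINGS, SAMPLE_TODAY).items():
        for f in items:
            print(f"{status:10} {f.host:16} {f.plugin} cvss={f.cvss} due={deadline_for(f)}")
```

Findings are keyed on the fix release date, not the scan date, because 9.9 measures the window
from release; a finding that is first seen long after the patch shipped is therefore already
overdue, which is the intended reading of the clause.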

9.10 Conduct generalized penetration testing internally and externally at least annually and after any
significant infrastructure or application upgrade or modification.

9.11 Remove or disable unauthorized software discovered on Vendor’s systems and employ reasonable
malware controls, including the installation, regular update and routine use of anti-malware
software products on all services, systems and devices that may be used to access CWT’s
Confidential Information. Use reliable and industry best practice anti-virus software where
practicable and ensure such virus definitions remain updated.

9.12 Maintain reasonably up-to-date software on all services, systems and devices that may be used to
access Protected Information, including appropriate maintenance of operating system(s) and
successful installation of reasonably up-to-date security patches.

9.13 Assign security administration responsibilities for configuring host operating systems to specific
individuals.

9.14 Change all default account names and/or default passwords.

10. Monitoring

Vendor shall:

10.1 Retain log data for CWT Confidential Information for at least 12 months and ensure such data is
available to CWT within a reasonable timeframe and upon request, except as specified in 8.54.

10.2 Record primary system Vendor’s Third Parties’ activities for systems containing any CWT Personal
Information and Company Restricted Data.

10.3 Restrict access for security logs to authorized individuals, and protect security logs from
unauthorized modification.

10.4 Implement a change detection mechanism (e.g. file integrity monitoring) to alert personnel to
unauthorized modification of critical system files, configuration files, or content files; configure
software to perform critical file comparisons weekly.
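A minimal form of the change detection mechanism that 10.4 calls for, as an added Python example
that is not part of these Requirements or of any product: it takes a baseline of SHA-256 digests and
permission bits for the files under a directory and reports additions, removals and modifications
on the next run. The directory tree and file contents it creates are constructed for the
demonstration; in a deployment the baseline would be kept where 10.3 puts security logs, protected
from modification, and the comparison scheduled at least weekly.

```python
"""
Minimal file integrity monitor of the kind clause 10.4 asks for.

Added example, not from the CWT document or any FIM product. It fingerprints
every regular file under a root (SHA-256 of contents plus permission bits),
then diffs a later fingerprint set against the stored baseline. The files
created in demo() are constructed for the example.
"""
import hashlib
import os
import stat
import tempfile
from typing import Dict, Tuple

Fingerprint = Tuple[str, int]  # (sha256 hex digest, permission bits)


def fingerprint(path: str) -> Fingerprint:
    """Hash the file contents in chunks and capture its permission bits."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return h.hexdigest(), mode


def build_baseline(root: str) -> Dict[str, Fingerprint]:
    """Walk a directory tree and fingerprint every regular (non-symlink) file."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                baseline[os.path.relpath(full, root)] = fingerprint(full)
    return baseline


def compare(baseline: Dict[str, Fingerprint], current: Dict[str, Fingerprint]):
    """Return the three change classes that 10.4 says must raise an alert."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: baseline a small config tree, then alter it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "etc", "sshd_config"), "w") as f:
            f.write("PermitRootLogin no\n")
        with open(os.path.join(root, "etc", "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")
        baseline = build_baseline(root)

        # Simulated unauthorized changes: edit one file, delete one, add one.
        with open(os.path.join(root, "etc", "sshd_config"), "w") as f:
            f.write("PermitRootLogin yes\n")
        os.remove(os.path.join(root, "etc", "hosts"))
        with open(os.path.join(root, "etc", "rc.local"), "w") as f:
            f.write("echo constructed-addition\n")
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind}: {p}")
```

Including the permission bits in the fingerprint means a mode change on an unchanged file (for
example a configuration file made world-writable) is reported as a modification even though its
digest is identical.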

10.5 Review, on no less than a weekly basis, all security and security-related audit logs on systems
containing CWT Personal Information and Company Restricted Data for anomalies and document
and resolve all logged security problems in a timely manner.

10.6 Review daily all security events, logs of system components storing, processing, or transmitting
cardholder data, logs of critical system components, and logs of servers and system components
performing security functions.

11. Security Gateways

Vendor shall:

11.1 Require Strong Authentication for administrative and/or management access to Security Gateways,
including, but not limited to, any access for the purpose of reviewing log files.

11.2 Have and use documented controls, policies, processes and procedures to ensure that unauthorized
users do not have administrative and/or management access to Security Gateways, and that user
authorization levels to administer and manage Security Gateways are appropriate.

11.3 At least once every six (6) months, ensure that Security Gateway configurations are hardened by
selecting a sample of Security Gateways and verifying that each default rule set and set of
configuration parameters ensures the following:

a. Internet Protocol (IP) source routing is disabled,
b. The loopback address is prohibited from entering the internal network,
c. Anti-spoofing filters are implemented,
d. Broadcast packets are disallowed from entering the network,
e. Internet Control Message Protocol (ICMP) redirects are disabled,
f. All rule sets end with a “DENY ALL” statement, and
g. Each rule is traceable to a specific business request.
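Checks (b), (c), (d), (f) and (g) of 11.3 can be applied to a gateway's ingress rule set
mechanically. The Python script below is an added example, not part of these Requirements or of any
firewall product: it models the rule set as an ordered first-match list, probes it with a loopback
source, a spoofed internal source and a limited-broadcast destination, and checks for the closing
DENY ALL and for a business-request reference on every rule. The rule syntax, the sample rule sets,
the ticket numbers and the address ranges are constructed. Checks (a) and (e) concern device
settings rather than rules and are not covered.

```python
"""
Rule-set review helper for the 11.3 semi-annual Security Gateway check.

Added example (not from these Requirements or any firewall product). The rule
syntax, sample rule sets, ticket ids and address ranges are all constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ref: Optional[str] = None    # business request / change ticket (11.3 g)


def _net(token: str) -> ipaddress.IPv4Network:
    return ANY if token == "any" else ipaddress.ip_network(token, strict=False)


def parse(text: str) -> List[Rule]:
    """Parse lines of the form '<allow|deny> <src> <dst> [ref=ID]'; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        ref = next((f[4:] for f in fields[3:] if f.startswith("ref=")), None)
        rules.append(Rule(fields[0].lower(), _net(fields[1]), _net(fields[2]), ref or None))
    return rules


def first_match(rules, src, dst) -> Optional[Rule]:
    """First-match semantics: the first rule covering both addresses decides."""
    return next((r for r in rules if src in r.src and dst in r.dst), None)


def review(rules: List[Rule], internal_ranges: List[str]) -> List[str]:
    """Return findings against 11.3 (b), (c), (d), (f), (g); an empty list means compliant."""
    findings = []
    if not rules:
        return ["empty rule set"]
    last = rules[-1]
    if not (last.action == "deny" and last.src == ANY and last.dst == ANY):
        findings.append("11.3(f): rule set does not end with DENY ALL")
    for i, r in enumerate(rules, 1):
        if not r.ref:
            findings.append(f"11.3(g): rule {i} has no business-request reference")
    probes = []   # (clause, source address, destination address)
    for net in internal_ranges:
        inside = ipaddress.ip_network(net)
        # Probe a generic internal host plus every host an allow rule exposes,
        # because that is where loopback-sourced or spoofed traffic would land.
        targets = [inside[2]] + [r.dst[0] for r in rules
                                 if r.action == "allow" and r.dst != ANY
                                 and r.dst.subnet_of(inside)]
        for target in targets:
            probes.append(("11.3(b)", ipaddress.ip_address("127.0.0.1"), target))
            probes.append(("11.3(c)", inside[1], target))   # internal source seen from outside
    # (d) limited broadcast from an outside host (RFC 5737 documentation address)
    probes.append(("11.3(d)", ipaddress.ip_address("198.51.100.7"),
                   ipaddress.ip_address("255.255.255.255")))
    for clause, src, dst in probes:
        hit = first_match(rules, src, dst)
        if hit is None or hit.action != "deny":
            findings.append(f"{clause}: inbound {src} -> {dst} is not denied")
    return findings


# Constructed sample ingress rule sets for the external interface.
GOOD_RULESET = """
deny  127.0.0.0/8  any              ref=CHG-1001   # 11.3(b) loopback
deny  10.0.0.0/8   any              ref=CHG-1001   # 11.3(c) anti-spoofing
deny  any          255.255.255.255  ref=CHG-1001   # 11.3(d) broadcast
allow any          10.0.1.10/32     ref=CHG-2042   # public web server
deny  any          any              ref=CHG-1001   # 11.3(f) DENY ALL
"""

BAD_RULESET = """
allow any          10.0.1.10/32     ref=CHG-2042
allow 10.0.0.0/8   any                             # no ticket; admits spoofed internal sources
deny  any          10.0.0.0/8       ref=CHG-1001   # not a DENY ALL
"""

if __name__ == "__main__":
    for name, text in (("good", GOOD_RULESET), ("bad", BAD_RULESET)):
        print(name, review(parse(text), ["10.0.0.0/8"]) or ["compliant"])
```

The review probes the hosts that allow rules expose rather than only a generic internal address,
because an anti-spoofing or loopback deny that sits below a broad allow is shadowed by it under
first-match evaluation and gives no protection to the exposed host.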

11.4 Ensure that monitoring tools are used to validate that all aspects of Security Gateways (e.g.,
hardware, firmware, and software) are continuously operational.

11.5 Ensure that all Security Gateways are configured and implemented such that all non-operational
Security Gateways shall deny all access.

12. Network Security

Vendor shall:

12.1 Upon CWT’s request, provide to CWT a logical network diagram documenting systems and
connections to other resources including routers, switches, firewalls, IDS systems, network topology,
external connection points, gateways, wireless networks, and any other devices that shall support
CWT.

12.2 Maintain a formal process for approving, testing, and documenting all network connections and
changes to the firewall and router configurations. Configure firewalls to deny and log suspicious
packets, and restrict to only allow appropriate and authorized traffic, denying all other traffic
through the firewall. Review firewall rules every six months.

12.3 Install a firewall at each Internet connection and between any demilitarized zone (DMZ) and the
internal network zone. Any system storing Personal Information must reside in the internal network
zone, segregated from the DMZ and other untrusted networks.

12.4 Monitor firewalls at the perimeter and internally, as necessary.

12.5 Have a documented process and controls in place to detect and handle unauthorized attempts to
access CWT’s Information.

12.6 When providing Internet-based services and products to CWT, protect CWT’s Information by the
implementation of a network DMZ. Web servers providing service to CWT shall reside in the DMZ.
Any system or information resource storing CWT’s Information (such as application and database
servers) shall reside in a trusted internal network. (Internet services and products Must Use DMZ).

12.7 Restrict unauthorized outbound traffic from applications processing, storing or transmitting
Confidential Information to IP addresses within the DMZ and Internet.

12.8 When using radio frequency (RF) based wireless networking technologies to perform or support
services and products for CWT, Vendor shall ensure that all of CWT’s Confidential Information
transmitted is protected by the use of appropriate encryption technologies sufficient to protect the
confidentiality of CWT’s Confidential Information; provided, however, that in any event such
encryption shall use no less than key lengths of 256-bits for symmetric encryption and 256-bits for
asymmetric encryption. Regularly scan, identify, and disable unauthorized wireless access points.

13. Connectivity Requirements

13.1 In the event that a data connection agreement, such as a “Master Data Connection Agreement,”
“Data Connection Agreement,” and/or “Connection Supplement” (“DCA”) exists between CWT and
the Vendor, and incorporates the Agreement by reference, or is otherwise integrated with, or used
to govern the parties’ connectivity obligations under these Information Security Requirements,
Vendor and CWT agree that any information technical and organizational security measures
incorporated within such DCA are hereby superseded by the terms of these Information Security
Requirements, effective as of the date these Information Security Requirements become effective
under the Agreement, and the terms of such DCA are amended to require that these Information
Security Requirements and not the information technical and organizational security measures
incorporated within the DCA are controlling in the Agreement (as well as any agreements
subordinate to the Agreement). Notwithstanding the foregoing, the DCA remains in full force and
effect for all other agreements between the parties to which it applies.

13.2 In the event that Vendor has, or shall be provided, connectivity to CWT’s or CWT’s clients’
Confidential Information resources in conjunction with the Agreement, then in addition to the
foregoing Vendor shall:

a. Use only the mutually agreed upon facilities and connection methodologies to interconnect
CWT’s and CWT’s clients’ Confidential Information resources with Vendor’s Information
Resources.
b. NOT establish interconnection to CWT’s and CWT’s clients’ Confidential Information resources
without the prior consent of CWT.
c. Provide CWT access to any applicable Vendor facilities during normal business hours for the
maintenance and support of any equipment (e.g., router) provided by CWT under the Agreement
for connectivity to CWT’s and CWT’s clients’ Confidential Information resources.
d. Use any equipment provided by CWT under the Agreement for connectivity to CWT’s and CWT’s
clients’ Confidential Information resources only for the furnishing of those services and products
or functions explicitly authorized in the Agreement.
e. If the agreed upon connectivity methodology requires that Vendor implement a Security
Gateway, maintain logs of all sessions using such Security Gateway. These session logs must
include sufficiently detailed information to identify the end user or application, origination IP
address, destination IP address, ports/service protocols used and duration of access. These
session logs must be retained for a minimum of six (6) months from session creation.

13.3 In the event that Vendor has, or shall be provided, connectivity to CWT’s or CWT’s clients’
Confidential Information resources in conjunction with the Agreement, in addition to other rights set
forth herein, permit CWT to:

a. Gather information relating to access, including Vendor’s access, to CWT’s and CWT’s clients’
Confidential Information resources. This information may be collected, retained and analyzed by
CWT to identify potential security risks without further notice. This information may include
trace files, statistics, network addresses, and the actual data or screens accessed or
transferred.
b. Immediately suspend or terminate any interconnection to CWT’s and CWT’s clients’ Confidential
Information resources if CWT, in its sole discretion, believes there has been a breach of security
or unauthorized access to or misuse of CWT data facilities or any CWT information, systems, or
other resources.

14. Mobile and Portable Devices

Vendor shall:

14.1 Use Strong Encryption to protect all of CWT’s Confidential Information stored on Mobile and
Portable Devices.

14.2 Not store Personal Information on mobile devices or laptops and not store CWT Personal
Information and Company Restricted Data on removable devices unless using Strong Encryption.

14.3 Use Strong Encryption to protect CWT’s Confidential Information transmitted using or remotely
accessed by network-aware Mobile and Portable Devices.

a. When using network-aware Mobile and Portable Devices that are not laptop computers to
access and/or store CWT’s Information, such devices must be capable of deleting all stored
copies of CWT’s Information upon receipt over the network of a properly authenticated
command. (Note: Such capability is often referred to as a “remote wipe” capability.)
b. Have documented policies, procedures and standards in place to ensure that the authorized
individual who should be in physical control of a network-aware mobile and portable device that
is not a laptop computer and that is storing CWT’s Information promptly initiates deletion of all
CWT’s Information when the device becomes lost or stolen.
c. Have documented policies, procedures and standards in place to ensure that Mobile and
Portable Devices that are not laptop computers and are not network aware, shall automatically
delete all stored copies of CWT’s Information after consecutive failed login attempts.

14.4 Have documented policies, procedures and standards in place which ensure that any Mobile and
Portable Devices used to access and/or store CWT’s Information:

a. Are in the physical possession of authorized individuals;
b. Are physically secured when not in the physical possession of authorized individuals; or
c. Have their data storage promptly and securely deleted when not in the physical possession of
authorized individuals nor physically secured, or after 10 unsuccessful access attempts.

14.5 Prior to allowing access to CWT’s Information stored on or through the use of Mobile and Portable
Devices, Vendor shall have and use a process to ensure that:

a. The user is authorized for such access; and
b. The identity of the user has been authenticated.

14.6 Implement a policy that prohibits the use of any Mobile and Portable Devices that are not
administered and/or managed by Vendor or CWT to access and/or store CWT’s Information.

14.7 Review, at least annually, the use of, and controls for, all Vendor-administered or managed Mobile
and Portable Devices to ensure that the Mobile and Portable Devices can meet the applicable
Technical and Organizational Security Measures.

15. Security in Transit

Vendor shall:

15.1 Use Strong Encryption for the transfer of CWT’s Information outside of CWT-controlled or Vendor
controlled networks or when transmitting CWT’s Information over any untrusted network.

15.2 Use Strong Encryption to protect CWT Personal Information and Company Restricted Data when
transmitted over any CWT-controlled or Vendor-controlled network, including but not limited to
CWT Personal Information and Company Restricted Data contained in email or attachments
embedded therein.

15.3 Records containing CWT Personal Information and Company Restricted Data in paper format,
microfiche, or electronic media physically transferred, must be transported by secured courier or
other delivery method that can be tracked, packed securely and per manufacturer specifications.
Any CWT Personal Information and Company Restricted Data must be transported in locked
containers.

16. Security at Rest

16.1 Vendor shall use Strong Encryption to protect CWT Personal Information and Company Restricted
Data when stored.

16.2 Vendor shall not store CWT Personal Information and Company Restricted Data electronically
outside of Vendor’s network environment (or CWT’s own secure computer network) unless the
storage device (e.g., backup tape, laptop, memory stick, computer disk, etc.) is protected by Strong
Encryption.

16.3 Vendor shall not store CWT Personal Information and Company Restricted Data on removable media
(e.g., USB flash drives, thumb drives, memory sticks, tapes, CDs, or external hard drives) except: (a)
for backup, business continuity, disaster recovery, and data interchange purposes as allowed and
required under contract, and (b) using Strong Encryption.

16.4 Vendor shall appropriately store and secure records containing CWT Personal Information and
Company Restricted Data in paper format or microfiche in areas to which access is restricted to
authorized personnel. Vendor shall ship CWT Personal Information and Company Restricted Data via
secured courier or a delivery mechanism that allows for accurate tracking of delivery status.

16.5 Unless otherwise instructed by CWT in writing, when collecting, generating or creating Information
in paper form and backup media for, through or on behalf of CWT or under the CWT brand, Vendor
shall ensure that such Information shall be CWT’s Information and, whenever practicable, label such
Information of CWT as “Confidential” or “Proprietary”. Vendor acknowledges that CWT’s
Confidential Information shall remain CWT-owned Information irrespective of labeling or the
absence thereof.

17. Return, Destruction, and Disposal

17.1 At no additional charge to CWT and upon CWT’s request, Vendor shall provide copies of any of
CWT’s Information to CWT within thirty (30) days of such request. Return, or, at CWT’s option,
destroy all of CWT’s Information, including electronic and hard copies within ninety (90) days after
the soonest of: Expiration or Termination of the Agreement, CWT’s request for the return of CWT’s
Information, or the date when Vendor no longer needs CWT’s Information to perform services and
products under the Agreement.

17.2 In the event that CWT approves destruction as an alternative to returning CWT’s Information, then
Vendor shall certify in writing the destruction as rendering CWT’s Information non-retrievable and
unrecoverable. Vendor shall completely destroy all copies of CWT Information at all locations and in
all systems where CWT Information is stored, including but not limited to previously approved
Vendor Third Parties. Such information shall be destroyed following an industry standard procedure
for complete destruction such as DOD 5220.22M or NIST Special Publication 800-88 or using a
manufacturer-recommended degaussing product for the system affected. Prior to such destruction,
Vendor shall maintain all applicable Technical and Organizational Security Measures to protect the
security, privacy and confidentiality of CWT’s Confidential Information.

17.3 Vendor shall dispose of CWT Personal Information and Company Restricted Data in a manner that
ensures the information cannot be reconstructed into a usable format. Papers, slides, microfilm,
microfiche and photographs must be disposed by cross-shredding or burning. Materials containing
CWT Personal Information and Company Restricted Data awaiting destruction must be stored in
secured containers and be transported using a secure third party.

18. Retention

18.1 In the event that Vendor needs to retain copies of CWT’s Information more than ninety (90) days
past either the expiration or Termination of the Agreement, or CWT’s request for the return or
destruction of CWT’s Information, Vendor shall be allowed to retain such copies when elsewhere
agreed to in writing with CWT. Copies of CWT’s profile Information may be retained for more than
ninety (90) days past the expiration or Termination of the Agreement without obtaining agreement
in writing from CWT allowing for such longer retention, provided such longer retention is performed
to achieve compliance with Laws requiring such longer retention.

18.2 In all cases, Vendor is responsible for validating appropriate retention requirements with CWT
contacts prior to acquiring any CWT Information and consistent with any statement of work or
purchase order.

18.3 Vendor shall take reasonable steps to secure any backup copies of CWT’s Confidential Information
automatically created by Vendor’s or third party’s services, systems, devices or media (“Archival
Copies”). Within 90 calendar days of expiration or termination of the Agreement or sooner if
reasonably requested by CWT, Vendor shall securely destroy all Archival Copies of CWT’s
Confidential Information, following an industry standard procedure at least as restrictive as DOD
5220.22M or NIST Special Publication 800-88.

19. Incident Response and Notification

Vendor shall:

19.1 Have and use an Incident Management Process and related procedures and staff such Process and
procedures with specialized resources. Immediately, and in no event greater than twenty-four (24)
hours, notify CWT whenever there is any suspected or confirmed attack upon, intrusion upon,
unauthorized access to, loss of, or other incident regarding CWT’s information, systems, or other
resources.

19.2 After notifying CWT, provide CWT with regular status updates, including, but not limited to, actions
taken to resolve such incident, at mutually agreed upon intervals or times for the duration of the
incident and as soon as reasonably possible after the closure of the incident, provide CWT with a
written report describing the incident, actions taken by the Vendor during its response and Vendor’s
plans for future actions to prevent a similar incident from occurring.

19.3 Under no circumstances publicly disclose any such breach of CWT’s information, systems, or other
resources without first notifying CWT and working directly with CWT to notify applicable regional,
country, state, or local government officials or credit monitoring services, individuals affected by
such breach, and any applicable media outlets, as required by law.

19.4 Vendor shall have a process in place to promptly identify violations of security controls including
those set forth in these Information Security Requirements, by Vendor personnel. Vendor personnel
so identified shall be subject to appropriate disciplinary action subject to the applicable laws.
Notwithstanding the foregoing, Vendor personnel shall remain under the authority of the Vendor.
CWT shall not be deemed employer of the Vendor personnel.

20. Business Continuity Management and Disaster Recovery

Vendor shall:

20.1 Develop, operate, manage, and revise business continuity and disaster recovery plans in order to
minimize impact for CWT to Vendor’s service or products. Such plans shall include: named resources
specific to Business Continuity and Disaster Recovery functions, established recovery time objectives
and recovery point objectives, daily back-up of data and systems, off-site storage of backup media
and records, record protection and contingency plans commensurate with the requirements of the
Agreement. Store such plans securely off-site and ensure such plans are available to Vendor as
needed.

20.2 Upon CWT’s request, furnish to CWT a documented business continuity plan that ensures Vendor
can meet its contractual obligations under the Agreement, including the requirements of any
applicable Statement of Work or Service Level Agreement. Such plans shall exercise recovery while
protecting integrity and confidentiality of CWT Confidential Information.

20.3 Have documented procedures for the secure backup and recovery of CWT’s Information which shall
include, at a minimum, procedures for the transport, storage, and disposal of the backup copies of
CWT’s Information and, upon CWT’s request, provide such documented procedures to CWT.

20.4 Ensure that backups of all CWT Information stored or software and configurations for systems used
by CWT are created at least once a week.

20.5 Regularly, at least annually, or following any material change in business continuity or disaster
recovery plans, comprehensively exercise such plans at Vendor’s sole cost and expense. Such
exercises shall ensure proper functioning of impacted technologies and internal awareness of such
plans.

20.6 Promptly review its business continuity plan to address additional or emerging threat sources or
scenarios and provide CWT a high level summary of plans and testing within a reasonable timeframe
upon request.

20.7 Ensure that all Vendor or Vendor-contracted locations housing or processing CWT Information are
monitored 24 hours a day, seven (7) days per week against intrusion, fire, water, and other
environmental hazards.

21. Compliance and Accreditations

21.1 Vendor shall retain complete and accurate records relating to its performance of its obligations
arising out of these Information Security Requirements and Vendor’s compliance herewith in a
format that shall permit assessment or audit for a period of no less than three (3) years, or longer as
may be required pursuant to a court order or civil or regulatory proceeding. Notwithstanding the
foregoing, Vendor shall only be required to maintain security logs for a minimum of six (6) months
after any continuing performance of the Agreement.

21.2 CWT may, at no additional cost to CWT, and with reasonable advance notice, conduct periodic
security assessments or audits of the Technical and Organizational Security Measures used by Vendor
during which, CWT shall provide Vendor with written questionnaires and requests for
documentation. For all requests, Vendor shall respond with written response and evidence, if
applicable, immediately or upon mutual agreement, if not reasonably possible. Upon CWT’s request
for an audit, Vendor shall schedule a security audit to commence within ten (10) business days from
such request. CWT may require access to facilities, systems, processes, or procedures to evaluate
Vendor’s security control environment.

21.3 Upon CWT’s request, Vendor shall supply evidence of compliance with the terms of the Agreement,
including supporting certifications for the most recent versions of PCI-DSS, ISO 27001/27002, SOC 2,
or similar assessment for the Vendor and for any subcontractor or third party processing, accessing,
storing, or managing on behalf of the Vendor.

21.4 In the event that CWT, in its sole discretion, deems that a security breach has occurred, which has
not been promptly reported to CWT in compliance with the Vendor’s Incident Management Process,
Vendor shall schedule the audit or assessment to commence within twenty-four (24) hours of CWT’s notice
requiring an assessment or audit. This provision shall not be deemed to, and shall not, limit any more
stringent audit obligations permitting the examination of Vendor’s records contained in the
Agreement.

21.5 Within thirty (30) calendar days of receipt of the final assessment results or audit report, Vendor
shall provide CWT a written report outlining the corrective actions that Vendor has implemented or
proposes to implement with the schedule and current status of each corrective action. Vendor shall
update this report to CWT every thirty (30) calendar days reporting the status of all corrective
actions through the date of implementation. Vendor shall implement all corrective actions within
ninety (90) days of Vendor’s receipt of the assessment or audit report or within an alternative time
period provided such alternative time period has been mutually agreed to in writing within no more
than thirty (30) days of Vendor’s receipt of the assessment or audit report.

21.6 Vendor shall be currently compliant and continue to be compliant with any applicable government
mandated information security standards and reporting requirements and ISO 27001/27002. To the
extent that Vendor handles payment account numbers or any other related payment information,
Vendor shall be currently compliant with the most current version of Payment Card Industry (PCI-
DSS) for the full scope of systems handling this information and continue such compliance. In the
event Vendor no longer is compliant with PCI-DSS for any portion of the full scope of systems
handling PCI-applicable data, Vendor will promptly notify CWT, immediately proceed without undue
delay to remedy such non-compliance, and provide regular status of such remediation to CWT upon
request.

22. Standards, Best Practices, Regulations, and Laws

In the event Vendor processes, accesses, views, stores, or manages CWT Personal Information and
Company Restricted Data pertaining to CWT personnel, partners, Affiliates; CWT clients; or CWT
client employees, contractors, or subcontractors; Vendor shall employ Technical and Organizational
Security Measures no less strict than is required by applicable global, regional, country, state, and
local guidelines, regulations, directives and law.

23. Modification

CWT reserves the right to update or modify these Information Security Requirements from time to
time by posting the latest version on CWT’s website.

The following clauses shall apply to the extent that they are not already included in the main Agreement.
If there is a conflict between the following terms and the terms of the Agreement, the terms of the
Agreement shall prevail.

24. Warranties and Obligations

Vendor represents and warrants that during the term of the Agreement and thereafter (as applicable
with respect to Vendor’s obligations under the survival of obligations clause in the Agreement)
Vendor is currently compliant at the time of Agreement, and shall continue to be throughout the
course of service, software or product offering, in compliance with its obligations as set forth herein.
The provisions of these Information Security Requirements shall not limit any more stringent security
or other obligations of the Agreement.

25. Survivability

Rights and obligations under these Information Security Requirements shall survive, including
confidentiality of any CWT Confidential Information, past the active term or termination of the
Agreement. All other obligations shall terminate at which point Vendor no longer views, accesses,
collects, maintains, processes, or stores any CWT Confidential Information; visits any CWT premises;
or retains any CWT information.

26. Term and Termination

26.1 Any non-compliance with any terms within these Information Security Requirements shall constitute
material breach for the purposes of the Agreement and give rise to CWT’s right of rescission,
modification, or remedy, at CWT’s election. Any CWT decision not to enforce or terminate the
Agreement for Vendor non-compliance shall not constitute any modification of the Agreement or
waiver of CWT’s rights under the Agreement.

26.2 Vendor agrees that any access to Confidential Information resources in violation of these
Information Security Requirements, CWT’s instructions, or Industry Standards; or incidence of any
Data Breach or Incident, may cause immediate and irreparable harm to CWT for which money
damages may not constitute an adequate remedy. Accordingly, Vendor agrees that CWT may obtain
specific performance and injunctive or other equitable relief for any such violation or Incident, in
addition to its remedies at law, without proof of actual damages.
Version 1.0
Date: 26 May 2016
