Supplier Information Security Addendum
EXTRAHOP NETWORKS, INC.
SUPPLIER INFORMATION SECURITY ADDENDUM
This Supplier Information Security Addendum (“Security Addendum”) forms part of the Master Purchasing Agreement or other written or electronic agreement (the “Agreement”) between ExtraHop Networks, Inc. (“ExtraHop”) and the party providing the products or services (“Supplier”) to describe the technical and organizational security measures that will be implemented by the Supplier to secure ExtraHop Confidential Information. Any terms not defined herein shall have the meanings given to them in the Agreement. Unless otherwise stated, in the event of a conflict between the Agreement and this Addendum, the terms providing the higher level of security will control.
Definitions:
1.1 “Applicable Law” means (a) the General Data Protection Regulation (Regulation (EU) 2016/679), (b) the UK General Data Protection Regulation as it forms part of the laws of England and Wales, Scotland and Northern Ireland by virtue of Section 3 of the European Union (Withdrawal) Act 2018, (c) the UK Data Protection Act 2018, (d) the California Consumer Privacy Act, Cal. Civ. Code §1798.100 et seq. and its implementing regulations (“CCPA”), and (e) any other applicable statutes, regulations, or directives regarding the protection or Processing of Personal Information and the security and integrity of IT Systems, including, without limitation, data breach notification laws.
1.2 “ExtraHop Confidential Information” means any data or information owned, controlled, or disclosed by ExtraHop, without regard to form and whether or not expressly marked as proprietary or confidential, that is or should be treated as confidential under the Agreement, including trade secrets, technology, business operations and strategies, and customer information, pricing, marketing strategies, techniques, or plans, and also includes Personal Information and ExtraHop Data.
1.3 “ExtraHop Data” means any data or information owned or controlled by ExtraHop (including that of its employees, contractors, partners, and customers) that is Processed by Supplier via the Products or the Agreement.
1.4 “Information Security Incident” is any actual or reasonably suspected circumstance in which ExtraHop Confidential Information is or may have been lost, stolen, accessed, transferred, copied, altered, destroyed, disclosed, or used without authorization or in any manner not permitted under the Agreement or this Security Addendum.
1.5 “IT System” means any networks, applications, computers, media, software, hardware, and mobile devices used to Process ExtraHop Confidential Information or logically connect to such systems.
1.6 “Personal Information” means any data or information relating, directly or indirectly, to an identified or identifiable individual or household and includes similarly defined terms under any applicable privacy or data protection law.
1.7 “Process” means to perform any operations upon any data whether or not by automatic means, including, but not limited to, collecting, recording, organizing, storing, adapting or altering, retrieving, accessing, consulting, using, disclosing by transmission, disseminating, or otherwise making available, aligning or combining, blocking, erasing, or destroying.
1.8 “Supplier” means the entity that is a party to the Agreement and any affiliate, subcontractor, or agent of such entity, that Processes or has access to ExtraHop Confidential Information or has access to an IT System. References to Supplier include Supplier Personnel.
1.9 “Supplier Personnel” means any Supplier employees or contractors that Process or have access to ExtraHop Confidential Information or access to an IT System.
2. General Security Practices
Supplier has implemented and shall maintain appropriate technical and organizational measures to protect ExtraHop Confidential Information against accidental loss, destruction or alteration, unauthorized disclosure or access, or unlawful destruction, including the policies, procedures, and security measures set forth in this Security Addendum.
3. General Compliance
Supplier shall document and implement processes and procedures to avoid breaches of legal, statutory, regulatory, or contractual obligations related to information security or other security requirements. Such processes and procedures shall provide appropriate security to protect ExtraHop Confidential Information given the risk posed by the nature of the Processing by Supplier. Supplier shall implement and operate information security in accordance with the Supplier’s own policies and procedures, which shall be no less strict than the information security requirements set forth in this Security Addendum. Supplier shall implement appropriate procedures designed to protect records from loss, destruction, falsification, unauthorized access, and unauthorized release, in accordance with legislative, regulatory, and contractual requirements. Supplier’s approach to managing information security and its implementation (i.e., control objectives, controls, policies, processes, and procedures) shall be reviewed at planned intervals or when significant changes occur by appropriate internal or external assessors. Supplier’s management shall regularly review the compliance of information processing and procedures with the appropriate applicable security policies and standards.
4. Technical and Organizational Measures for Security
4.1. Organization of Information Security
4.1.1 Supplier shall appoint one or more security officers responsible for coordinating and monitoring its security requirements and procedures. Such officers shall have the knowledge, experience, and authority to serve as the owner(s) of, with responsibility and accountability for, information security within the organization. Supplier shall define and allocate information security responsibilities in accordance with Supplier’s approved policies for information security. Such policies (or summaries thereof) shall be published and communicated to Supplier Personnel required to comply with such policies. Supplier shall have a risk management framework and conduct periodic risk assessment of its environment and systems to understand its risks and apply appropriate controls to manage and mitigate risks before Processing ExtraHop Confidential Information.
4.1.2 Supplier must use an auditable process to permanently and irretrievably destroy or delete all ExtraHop Confidential Information from IT Systems in a manner that ensures the ExtraHop Confidential Information is not accessible or readable at the conclusion of the authorized Processing of ExtraHop Confidential Information by Supplier. Supplier is authorized to Process ExtraHop Confidential Information only as necessary to provide the Products or perform under the Agreement. Upon request by ExtraHop, Supplier shall certify in writing that all ExtraHop Confidential Information has been destroyed in compliance with this section.
4.1.3 Supplier must keep all software used in its IT Systems current and in no event can software be more than one version behind the current version in any significant Processing system. Suppler shall develop, deploy, update, and maintain all Supplier software in strict accordance with relevant industry standards.
4.1.4 Supplier must ensure that IT Systems are free from all malicious software (malware). Supplier must install and run anti-malware software on all IT Systems capable of running such software, and must configure anti-malware software to automatically detect and remove harmful or malicious code. Supplier must configure the anti-malware software to update automatically and continuously to ensure definitions will never be more than 24 hours old.
4.2. Human Resources Security
4.2.1 General. Supplier shall ensure that Supplier Personnel are under a confidentiality agreement that includes the protection of ExtraHop Confidential Information and shall provide adequate training about relevant privacy and security policies and procedures. Supplier shall further inform Supplier Personnel of possible consequences of breaching Supplier’s security policies and procedures, which must include disciplinary action, including possible termination of employment for Supplier’s employees and termination of contract or assignment for contractors and temporary personnel.
4.2.2 Training. Supplier Personnel shall receive appropriate, periodic education and training regarding privacy and security procedures to aid in the prevention of unauthorized use (or inadvertent disclosure) of ExtraHop Confidential Information and training regarding how to effectively respond to security incidents. Training shall be provided before Supplier Personnel are granted access to ExtraHop Confidential Information or begin providing services. Training shall be regularly reinforced through refresher training courses, emails, posters, notice boards, and other training and awareness materials.
4.2.3 Background Checks. In addition to any other terms in the Agreement related to this subject matter, Supplier shall conduct criminal and other relevant background checks for Supplier Personnel in compliance with Applicable Law.
4.3. Trusted Device Standards.
4.3.1 Supplier Personnel shall:
- Only use trusted Devices that are configured with security software (i.e., anti-virus, antimalware, encryption, etc.);
- Follow trusted device standards when accessing ExtraHop Confidential Information or when having ExtraHop Confidential Information in their possession, custody, or control. The trusted device standard specifies the requirements that user devices (“Devices”) must satisfy to be trusted when Processing ExtraHop Confidential Information whether or not connected to ExtraHop’s network through wired, wireless, or remote access. Devices that fail to comply with this standard will not be entitled to access network unless ExtraHop determines limited access is acceptable.
4.3.2 Trusted device standards include, at a minimum, the following:
- Each Device must be uniquely associated with a specific, individual user;
- Devices must be configured for automatic patching. All operating system and application security patches must be installed within the timeframe recommended or required by the issuer of the patch;
- Devices must be encrypted (i.e., full disk, endpoint encryption) and secured with a protected (e.g., password, PIN, finger print, facial recognition, biometrics, etc.) screen lock with the automatic activation feature. Users must lock the screen or log off when the device is unattended;
- Devices must not be rooted or jailbroken;
- Devices must be periodically scanned for restricted/prohibited software (e.g., certain peer-to-peer sharing apps that have been found to exploit/exfiltrate data); and
- Devices must run an acceptable industry standard anti-malware solution. On-access scan and automatic update functionality must be enabled.
4.3.3 Supplier shall implement policies designed to prevent the storage of ExtraHop Confidential Information on unencrypted smartphones, tablets, USB drives, DVD/CDs, or other portable media without prior written authorization from ExtraHop; and take measures to prevent accidental exposure of ExtraHop Confidential Information (e.g., using privacy filters on laptops).
4.4. Personnel Access Controls
4.4.1 Access.
- Limited Use. Supplier understands and acknowledges that ExtraHop may be granting Supplier access to sensitive and proprietary information and IT Systems. Supplier will not (i) access the ExtraHop Confidential Information or IT Systems for any purpose other than as necessary to perform its obligations to ExtraHop; or (ii) use any system access information or log-in credentials to gain unauthorized access to ExtraHop Confidential Information or IT Systems, or to exceed the scope of any authorized access.
- Authorization. Supplier shall restrict access to ExtraHop Confidential Information and IT Systems at all times solely to those Supplier Personnel whose access is necessary to performing Supplier’s obligations to ExtraHop.
- Suspension or Termination of Access Rights. At ExtraHop’s reasonable request, Supplier shall promptly and without undue delay suspend or terminate the access rights to ExtraHop Confidential Information and IT Systems for any Supplier Personnel reasonably suspected of breaching any of the provisions of this Security Addendum; and Supplier shall remove access rights of all employees and external party users upon suspension or termination of their employment, or engagement.
4.4.2 Access Policy. Supplier shall determine appropriate access control rules, rights, and restrictions for each specific user’s roles towards their assets. Supplier shall maintain a record of security privileges of its personnel that have access to ExtraHop Confidential Information, networks, and network services.
4.5. Access Authorization.
4.5.1 Supplier shall have user account creation and deletion procedures, with appropriate approvals, for granting and revoking access to IT Systems. Supplier shall use an enterprise access control system that requires revalidation of its personnel by managers at regular intervals based on the principle of “least privilege” and need-to-know criteria based on job role/Performance obligations.
4.5.2 For IT Systems that Process ExtraHop Confidential Information, Supplier shall revalidate (or where appropriate, deactivate) access of users who change reporting structure and deactivate authentication credentials that have not been used for a period of time not to exceed six (6) months.
4.5.3 Supplier shall restrict access to program source code and associated items such as software object code, designs, specifications, verification plans, and validation plans, in order to prevent the introduction of unauthorized functionality and to avoid unintentional changes.
4.6. Network Design. For IT Systems that Process ExtraHop Confidential Information, Supplier shall have controls to avoid Supplier Personnel assuming access rights beyond those that they have been assigned to gain unauthorized access to ExtraHop Confidential Information.
4.7. Authentication
4.7.1 Supplier shall use industry standard practices including ISO/IEC 27002:2013 and NIST SP 800-633B (Digital Identity Guidelines) to identify and authenticate users who attempt to access IT Systems.
4.7.2 Where authentication mechanisms are based on passwords, Supplier shall require the password to conform to strong password control parameters (e.g., length, character complexity, and/or nonrepeatability) with at least 8 characters and containing the following four classes: upper case, lower case, numeral, special character.
4.7.3 Supplier shall ensure that de-activated or expired identifiers and log-in credentials are not granted to other individuals.
4.7.4 Supplier shall monitor repeated failed attempts to gain access to the information system and implement appropriate lock-out procedures.
4.7.5 Supplier shall maintain industry standard procedures to deactivate log-in credentials that have been corrupted or inadvertently disclosed.
4.7.6 Supplier shall use industry standard log-in credential protection practices, including practices designed to maintain the confidentiality and integrity of log-in credentials when they are assigned and distributed, and during storage (e.g., log-in credentials shall not be stored or shared in plain text). Such practices shall be designed to ensure strong, confidential log-in credentials.
4.7.7 Supplier shall use a multi-factor authentication solution to authenticate personnel accessing IT Systems.
4.8. Cryptography and Key management
4.8.1 Supplier shall have a policy on the use of cryptographic controls based on assessed risks.
4.8.2 Supplier shall assess and manage the lifecycle of cryptographic algorithms, hashing algorithms, etc. and deprecate and disallow usage of weak cypher suites and insufficient bit and block lengths.
4.8.3 Supplier shall have procedures for distributing, storing, archiving, and changing/updating keys; recovering, revoking/destroying, and dealing with compromised keys; and logging all transactions associated with such keys.
4.9. Physical and Environmental Security
4.9.1 Physical Access to Facilities. Supplier shall limit access to facilities where systems that Process ExtraHop Confidential Information are located to authorized individuals. ii. Security perimeters shall be defined and used to protect areas that contain ExtraHop Confidential Information and Processing facilities. Facilities shall be monitored and access-controlled at all times (24x7). Access shall be controlled through key card and/or appropriate sign-in procedures for facilities with systems Processing ExtraHop Confidential Information. Supplier must register personnel and require them to carry appropriate identification badges.
4.9.2 Physical Access to Equipment. Supplier equipment used to Process or store ExtraHop Confidential Information shall be protected using industry standard processes to limit access to authorized individuals.
4.9.3 Protection from Disruptions. Supplier shall implement appropriate measures designed to protect against loss of data due to power supply failure or line interference.
4.10. Operations Security
4.10.1 Operational Policy. Supplier shall maintain written policies describing its security measures and the relevant procedures and responsibilities of Supplier Personnel who have access to ExtraHop Confidential Information and IT Systems. Supplier shall communicate its policies and requirements to all persons involved in the Processing of ExtraHop Confidential Information. Supplier shall implement the appropriate management structure and control designed to ensure compliance with such policies and with Applicable Laws concerning the protection and Processing of ExtraHop Confidential Information.
4.10.2 Security and Processing Controls.
Supplier shall maintain, document, and implement standards and procedures to address the configuration, operation, and management of IT Systems. Such standards and procedures shall include: security controls, identification and patching of security vulnerabilities, change control process and procedures, and incident prevention, detection, remediation, and management. Supplier shall maintain logs of administrator and operator activity and data recovery events related to ExtraHop Confidential Information.
4.11. Communications Security and Data Transfer
4.11.1 Networks. Supplier shall, at a minimum, use the following controls to secure its networks that access or Process ExtraHop Confidential Information:
- Network traffic shall pass through firewalls, which are monitored at all times. Supplier must implement intrusion prevention systems that allow traffic flowing through the firewalls and LAN to be logged and protected at all times.
- Network devices used for administration must utilize industry standard cryptographic controls when Processing ExtraHop Confidential Information.
- Anti-spoofing filters and controls must be enabled on routers.
- Network, application, and server authentication passwords are required to meet the same industry standard practices used for the authentication of users set forth in Section 4.7 (Authentication) above. System-level passwords (privileged administration accounts or user level accounts with privileged administration access) must be changed at minimum every 90 days.
- Initial user passwords are required to be changed at first log-on. Supplier shall have a policy prohibiting the sharing of user IDs, passwords, or other log-in credentials.
- Firewalls must be deployed to protect the perimeter of Supplier's networks.
4.12. System Acquisition, Development, and Maintenance
Supplier shall adopt security requirements for the purchase, use, or development of information systems, including for application services delivered through public networks. Supplier shall have policies for secure development, system engineering, and support. Supplier shall conduct appropriate tests for system security as part of acceptance testing processes. Supplier shall supervise and monitor the activity of outsourced system development.
4.13. Penetration Testing and Vulnerability Scanning & Audit Reports
4.13.1 Testing. Supplier will perform periodic penetration tests on their internet perimeter network. Tests will be conducted with industry recommended network security tools to identify vulnerability of information. Upon written request from ExtraHop, Supplier shall provide a Vulnerability & Penetration testing report at the organization level which may include an executive summary of the results and not the details of actual findings.
4.13.2 Audits. Supplier shall respond promptly to and cooperate with reasonable requests by ExtraHop for security audits, scanning, discovery, and testing reports.
4.13.3 Remedial Action. If any audit or penetration testing exercise referred to in Section 4.13.1 (Testing), above reveals any deficiencies, weaknesses, or areas of non-compliance, Supplier shall promptly take such steps as may be required, in Supplier’s reasonable discretion, to remedy those deficiencies, weaknesses, and areas of non-compliance as soon as may be practicable given the circumstances. Upon request, Supplier shall keep ExtraHop informed of the status of any remedial action that is required to be carried out, and shall certify to ExtraHop as soon as may be practicable that all necessary remedial actions have been completed.
4.14. Contractor Relationships
Supplier shall have information security policies or procedures for its use of third parties that impose requirements consistent with this Security Addendum. Supplier shall monitor and audit service delivery by such third parties and review their security practices against the security requirements set forth in Supplier’s agreements with such parties and this Security Addendum. Supplier shall manage changes in such third parties’ services that may have an impact on security.
4.15 Information Security Aspects of Business Continuity Management
Supplier shall maintain emergency and contingency plans for the facilities where Supplier IT Systems are located. Supplier shall verify the established and implemented information security continuity controls at regular intervals. Supplier shall design redundant storage and procedures for recovering data in a manner sufficient to reconstruct ExtraHop Confidential Information in its original state as found on the last recorded backup provided by ExtraHop.
5. Information Security Incident
5.1 Supplier must develop and maintain an up-to-date incident management plan to promptly identify, prevent, investigate, and mitigate any Information Security Incidents and perform any required recovery actions to remedy the impact.
5.2 Supplier must log Information Security Incidents on Supplier’s IT Systems and review (on a periodic basis (minimum quarterly)), secure, and maintain the logs for a minimum of twelve (12) months.
5.3 Supplier will promptly (but in no event later than 48 hours after discovery) inform ExtraHop in writing on becoming aware of any known or reasonably suspected Information Security Incident and provide any available incident-related logs ExtraHop requests as soon as reasonably practicable.
5.4 Supplier shall report any Information Security Incidents to ExtraHop at security-incident-reporting@extrahop.com and privacy@extrahop.com, or at such other contact information communicated to Supplier from time to time. Supplier will give specific information on what information and IT Systems were involved and any other information ExtraHop reasonably may request concerning the details of the Information Security Incident, as soon as such information can be collected or otherwise becomes available and any remediation efforts undertaken, and will thereafter provide regular and timely updates throughout the ongoing investigation and remediation. The parties will work cooperatively to secure the return or recovery of any ExtraHop Confidential Information as necessary. When Supplier experiences the incident, ExtraHop may require Supplier to hire an independent, third party forensic or security firm to assist with this investigation or remediation effort. Supplier will provide ExtraHop with the investigation final results. Each party will work cooperatively with the other party on remediation and law enforcement activities, as appropriate.
5.5 Notwithstanding any limitations in the Agreement, Supplier shall pay for or reimburse ExtraHop for all costs associated with an Information Security Incident caused by Supplier or Supplier Personnel, including, without limitation, forensic assessments, breach notices, credit monitoring or other fraud alert services, regulatory investigations, third party audits, and all other remedies either required by applicable law and regulation or which are required to remediate the Information Security Incident.
5.6 Other than notices required by law or regulation, Supplier may not make or permit any public statements concerning ExtraHop involvement with any Information Security Incident to any third-party without the explicit written authorization of the ExtraHop Legal Department. Supplier agrees to fully cooperate with
6. Audits
6.1 Supplier shall monitor its security program effectiveness by conducting, or engaging a third party to conduct, audits and risk assessments of Supplier IT Systems against the requirements of written policies and procedures maintained as required by this Security Addendum and applicable law no less frequently than every twelve (12) months. Supplier shall be responsible for ensuring consistency of its security operations, including proactive monitoring and mitigating all vulnerabilities across any Supplier IT Systems.
6.2 Upon request from ExtraHop, Supplier will provide information to ExtraHop to enable ExtraHop to determine compliance with this Security Addendum. As part of the ExtraHop assessment of Supplier’s internal control structure, ExtraHop may require Supplier to, without limitation, answer security questionnaires or conduct server, database, or other network hardware scans and submit an attestation by an officer of Supplier with knowledge of Supplier’s compliance.
6.3 Upon request, Supplier must provide to ExtraHop reports of any audits and assessments conducted on Supplier IT Systems, which reports shall include, at a minimum, the audit and/or assessment scope and any vulnerabilities, issues, findings, concerns, and/or recommendations in so far as they impact ExtraHop Confidential Information. Both parties shall treat such reports provided by Supplier to ExtraHop as Confidential Information.
6.4 Supplier must remediate within thirty (30) days any items rated as high or critical (or similar rating indicating similar risk) in any audits or assessments of Supplier IT Systems. ExtraHop reserves the right to request remediation completion in less than 30 days, implementation of a compensating control, or suspension of further activity where necessary to adequately protect ExtraHop Confidential Information.
6.5 Upon request, with reasonable advance notice and conducted in such a manner not to unduly interfere with Supplier’s operations, ExtraHop reserves the right to conduct, or to engage third parties to conduct, an audit of Supplier’s compliance with the requirements in this Security Addendum relating to ExtraHop Confidential Information including but not limited to: (a) a review of Supplier’s applicable policies, processes, and procedures, (b) a review of the results of Supplier’s most recent vulnerability assessment (e.g., application vulnerability scanning, penetration testing, and similar testing results) and accompanying remediation plans, and (c) on-site assessments of Supplier’s physical security arrangements and Supplier IT Systems during Supplier’s regular working hours pursuant to a mutually agreeable audit plan. ExtraHop reserves the right to conduct an onsite audit of Supplier on ten (10) business days prior written notice during regular business hours. This right shall survive termination or expiration of the Agreement so long as Supplier Processes ExtraHop Confidential Information provided under the Agreement. Supplier agrees to cooperate fully with ExtraHop or its designee during such audits and shall provide access to facilities, appropriate resources and applicable supporting documentation to ExtraHop.
6.6 If ExtraHop has a reasonable basis to believe that Supplier has breached or is likely to breach the terms of this Security Addendum, then, in addition to any other applicable rights, ExtraHop may, upon five (5) days’ notice, perform a vulnerability assessment. At reasonable request from ExtraHop, Supplier will promptly cooperate with ExtraHop to develop a plan to protect ExtraHop Confidential Information from any applicable failures or attacks, which plan will include prioritization of recovery efforts, identification of and implementation plans for alternative data centers or other storage sites and backup capabilities.