ACCENTURE’S GENERAL TERMS AND CONDITIONS OF PURCHASE – Russia
(Revised March 2018)
Page 3 of 4
cooperate with Accenture and its clients in ensuring their compliance with
applicable laws, including Articles 32 to 36 of GDPR where applicable. Supplier
will make available to Accenture and/or any supervisory authority all information
necessary to demonstrate Supplier’s compliance with the Agreement and
applicable laws, and allow for and contribute to audits and inspections conducted
by Accenture; (v) not retain any Accenture Personal Data for longer than is
necessary for the performance of the Agreement or as required by applicable law;
and (vi) ensure that any sub-processor(s) (approved under Section 10.2) are
bound by a written agreement that includes the same data protection obligations
as set out in the Agreement.
14.3 “Security Incident” means a known, or reasonably suspected, accidental or
unauthorized loss, acquisition, disclosure, access, use or other form of
compromise of Accenture Data. Supplier will implement and maintain
commercially reasonable and appropriate physical, technical and organizational
security measures, including those set out in Section 15 below, to protect
Accenture Data against a Security Incident and all other unauthorized or unlawful
forms of processing. Supplier will (i) notify Supplier's point of contact at
Accenture in writing and without undue delay, and in any event within 48 hours of
Supplier's discovery of the Security Incident; and (ii) investigate the Security
Incident, taking all necessary steps to eliminate or contain the Security Incident,
including cooperating with Accenture's remediation efforts, mitigating any
damage, and developing and executing a plan, subject to Accenture's approval,
that promptly reduces the likelihood of a recurrence of the Security Incident.
14.4 Supplier will notify Accenture promptly in writing of any investigation,
litigation, arbitrated matter or other dispute relating to Supplier's or its
subcontractors' information security or privacy practices.
14.5 Supplier will not transfer, access or otherwise process Accenture Personal
Data which originates from the EEA to/from jurisdictions outside of an Approved
Jurisdiction, without first entering into a legally valid data transfer mechanism(s)
and/or additional agreement(s) with Accenture. “Approved Jurisdiction” means
a member state of the European Economic Area (EEA) or any other jurisdiction or
sector as may be approved by the European Commission as ensuring adequate
legal protections for personal data.
15. INFORMATION SECURITY
15.1 Industry Standards. Supplier will implement appropriate technical and
organizational security measures that comply with Industry Standards in all
applicable goods, services, equipment, software systems and platforms that
Supplier uses to access, process and/or store Accenture Data. “Industry
Standards” means security measures that are commercially reasonable in the
information technology industry and that are designed to ensure the security,
integrity, and confidentiality of Accenture Data, and to protect against Security
Incidents.
15.2 Illicit Code. Except for the functions and features expressly disclosed in
Supplier's documentation made available to Accenture, Deliverables will be free
of any programs, subroutines, code, instructions, data or functions, (including but
not limited to viruses, malware, worms, date bombs, time bombs, shut-down
devices, keys, authorization codes, back doors or passwords allowing Supplier
access) that may result in any inoperability, damage, interruption, or interference
of the Deliverables or any equipment on which the Deliverables reside or with
which the Deliverables are capable of communicating.
15.3 Security of All Software Components. Supplier will inventory all software
components (including open source software) used in Deliverables, and provide
such inventory to Accenture upon request. Supplier will assess whether any such
components have any security defects or vulnerabilities that could lead to a
Security Incident. Supplier will perform such assessment prior to providing
Accenture with access to such software components and on an on-going basis
thereafter during the term of the Agreement. Supplier will promptly notify
Accenture of any identified security defect or vulnerability and remediate same
in a timely manner. Supplier will promptly notify Accenture of its remediation
plan. If remediation is not feasible in a timely manner, Supplier will replace the
subject software component with a component that is not affected by a security
defect or vulnerability and that does not reduce the overall functionality of the
Deliverable(s).
15.4 Security Assessment. If Accenture reasonably determines, or in good faith
believes, that Supplier’s security practices or procedures do not meet Supplier’s
obligations under the Agreement, then Accenture will notify Supplier of the
deficiencies. Supplier will without unreasonable delay: (i) correct such
deficiencies at its own expense; (ii) permit Accenture, or its duly authorized
representatives, to assess Supplier’s security-related activities that are relevant
to the Agreement; and (iii) timely complete a security questionnaire from
Accenture on a periodic basis upon Accenture’s request. Security issues identified
by Accenture will be assigned risk ratings and an agreed-to timeframe to
remediate. Supplier will remediate all the security issues identified within the
agreed-to timeframes. Upon Supplier's failure to remediate any high or medium
rated security issues within the stated timeframes, Accenture may terminate the
Agreement in accordance with Section 8 above.
15.5 Application Hardening. Supplier will comply with this Section 15.5 if Supplier
is providing Accenture with access to or the use of any software, including
software-as-a-service or cloud-based software. Supplier will maintain and
implement secure application development policies, procedures, and standards
that are aligned to Industry Standard practices (e.g., SANS Top 35 Security
Development Techniques and Common Security Errors in Programming and the
OWASP Top Ten project). This applies to web application, mobile application,
embedded software, and firmware development. All Personnel responsible for
application design, development, configuration, testing, and deployment will be
qualified to perform such activities and receive appropriate training on such
policies, procedures, and standards.
15.6 Infrastructure Vulnerability Scanning. Supplier will scan its internal
environments (e.g., servers, network devices, etc.) related to Deliverables
monthly and external environments related to Deliverables weekly. Supplier will
have a defined process to address any findings but will ensure that any high-risk
vulnerabilities are addressed within 30 days.
15.7 Application Vulnerability Assessment. Supplier will comply with this
Section 15.7 if Supplier is providing Accenture with access to or the use of any
software, including software-as-a-service or cloud-based software. Supplier will
perform an application security vulnerability assessment prior to any new
release. The test must cover all application and/or software vulnerabilities
defined by the OWASP or those listed in the SANS Top Cyber Security Risks or its
successor current at the time of the test. Supplier will ensure all high-risk
vulnerabilities are resolved prior to release. Supplier will provide a summary of
the test results including any open remediation points upon request. Supplier will
have a defined process to address any findings but will ensure that any high-risk
vulnerabilities are addressed within 30 days.
15.8 Penetration Tests and Security Evaluations of Websites. Supplier will
perform a comprehensive penetration test and security evaluation of all systems
and websites involved in providing Deliverables prior to use and on a recurring
basis no less frequent than quarterly. Supplier will have an industry recognized
independent third party perform one of the quarterly tests. Supplier will have a
defined process to address any findings but any high-risk vulnerabilities must be
addressed within 30 days. Supplier will provide a summary of such tests and
evaluations, including any open remediation points, to Accenture upon request.
15.9 Asset Management. Supplier will: i) maintain an asset inventory of all media
and equipment where Accenture Data is stored. Access to such media and
equipment will be restricted to authorized Personnel; ii) classify Accenture Data
so that it is properly identified and access to it is appropriately restricted; iii)
maintain an acceptable use policy with restrictions on printing Accenture Data
and procedures for appropriately disposing of printed materials that contain
Accenture Data when such data is no longer needed under the Agreement; iv)
maintain an appropriate approval process whereby Supplier’s approval is
required prior to its Personnel storing Accenture Data on portable devices,
remotely accessing Accenture Data, or processing such data outside of Supplier
facilities. If remote access is approved, Personnel will use multi-factor
authentication, which may include the use of smart cards with certificates, One
Time Password (OTP) tokens, and biometrics.
15.10 Access Control. Supplier will maintain an appropriate access control policy
that is designed to restrict access to Accenture Data and Supplier assets to
authorized Personnel. Supplier will require that all accounts have complex
passwords that contain letters, numbers, and special characters, are changed at
least every 90 days, and have a minimum length of 8 characters.
15.11 Cryptography. Supplier will maintain policies and standards on the use of
cryptographic controls that are implemented to protect Accenture Data.
15.12 Secure Disposal or Reuse of Equipment. Supplier will verify that all
Accenture Data has been deleted or securely overwritten using Industry Standard
processes, prior to disposal or re-use of equipment containing storage media.
15.13 Operations Security. Supplier must enable logging and monitoring on all
operating systems, databases, applications, and security and network devices
that are involved in providing Deliverables. Supplier will maintain anti-malware
controls that are designed to protect systems from malicious software, including
malicious software that originates from public networks. In addition, Supplier will
use anti-malware software (of Industry Standard or better quality), maintain such
software at the then current major release, purchase maintenance & support