Technical and Organizational Measures – NICE WCX On-Premise based Maintenance Services

This document sets out the technical and organizational measures (“TOMs”) deployed by NICE for protecting personal data provided by Customers and/or business partners to NICE against unauthorized access, corruption and loss, when such personal data is being processed by NICE with respect to its on-premise based Maintenance Services.

1. Access Control

1.1 NICE will develop and implement a formal, documented access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance to support the scoped services.

1.2 NICE will develop and implement formal documented procedures to facilitate the implementation of the access control policy and associated access controls to support the scoped services.

1.3 NICE will specify authorized users, group and role membership, access authorizations (i.e., privileges) and other attributes (as required) for each account used to support the scoped services. NICE will ensure that authorized access to the information system is based on a valid access authorization and intended system usage.

1.4 NICE will notify Customer account managers or Customer representatives when accounts are no longer required, when users are terminated or transferred and when individual information system usage or need-to-know changes.

1.5 NICE requires that connected support users be logged out when maintenance services are completed.

1.6 Where the Customer information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies, NICE will apply those policies.

1.7 NICE’s access control policy shall specify that a subject that has been granted access to information is constrained from doing any of the following: passing the information to unauthorized subjects or objects; granting its privileges to other subjects; changing one or more security attributes on subjects, objects, the information system, or information system components; choosing the security attributes and attribute values to be associated with newly created or modified objects; or changing the rules governing access control.

1.8 NICE will logically or physically separate information flows, using different mechanisms and/or techniques for different support activities, such as accessing Customer systems for support and maintenance or receiving Customer information for analysis purposes.

1.9 NICE will implement separation of duties (SOD) among individuals and define information system access authorizations that support separation of duties for the scoped services.

1.10 NICE employs the principle of least privilege, allowing only the authorized access for users (or processes acting on behalf of users) that is necessary to accomplish assigned tasks in accordance with the scoped services.

1.11 NICE enforces a limit on consecutive invalid logon attempts by a user accessing NICE systems supporting Customer services, and automatically locks the account when the maximum number of unsuccessful attempts has been exceeded.

1.12 NICE will prevent further access to the NICE domain by initiating a session lock after a period of inactivity, and will retain the session lock until the user re-establishes access using established identification and authentication procedures.

1.13 Where Customer support requires remote access to the NICE environment, NICE will establish and document a remote access policy and implementation guidance for remote access allowed to NICE’s internal systems. NICE will authorize remote access to the information system prior to allowing such connections, and NICE will monitor and control remote access methods and implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.

1.14 NICE will ensure that users protect information about remote access mechanisms from unauthorized use and disclosure when support activity uses Customer remote access mechanisms and technology.

1.15 If access to Customer systems/environment uses NICE wireless technology, NICE will establish usage restrictions, configuration/connection requirements and protect wireless access to the system using authentication of devices and encryption.

1.16 Where access to a Customer environment for support activities is done using mobile devices (e.g., laptops), NICE will establish usage restrictions, configuration requirements, connection requirements, and implementation guidance for mobile devices, and will authorize the connection of mobile devices to the NICE environment prior to connecting to Customer systems. NICE will employ full-device encryption to protect the confidentiality and integrity of Customer information on mobile devices.

2. Audit and Accountability

2.1 NICE will develop and implement a formal, documented audit and accountability control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance to support the scoped services.

2.2 NICE will develop and implement formal documented procedures to facilitate the implementation of the audit and accountability control policy, along with associated audit controls to support the scoped services.

2.3 NICE has defined the following auditable event: evidence of unauthorized disclosure of Customer information.

3. Awareness and Training

3.1 NICE will develop and implement a training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance to support the scoped services.

3.2 NICE will develop and implement documented security awareness procedures to facilitate the implementation of the security awareness and training controls that support the scoped services.

4. Configuration Management

4.1 NICE will develop and implement a configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance to support the scoped services.

4.2 NICE will develop and implement documented configuration management procedures to facilitate the implementation of the configuration management policy for software and tools used for support activities and for changes that are configuration-controlled.

4.3 The support environment will be configured with a baseline configuration, and NICE will implement configuration change control for major changes and retain records of configuration changes.

4.4 NICE enforces physical and logical access restrictions and limits privileges to change information system components and system-related information associated with changes to systems used to support Customer’s production or operational environment.

4.5 NICE may change these TOMs from time to time to adapt to the evolving security landscape and will notify Customers of such changes.

5. Contingency Planning

5.1 NICE will develop and implement a contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance to support the scoped services.

5.2 NICE will develop and implement documented contingency plans and procedures to facilitate the implementation of the required contingency capabilities of the scoped services. The plans will identify essential missions and business functions and their associated contingency requirements, provide recovery objectives and restoration priorities, address contingency roles and responsibilities, and assign individuals, with contact information.

5.3 NICE will identify the critical information system assets that support essential missions and business functions, and will provide for the resumption of those essential missions and business functions as determined for the scoped services and agreed upon with the Customer.

6. Incident Response

6.1 NICE will develop and implement an incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance to support the scoped services.

6.2 NICE will develop and implement documented incident response procedures to facilitate the implementation of the incident response policy and associated incident response controls.

6.3 NICE will implement an incident management capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery. NICE will employ automated mechanisms to support the incident management process, to assist in the tracking of security incidents and in the collection and analysis of incident information.

7. Maintenance

7.1 NICE will develop and implement a system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance to support the scoped services.

7.2 NICE will develop and implement documented procedures to facilitate the implementation of the system maintenance policy and associated system maintenance controls.

7.3 NICE will sanitize relevant equipment to remove all Customer information from associated media prior to removal from organizational facilities for off-site maintenance or repairs.

8. Personnel Security

8.1 NICE will develop a Human Resources policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance to support the scoped services.

8.2 NICE will develop procedures to facilitate the implementation of the personnel security policy and associated personnel security controls.

8.3 NICE will screen individuals prior to authorizing access to the information system and ensure that individuals accessing an information system processing, storing, or transmitting Customer information are cleared and indoctrinated to the highest classification level of the information to which they have access on the system.

8.4 Upon termination of individual employment, NICE will disable information system access within a reasonable time period, terminate/revoke any authenticators/credentials associated with the individual, retrieve all security-related organizational and information system-related property, and notify the Customer within a reasonable time period.

8.5 NICE requires third-party providers to comply with personnel security policies and procedures established by the organization and requires third-party providers to notify NICE of any personnel transfers or terminations of third-party personnel.

8.6 NICE employs a formal sanctions process for individuals failing to comply with established information security policies and procedures relevant for the scoped services and notifies the Customer when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.

9. Physical and Environmental Protection

9.1 NICE will develop a physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance to support the scoped services.

9.2 When information needs to be transferred to NICE for support reasons, NICE will facilitate the implementation of a dedicated physical and logical environment with protection controls.

9.3 NICE will limit, as far as possible, the individuals with authorized access to the facility where the information system resides, issue authorization credentials for facility access, remove individuals from the facility access list when access is no longer required, and verify individual access authorizations before granting access to the facility.

9.4 NICE escorts visitors and monitors visitor activity, and secures keys, combinations, and other physical access devices.

9.5 NICE enforces physical access authorizations to the information system in addition to the physical access controls for the facility.

9.6 NICE employs guards to monitor every physical access point to the facility where the information system resides 24 hours per day, 7 days per week.

9.7 NICE controls physical access to information system distribution and transmission lines within organizational facilities.

9.8 NICE monitors physical access to the facility where the information system resides to detect and respond to physical security incidents, monitors physical intrusion alarms and surveillance equipment, employs video surveillance and monitors physical access to the information system in addition to the physical access monitoring of the facility, and maintains visitor access records to the facility where the information system resides.

10. System and Communications Protection

10.1 NICE will develop a system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance to support the scoped services.

10.2 NICE will develop procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls.

10.3 NICE will protect the confidentiality and integrity of the information being transmitted to the NICE environment and systems for support.

10.4 NICE will implement host-based protection mechanisms to secure and protect Customer information.

10.5 The information system implements separate network addresses (i.e., different subnets) to connect to systems in different security domains.

10.6 The information system implements cryptographic mechanisms to prevent unauthorized disclosure of information.

10.7 The information system terminates the network connection associated with a communications session at the end of the session or after a defined time period of inactivity.

10.8 The information system provides a trusted communications path that is logically isolated and distinguishable from other paths.

11. System and Information Integrity

11.1 NICE will employ malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code and centrally manage malicious code protection mechanisms. The information system automatically updates malicious code protection mechanisms.

11.2 The information system monitors inbound and outbound communications traffic for unusual or unauthorized activities or conditions.